intesar / NB-Sales

0 stars 0 forks source link

ABAC_Level1 on GET:/api/v1/transfers/{id} #1560

Closed intesar closed 4 years ago

intesar commented 4 years ago

Title: ABAC_Level1 Vulnerability on GET:/api/v1/transfers/{id} Project: NetBanking API Description: The ABAC exploit allows an attacker to read, modify, delete, add and perform actions on customer/un-authorized data.

Assertion Name: Attribute Based Access Control 1 (ABAC) ( 1 )

Overview: Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. Access control also involves the act of granting and revoking those privileges. Attribute Based Access Control (ABAC) will grant or deny user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized and more relevant to the policies at hand.

'Attribute-based-access-control 1' identifies top-level/non-dependent resource/data/record vulnerabilities. Looks for private user/account data being illegally read, written, updated, deleted or operated by other users or tenants or accounts.

This scanner requires a private-account/user to create private data/resources e.g. UserA. And it also requires other users who shouldn't have any access to UserA's data like UserB, UserC, & UserD based on your App multi-tenancy model. e.g. UserA can be a user from tenant/org-a and UserB can be a user in tenant-b and UserC can be a user in tenant-c with admin privileges.

APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.

Severity: OWASP 2019 API Top 10 ranks ABAC vulnerabilities at Top 1 position and is named Broken Object Level Authorization. ( 2 )

Vulnerability Impact: With flawed or broken ABAC security control policy in place, The following are some of the consequences.

Exploitation: Attackers can exploit API endpoints that are vulnerable to broken object level authorization by manipulating the ID of an object that is sent within the request. This may lead to unauthorized access to sensitive data. This issue is extremely common in API-based applications because the server component usually does not fully track the client’s state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access.

Remediation: The following techniques may be checked for ensuring RBAC is in place ( 2 ) ( 3 ) ( 4 ).

References:
  1. Enforce Access Controls - https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html
  2. OWASP 2019 API Top 10 - https://github.com/OWASP/API-Security/raw/master/2019/en/dist/owasp-api-security-top-10.pdf
  3. OWASP Access Control Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html
  4. OWASP REST Security Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html

Risk: ABAC_Level1 Severity: High API Endpoint: http://95.217.118.53:8080/api/v1/transfers/2c9280847452ae000174788376da279c Environment: Master Playbook: ApiV1TransfersIdGetUseraCreateTransfersUsercDisallowAbac Researcher: [apisec Bot] QUICK TIPS Suggestion: Add access-control checks on incoming requests against all data calls. Effort Estimate: 2.0 Wire Logs: 02:55:15 [D] [ TCUAIAbac] : URL [http://95.217.118.53:8080/api/v1/transfers] 02:55:15 [D] [ TCUAIAbac] : Method [POST] 02:55:15 [D] [ TCUAIAbac] : Auth [UserA] 02:55:15 [D] [ TCUAIAbac] : Request [{ "confirmed" : false, "createdBy" : "", "createdDate" : "", "description" : "8kmMz03h", "id" : "", "inactive" : false, "location" : "8kmMz03h", "modifiedBy" : "", "modifiedDate" : "", "transactionType" : "CHECK", "version" : "" }] 02:55:15 [D] [ TCUAIAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[**********]}] 02:55:15 [D] [ TCUAIAbac] : Response [{ "requestId" : "None", "requestTime" : "2020-09-10T14:55:15.676+0000", "errors" : false, "messages" : [ ], "data" : { "id" : "2c9280847452ae000174788376da279c", "createdBy" : "2c928085730548680173054c9f720003", "createdDate" : "2020-09-10T14:55:15.674+0000", "modifiedBy" : "2c928085730548680173054c9f720003", "modifiedDate" : "2020-09-10T14:55:15.674+0000", "version" : null, "inactive" : false, "location" : "POvWEDn3", "description" : "POvWEDn3", "confirmed" : false, "transactionType" : "CHECK" }, "totalPages" : 0, "totalElements" : 0 }] 02:55:15 [D] [ TCUAIAbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzY2MjY5NmItMDM5Mi00OGQ0LWExNGEtYjZlZjNjZGRhN2Uy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [ TCUAIAbac] : StatusCode [200] 02:55:15 [D] [ TCUAIAbac] : Time [210] 02:55:15 [D] [ TCUAIAbac] : Size [485] 02:55:15 [I] [ TCUAIAbac] : Assertion [@StatusCode == 200 AND @Response.errors == false] resolved-to [200 == 200 AND false == false] result [Passed] 02:55:15 [D] [TCUAIAHeaders] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzY2MjY5NmItMDM5Mi00OGQ0LWExNGEtYjZlZjNjZGRhN2Uy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [TCUAIAHeaders] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzY2MjY5NmItMDM5Mi00OGQ0LWExNGEtYjZlZjNjZGRhN2Uy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [ TCUAIA]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzY2MjY5NmItMDM5Mi00OGQ0LWExNGEtYjZlZjNjZGRhN2Uy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [ TCUAIA]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzY2MjY5NmItMDM5Mi00OGQ0LWExNGEtYjZlZjNjZGRhN2Uy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [AVTIGUCTUDAbac] : URL [http://95.217.118.53:8080/api/v1/transfers/2c9280847452ae000174788376da279c] 02:55:15 [D] [AVTIGUCTUDAbac] : Method [GET] 02:55:15 [D] [AVTIGUCTUDAbac] : Auth [UserC] 02:55:15 [D] [AVTIGUCTUDAbac] : Request [] 02:55:15 [D] [AVTIGUCTUDAbac] : Request-Headers [{Accept=[application/json], Content-Type=[application/json], Authorization=[**********]}] 02:55:15 [D] [AVTIGUCTUDAbac] : Response [{ "requestId" : "None", "requestTime" : "2020-09-10T14:55:15.882+0000", "errors" : false, "messages" : [ ], "data" : { "id" : "2c9280847452ae000174788376da279c", "createdBy" : "2c928085730548680173054c9f720003", "createdDate" : "2020-09-10T14:55:15.674+0000", "modifiedBy" : "2c928085730548680173054c9f720003", "modifiedDate" : "2020-09-10T14:55:15.674+0000", "version" : null, "inactive" : false, "location" : "POvWEDn3", "description" : "POvWEDn3", "confirmed" : false, "transactionType" : "CHECK" }, "totalPages" : 0, "totalElements" : 0 }] 02:55:15 [D] [AVTIGUCTUDAbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjJlODAyYWMtYjZiYS00NTMxLWI3MjItNjY4MWE0NTZlMGI2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [AVTIGUCTUDAbac] : StatusCode [200] 02:55:15 [D] [AVTIGUCTUDAbac] : Time [204] 02:55:15 [D] [AVTIGUCTUDAbac] : Size [485] 02:55:15 [E] [AVTIGUCTUDAbac] : Assertion [@StatusCode == 401 OR @StatusCode == 404 OR @Response.errors == true] resolved-to [200 == 401 OR 200 == 404 OR false == true] result [Failed] 02:55:16 [D] [AVTIDTAAbac] : URL [http://95.217.118.53:8080/api/v1/transfers/2c9280847452ae000174788376da279c] 02:55:16 [D] [AVTIDTAAbac] : Method [DELETE] 02:55:16 [D] [AVTIDTAAbac] : Request [null] 02:55:16 [D] [AVTIDTAAbac] : Auth [UserA] 02:55:16 [D] [AVTIDTAAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlcjFAbmV0YmFua2luZy5pbzphZG1pbjEyMyQ=]}] 02:55:16 [D] [AVTIDTAAbac] : Response [{ "requestId" : "None", "requestTime" : "2020-09-10T14:55:16.084+0000", "errors" : false, "messages" : [ ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 02:55:16 [D] [AVTIDTAAbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWJkOTllMjYtNDA2YS00OWM2LTllM2QtZDFkMjI4ZjE1NmY2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:16 [D] [AVTIDTAAbac] : StatusCode [200] 02:55:16 [D] [AVTIDTAAbac] : Time [201] 02:55:16 [D] [AVTIDTAAbac] : Size [139] 02:55:16 [I] [AVTIGUCTUDAbac] : Assertion [@StatusCode == 200] resolved-to [200 == 200] result [Passed] IMPORTANT LINKS Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/8a8081bb745387ec017478837dfd3c89/details Project: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs Environment: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/environments/8a8081766fc3e2a1016fc421d7155a15/edit Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs/8a8081766fc3e2a1016fc4230f426628/runs/8a8081bb745387ec017478834c8f3c5c Playbook: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/template/ApiV1TransfersIdGetUseraCreateTransfersUsercDisallowAbac Coverage: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/configuration Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/8a8081bb745387ec017478837dfd3c89/codesamples PS: Please contact support@apisec.ai for apisec access and login issues. --- apisec Bot ---
intesar commented 4 years ago

Message : This issue is manually closed from FX control plane.

Title: ABAC_Level1 Vulnerability on GET:/api/v1/transfers/{id} Project: NetBanking API Description:

Assertion Name: Attribute Based Access Control 1 (ABAC) ( 1 )

Overview: Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. Access control also involves the act of granting and revoking those privileges. Attribute Based Access Control (ABAC) will grant or deny user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized and more relevant to the policies at hand.

'Attribute-based-access-control 1' identifies top-level/non-dependent resource/data/record vulnerabilities. Looks for private user/account data being illegally read, written, updated, deleted or operated by other users or tenants or accounts.

This scanner requires a private-account/user to create private data/resources e.g. UserA. And it also requires other users who shouldn't have any access to UserA's data like UserB, UserC, & UserD based on your App multi-tenancy model. e.g. UserA can be a user from tenant/org-a and UserB can be a user in tenant-b and UserC can be a user in tenant-c with admin privileges.

APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.

Severity: OWASP 2019 API Top 10 ranks ABAC vulnerabilities at Top 1 position and is named Broken Object Level Authorization. ( 2 )

Vulnerability Impact: With flawed or broken ABAC security control policy in place, The following are some of the consequences.

Exploitation: Attackers can exploit API endpoints that are vulnerable to broken object level authorization by manipulating the ID of an object that is sent within the request. This may lead to unauthorized access to sensitive data. This issue is extremely common in API-based applications because the server component usually does not fully track the client’s state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access.

Remediation: The following techniques may be checked for ensuring RBAC is in place ( 2 ) ( 3 ) ( 4 ).

References:
  1. Enforce Access Controls - https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html
  2. OWASP 2019 API Top 10 - https://github.com/OWASP/API-Security/raw/master/2019/en/dist/owasp-api-security-top-10.pdf
  3. OWASP Access Control Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html
  4. OWASP REST Security Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html

Risk: ABAC_Level1 Severity: High API Endpoint: http://95.217.118.53:8080/api/v1/transfers/2c9280847452ae000174788376da279c Environment: Master Playbook: ApiV1TransfersIdGetUseraCreateTransfersUsercDisallowAbac Researcher: UserC QUICK TIPS Suggestion: Effort Estimate: Wire Logs: 02:55:15 [D] [ TCUAIAbac] : URL [http://95.217.118.53:8080/api/v1/transfers] 02:55:15 [D] [ TCUAIAbac] : Method [POST] 02:55:15 [D] [ TCUAIAbac] : Auth [UserA] 02:55:15 [D] [ TCUAIAbac] : Request [{ "confirmed" : false, "createdBy" : "", "createdDate" : "", "description" : "8kmMz03h", "id" : "", "inactive" : false, "location" : "8kmMz03h", "modifiedBy" : "", "modifiedDate" : "", "transactionType" : "CHECK", "version" : "" }] 02:55:15 [D] [ TCUAIAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[**********]}] 02:55:15 [D] [ TCUAIAbac] : Response [{ "requestId" : "None", "requestTime" : "2020-09-10T14:55:15.676+0000", "errors" : false, "messages" : [ ], "data" : { "id" : "2c9280847452ae000174788376da279c", "createdBy" : "2c928085730548680173054c9f720003", "createdDate" : "2020-09-10T14:55:15.674+0000", "modifiedBy" : "2c928085730548680173054c9f720003", "modifiedDate" : "2020-09-10T14:55:15.674+0000", "version" : null, "inactive" : false, "location" : "POvWEDn3", "description" : "POvWEDn3", "confirmed" : false, "transactionType" : "CHECK" }, "totalPages" : 0, "totalElements" : 0 }] 02:55:15 [D] [ TCUAIAbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzY2MjY5NmItMDM5Mi00OGQ0LWExNGEtYjZlZjNjZGRhN2Uy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [ TCUAIAbac] : StatusCode [200] 02:55:15 [D] [ TCUAIAbac] : Time [210] 02:55:15 [D] [ TCUAIAbac] : Size [485] 02:55:15 [I] [ TCUAIAbac] : Assertion [@StatusCode == 200 AND @Response.errors == false] resolved-to [200 == 200 AND false == false] result [Passed] 02:55:15 [D] [TCUAIAHeaders] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzY2MjY5NmItMDM5Mi00OGQ0LWExNGEtYjZlZjNjZGRhN2Uy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [TCUAIAHeaders] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzY2MjY5NmItMDM5Mi00OGQ0LWExNGEtYjZlZjNjZGRhN2Uy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [ TCUAIA]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzY2MjY5NmItMDM5Mi00OGQ0LWExNGEtYjZlZjNjZGRhN2Uy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [ TCUAIA]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzY2MjY5NmItMDM5Mi00OGQ0LWExNGEtYjZlZjNjZGRhN2Uy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [AVTIGUCTUDAbac] : URL [http://95.217.118.53:8080/api/v1/transfers/2c9280847452ae000174788376da279c] 02:55:15 [D] [AVTIGUCTUDAbac] : Method [GET] 02:55:15 [D] [AVTIGUCTUDAbac] : Auth [UserC] 02:55:15 [D] [AVTIGUCTUDAbac] : Request [] 02:55:15 [D] [AVTIGUCTUDAbac] : Request-Headers [{Accept=[application/json], Content-Type=[application/json], Authorization=[**********]}] 02:55:15 [D] [AVTIGUCTUDAbac] : Response [{ "requestId" : "None", "requestTime" : "2020-09-10T14:55:15.882+0000", "errors" : false, "messages" : [ ], "data" : { "id" : "2c9280847452ae000174788376da279c", "createdBy" : "2c928085730548680173054c9f720003", "createdDate" : "2020-09-10T14:55:15.674+0000", "modifiedBy" : "2c928085730548680173054c9f720003", "modifiedDate" : "2020-09-10T14:55:15.674+0000", "version" : null, "inactive" : false, "location" : "POvWEDn3", "description" : "POvWEDn3", "confirmed" : false, "transactionType" : "CHECK" }, "totalPages" : 0, "totalElements" : 0 }] 02:55:15 [D] [AVTIGUCTUDAbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjJlODAyYWMtYjZiYS00NTMxLWI3MjItNjY4MWE0NTZlMGI2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:15 [D] [AVTIGUCTUDAbac] : StatusCode [200] 02:55:15 [D] [AVTIGUCTUDAbac] : Time [204] 02:55:15 [D] [AVTIGUCTUDAbac] : Size [485] 02:55:15 [E] [AVTIGUCTUDAbac] : Assertion [@StatusCode == 401 OR @StatusCode == 404 OR @Response.errors == true] resolved-to [200 == 401 OR 200 == 404 OR false == true] result [Failed] 02:55:16 [D] [AVTIDTAAbac] : URL [http://95.217.118.53:8080/api/v1/transfers/2c9280847452ae000174788376da279c] 02:55:16 [D] [AVTIDTAAbac] : Method [DELETE] 02:55:16 [D] [AVTIDTAAbac] : Request [null] 02:55:16 [D] [AVTIDTAAbac] : Auth [UserA] 02:55:16 [D] [AVTIDTAAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlcjFAbmV0YmFua2luZy5pbzphZG1pbjEyMyQ=]}] 02:55:16 [D] [AVTIDTAAbac] : Response [{ "requestId" : "None", "requestTime" : "2020-09-10T14:55:16.084+0000", "errors" : false, "messages" : [ ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 02:55:16 [D] [AVTIDTAAbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWJkOTllMjYtNDA2YS00OWM2LTllM2QtZDFkMjI4ZjE1NmY2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 10 Sep 2020 14:55:15 GMT]}] 02:55:16 [D] [AVTIDTAAbac] : StatusCode [200] 02:55:16 [D] [AVTIDTAAbac] : Time [201] 02:55:16 [D] [AVTIDTAAbac] : Size [139] 02:55:16 [I] [AVTIGUCTUDAbac] : Assertion [@StatusCode == 200] resolved-to [200 == 200] result [Passed] IMPORTANT LINKS Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/null/details Project: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs Environment: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/environments/8a8081766fc3e2a1016fc421d7155a15/edit Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs/8a8081766fc3e2a1016fc4230f426628/runs/8a8081bb745387ec017478834c8f3c5c Playbook: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/template/ApiV1TransfersIdGetUseraCreateTransfersUsercDisallowAbac Coverage: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/configuration Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/null/codesamples PS: Please contact support@apisec.ai for apisec access and login issues. --- apisec Bot ---