intesar / NB-Sales


Incremental_Ids on POST:/api/v1/issues/ui #1596

Open intesar opened 3 years ago

intesar commented 3 years ago

Title: Incremental_Ids Vulnerability on POST:/api/v1/issues/ui
Project: NetBanking API

Description:

Assertion: Incremental Ids scanning checks whether the auto-generated IDs associated with the resources are sequential. Resources with sequential IDs are vulnerable since they are easy to guess.

Risk: Incremental_Ids
Severity: Medium
API Endpoint: http://95.217.118.53:8080/api/v1/issues/ui
Environment: Master
Playbook: ApiV1IssuesUiPostIncrementalIds
Researcher: [apisec Bot]

QUICK TIPS

Suggestion:
Effort Estimate:

Wire Logs:

09:57:44 [D] [ AVIUPIIds] : URL [http://95.217.118.53:8080/api/v1/issues/ui]
09:57:44 [D] [ AVIUPIIds] : Method [POST]
09:57:44 [D] [ AVIUPIIds] : Auth [Default]
09:57:44 [D] [ AVIUPIIds] : Request [{ "assertions" : "fNknUM2A", "assignedTo" : "fNknUM2A", "createdBy" : "", "createdDate" : "", "description" : "fNknUM2A", "endpoint" : "fNknUM2A", "env" : "fNknUM2A", "failedAssertions" : "fNknUM2A", "headers" : [ "fNknUM2A" ], "id" : "", "inactive" : false, "issueName" : "fNknUM2A", "issueStatus" : "OPEN", "issueType" : "MANUAL", "method" : "GET", "modifiedBy" : "", "modifiedDate" : "", "project" : { "createdBy" : "", "createdDate" : "", "description" : "fNknUM2A", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "fNknUM2A", "org" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "fNknUM2A", "version" : "" }, "refId" : "fNknUM2A", "version" : "" }, "requestBody" : "fNknUM2A", "responseBody" : "fNknUM2A", "responseHeaders" : "fNknUM2A", "result" : "fNknUM2A", "statusCode" : "fNknUM2A", "tags" : [ "fNknUM2A" ], "version" : "" }]
09:57:44 [D] [ AVIUPIIds] : Request-Headers [{Accept=[application/json], Content-Type=[application/json], Authorization=[**********]}]
09:57:44 [D] [ AVIUPIIds] : Response [{ "requestId" : "None", "requestTime" : "2020-09-18T21:57:44.142+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : null, "value" : "Invalid request for project" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
09:57:44 [D] [ AVIUPIIds] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjMzNjUxMzQtZTA1YS00MDIzLWFkZTItNWM4ZDJhMzNhNWM4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Fri, 18 Sep 2020 21:57:44 GMT]}]
09:57:44 [D] [ AVIUPIIds] : StatusCode [200]
09:57:44 [D] [ AVIUPIIds] : Time [293]
09:57:44 [D] [ AVIUPIIds] : Size [203]
09:57:44 [I] [ AVIUPIIds] : Assertion [@StatusCode == 200] resolved-to [200 == 200] result [Passed]
09:57:44 [E] [ AVIUPIIds] : Assertion [@Response.data.id != @NULL AND @Response.data.id !=~ [0-9]+] resolved-to [ != AND !=~ [0-9]+] result [Failed]

IMPORTANT LINKS

Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/8a8084b3749c35170174a339224b04b8/details
Project: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs
Environment: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/environments/8a8081766fc3e2a1016fc421d7155a15/edit
Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs/8a8081766fc3e2a1016fc4230f426628/runs/8a8084b3749c35170174a339191d04b2
Playbook: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/template/ApiV1IssuesUiPostIncrementalIds
Coverage: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/configuration
Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/8a8084b3749c35170174a339224b04b8/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.

--- apisec Bot ---