Closed: jaleelsyed closed this issue 1 year ago
Message : This issue is manually closed from FX control plane.
Title: Pii Vulnerability on GET:/api/v1/primary-transaction/{id}
Project: NB 58
Description:
Assertion
<p><font style="color: #ef5350;"><b>Overview:</b> Personally Identifiable Information, or PII, is any data that can be used to break the anonymity of an interaction. It is closely tied to privacy and tracking regulations. Examples of PII are government ID numbers, addresses and phone numbers. </font></p>
<p><font style="color: #ef5350;"><b>Severity:</b> Varies by data exposed</font></p>
<p><font style="color: #ef5350;"><b>Impact:</b> High Business Impact</font></p>
<p><font style="color: #ef5350;"><b>Exploitation:</b> Medium</font></p>
<p><font style="color: #ef5350;"><b>References:</b></font>
<ul>
<li><a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">OWASP Sensitive Data Exposure</a></li>
</ul>
</p>
Risk: Pii
Severity: Medium
API Endpoint: http://netbanking.apisec.ai:8080/api/v1/primary-transaction/null
Environment: Master
Playbook: ApiV1PrimaryTransactionIdGetPii
Researcher: Default
QUICK TIPS
Suggestion:
Effort Estimate: null Hrs
Wire Logs:
IMPORTANT LINKS
Vulnerability Details: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc823e85befabf0185c041a8da122b/details
Project: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard
Environment: https://cloud.apisec.ai/#/app/config-environments/projects/8adc80ec84e1cb220184e5f27d494dfb/environmentList
Coverage: https://cloud.apisec.ai/#/app/config-categories/projects/8adc80ec84e1cb220184e5f27d494dfb/categories
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---
Title: Pii Vulnerability on GET:/api/v1/primary-transaction/{id}
Project: NB 58
Description:
Assertion
Risk: Pii
Severity: Medium
API Endpoint: http://netbanking.apisec.ai:8080/api/v1/primary-transaction/null
Environment: Master
Playbook: ApiV1PrimaryTransactionIdGetPii
Researcher: [apisec Bot]
QUICK TIPS
Suggestion:
Effort Estimate: null Hrs
Wire Logs:
03:03:18 [D] [ AVPTIGPii] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/primary-transaction/null]
03:03:18 [D] [ AVPTIGPii] : Method [GET]
03:03:18 [D] [ AVPTIGPii] : Authorization [Default]
03:03:18 [D] [ AVPTIGPii] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization:"Basic *****"]]
03:03:18 [D] [ AVPTIGPii] : Request []
03:03:18 [D] [ AVPTIGPii] : Status code [200]
03:03:18 [D] [ AVPTIGPii] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=ZWI5NmY0MWItNWU0Mi00YzBkLWJjNmQtNjMyZDc4YjRjYTYy; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Tue, 17 Jan 2023 15:03:17 GMT"]]
03:03:18 [D] [ AVPTIGPii] : Response [Hidden]. //To view the response set 'showResponse: true' under policies
03:03:18 [D] [ AVPTIGPii] : Response time [223]
03:03:18 [D] [ AVPTIGPii] : Response size [306]
03:03:18 [I] [ AVPTIGPii] : Assertion [@StatusCode != 404] resolved-to [200 != 404] result [Passed]
IMPORTANT LINKS
Vulnerability Details: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc823e85befabf0185c041a8da122b/details
Project: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard
Environment: https://cloud.apisec.ai/#/app/config-environments/projects/8adc80ec84e1cb220184e5f27d494dfb/environmentList
Scan Dashboard: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/profiles/8adc80eb84e1c98e0184e5f2a02953c6/runs/8adc800d85bef5300185c04170912a01
Playbook: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/playbooks/ApiV1PrimaryTransactionIdGetPii
Coverage: https://cloud.apisec.ai/#/app/config-categories/projects/8adc80ec84e1cb220184e5f27d494dfb/categories
Code Sample: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc823e85befabf0185c041a8da122b/codesamples
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---