jaleelsyed
commented
5 years ago Project : online banking app
Job : Default
Env : Default
Message : This issue is manually closed from FX control plane.
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDU5ZDFjOTItNzQ1OS00ZjhhLTk1MjUtZjhhNGUyZTUxNGUz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 24 Jan 2019 04:53:55 GMT]}
Endpoint : http://54.215.136.217/api/v1/orgs/
Request :
Response :
{
"timestamp" : "2019-01-24T04:53:56.448+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs/"
}
Logs :
Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [403 == 401 OR 403 == 403 OR == true] result [Passed]
--- FX Bot ---
Project : online banking app
Job : Default
Env : Default
Category : ABAC_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDU5ZDFjOTItNzQ1OS00ZjhhLTk1MjUtZjhhNGUyZTUxNGUz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 24 Jan 2019 04:53:55 GMT]}
Endpoint : http://54.215.136.217/api/v1/orgs/
Request :
Response :
{ "timestamp" : "2019-01-24T04:53:56.448+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs/" }
Logs :
2019-01-24 04:53:55 DEBUG [ OrgCreateUserAInitAbac] : URL [http://54.215.136.217/api/v1/orgs] 2019-01-24 04:53:55 DEBUG [ OrgCreateUserAInitAbac] : Method [POST] 2019-01-24 04:53:55 DEBUG [ OrgCreateUserAInitAbac] : Request [{ "billingEmail" : "constantin.vandervort@hotmail.com", "company" : "Schumm-Schumm", "createdBy" : "", "createdDate" : "", "description" : "JVZLzaNq", "id" : "", "inactive" : false, "location" : "JVZLzaNq", "modifiedBy" : "", "modifiedDate" : "", "name" : "JVZLzaNq", "orgPlan" : "BUSINESS", "orgType" : "ENTERPRISE", "version" : "" }] 2019-01-24 04:53:55 DEBUG [ OrgCreateUserAInitAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlcjJAb25saW5lc3VwcG9ydC5pbzphZG1pbjEyMyQ=]}] 2019-01-24 04:53:55 DEBUG [ OrgCreateUserAInitAbac] : Response [{ "timestamp" : "2019-01-24T04:53:55.618+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs" }] 2019-01-24 04:53:55 DEBUG [ OrgCreateUserAInitAbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWEyNGZiMzUtYzRiYi00MWVlLTk4OGYtZjdjMzFkZWM2NTk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 24 Jan 2019 04:53:54 GMT]}] 2019-01-24 04:53:55 DEBUG [ OrgCreateUserAInitAbac] : StatusCode [403] 2019-01-24 04:53:55 DEBUG [ OrgCreateUserAInitAbac] : Time [1319] 2019-01-24 04:53:55 DEBUG [ OrgCreateUserAInitAbac] : Size [121] 2019-01-24 04:53:55 ERROR [null] : Assertion [@StatusCode == 200 AND @Response.errors == false] resolved-to [403 == 200 AND == false] result [Failed] 2019-01-24 04:53:55 DEBUG [OrgCreateUserAInitAbac_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWEyNGZiMzUtYzRiYi00MWVlLTk4OGYtZjdjMzFkZWM2NTk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 24 Jan 2019 04:53:54 GMT]}] 2019-01-24 04:53:55 DEBUG [OrgCreateUserAInitAbac_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWEyNGZiMzUtYzRiYi00MWVlLTk4OGYtZjdjMzFkZWM2NTk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 24 Jan 2019 04:53:54 GMT]}] 2019-01-24 04:53:55 DEBUG [OrgCreateUserAInitAbac_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWEyNGZiMzUtYzRiYi00MWVlLTk4OGYtZjdjMzFkZWM2NTk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 24 Jan 2019 04:53:54 GMT]}] 2019-01-24 04:53:55 DEBUG [OrgCreateUserAInitAbac_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWEyNGZiMzUtYzRiYi00MWVlLTk4OGYtZjdjMzFkZWM2NTk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 24 Jan 2019 04:53:54 GMT]}] 2019-01-24 04:53:55 DEBUG [ApiV1OrgsIdGetUserbDisallowAbac] : URL [http://54.215.136.217/api/v1/orgs/] 2019-01-24 04:53:55 DEBUG [ApiV1OrgsIdGetUserbDisallowAbac] : Method [GET] 2019-01-24 04:53:55 DEBUG [ApiV1OrgsIdGetUserbDisallowAbac] : Request [] 2019-01-24 04:53:55 DEBUG [ApiV1OrgsIdGetUserbDisallowAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlcjNAb25saW5lc3VwcG9ydC5pbzphZG1pbjEyMyQ=]}] 2019-01-24 04:53:55 DEBUG [ApiV1OrgsIdGetUserbDisallowAbac] : Response [{ "timestamp" : "2019-01-24T04:53:56.448+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs/" }] 2019-01-24 04:53:55 DEBUG [ApiV1OrgsIdGetUserbDisallowAbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDU5ZDFjOTItNzQ1OS00ZjhhLTk1MjUtZjhhNGUyZTUxNGUz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 24 Jan 2019 04:53:55 GMT]}] 2019-01-24 04:53:55 DEBUG [ApiV1OrgsIdGetUserbDisallowAbac] : StatusCode [403] 2019-01-24 04:53:55 DEBUG [ApiV1OrgsIdGetUserbDisallowAbac] : Time [757] 2019-01-24 04:53:55 DEBUG [ApiV1OrgsIdGetUserbDisallowAbac] : Size [122] 2019-01-24 04:53:55 INFO [ApiV1OrgsIdGetUserbDisallowAbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [403 == 401 OR 403 == 403 OR == true] result [Passed] 2019-01-24 04:53:56 DEBUG [ApiV1OrgsIdDeleteAbstractAbac] : URL [http://54.215.136.217/api/v1/orgs/] 2019-01-24 04:53:56 DEBUG [ApiV1OrgsIdDeleteAbstractAbac] : Method [DELETE] 2019-01-24 04:53:56 DEBUG [ApiV1OrgsIdDeleteAbstractAbac] : Request [null] 2019-01-24 04:53:56 DEBUG [ApiV1OrgsIdDeleteAbstractAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlcjJAb25saW5lc3VwcG9ydC5pbzphZG1pbjEyMyQ=]}] 2019-01-24 04:53:56 DEBUG [ApiV1OrgsIdDeleteAbstractAbac] : Response [{ "timestamp" : "2019-01-24T04:53:57.311+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/orgs/" }] 2019-01-24 04:53:56 DEBUG [ApiV1OrgsIdDeleteAbstractAbac] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzQ3ODE0MjItYjIxYS00MTNhLWI0MjgtMzM2MzIxNzI2ZjQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 24 Jan 2019 04:53:56 GMT]}] 2019-01-24 04:53:56 DEBUG [ApiV1OrgsIdDeleteAbstractAbac] : StatusCode [405] 2019-01-24 04:53:56 DEBUG [ApiV1OrgsIdDeleteAbstractAbac] : Time [869] 2019-01-24 04:53:56 DEBUG [ApiV1OrgsIdDeleteAbstractAbac] : Size [159] 2019-01-24 04:53:56 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---