jaleelsyed / test1


Vulnerability <a href=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”> Click here</a> : GET:/example/v1/hotels/{id} #842

Closed jaleelsyed closed 5 years ago

jaleelsyed commented 5 years ago

Project : Vul

Template : <b onmouseover=alert('Wufff!')>ExampleV1HotelsIdGetAuthInvalid

Run Id : 8a80cb8169c81b720169c81fd6e6003e

Job : Default

Env : Default

Category : InvalidAuth

Tags : [OWASP A2, OWASP A5, OWASP A6, OWASP A7, [PCI DSS 3.0] 6.5.8, [PCI DSS 3.0] 6.5.10, OTG-AUTHN-004, FX Top 10 - API Vulnerability, Non-Intrusive]

Severity : Major

Region : local

Result : fail

Status Code : 406

Headers : {X-Application-Context=[application:8090], Content-Type=[application/xml], Content-Length=[0], Date=[Fri, 29 Mar 2019 06:25:27 GMT]}

Endpoint : http://18.144.38.115:8090/example/v1/hotels/473005325

Request :
<a href=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”> Click here

Response : alert(123) window.alert(123) alert("Hello! I am an alert box!!");

<b onmouseover=alert('Wufff!')>click me!

Logs :
com.fxlabs.fxt.bot.assertions.AssertionLogger@5efca692 --- FX Bot ---

<a href=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”> Click here

jaleelsyed commented 5 years ago

Message : This issue is manually closed from FX control plane.

Project : Vul

Template : ExampleV1HotelsIdGetAuthInvalid

Run Id : 8a80cb8169c81b720169c81fd6e6003e

Job : Default

Env : Default

Category : InvalidAuth

Tags : null

Severity : Major

Region : local

Result : fail

Status Code : 406

Headers : {X-Application-Context=[application:8090], Content-Type=[application/xml], Content-Length=[0], Date=[Fri, 29 Mar 2019 06:25:27 GMT]}

Endpoint : http://18.144.38.115:8090/example/v1/hotels/473005325

Request :

Response :

Logs :
com.fxlabs.fxt.bot.assertions.AssertionLogger@5efca692 --- FX Bot ---