jaleelsyed / test1


Unsecured on DELETE:/example/v1/hotels/{id} #872

Closed jaleelsyed closed 5 years ago

jaleelsyed commented 5 years ago

Title : Unsecured Vulnerability on DELETE:/example/v1/hotels/{id}

Project : syncAll

Description : The unsecured exploit gives an attacker full access to the vulnerable endpoint without credentials.

Risk : Unsecured

Severity : Major

API Endpoint : http://18.144.38.115:8090/example/v1/hotels/211836305

Environment : Master

Playbook : ExampleV1HotelsIdDeleteAnonymousInvalid

Researcher : [APISec Bot]

Quick Tips :

Suggestion : Make sure the endpoint is secured as part of the authentication framework.

Effort Estimate : 2.0

Wire logs :

2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : URL [http://18.144.38.115:8090/example/v1/hotels/211836305]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Method [DELETE]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Auth []
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Request []
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Request-Headers [{Content-Type=[application/json], Accept=[application/xml, application/json]}]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Response [I/O error on DELETE request for "http://18.144.38.115:8090/example/v1/hotels/211836305": Connect to 18.144.38.115:8090 [/18.144.38.115] failed: connect timed out; nested exception is org.apache.http.conn.ConnectTimeoutException: Connect to 18.144.38.115:8090 [/18.144.38.115] failed: connect timed out]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Response-Headers [{}]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : StatusCode [500]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Time [15058]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Size [301]
2019-09-04 00:01:41 ERROR [ExampleV1HotelsIdDeleteAnonymousInvalid] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [500 == 401 OR 500 == 403] result [Failed]

Important Links :
Vulnerability Details : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/recommendations/8a80cb816cfb200d016cfc26e0f901f1/details

Project : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/jobs

Environment : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/environments/null/edit

Scan Dashboard : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/jobs/8a80cb816ce1de16016ce27355b30030/runs/8a80cb816cfb200d016cfc26886201ec

Playbook : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/template/ExampleV1HotelsIdDeleteAnonymousInvalid

Coverage : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/configuration

Code Sample : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/recommendations/8a80cb816cfb200d016cfc26e0f901f1/codesamples

PS : Please contact admin@fxlabs.local for APISec access and login issues.

--- APISec Bot ---

jaleelsyed commented 5 years ago

Message : This issue is manually closed from FX control plane.

Title : Unsecured Vulnerability on DELETE:/example/v1/hotels/{id}

Project : syncAll

Description : null

Risk : Unsecured

Severity : Major

API Endpoint : http://18.144.38.115:8090/example/v1/hotels/211836305

Environment : Master

Playbook : ExampleV1HotelsIdDeleteAnonymousInvalid

Researcher :
Quick Tips :

Suggestion : null

Effort Estimate : null

Wire logs :

2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : URL [http://18.144.38.115:8090/example/v1/hotels/211836305]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Method [DELETE]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Auth []
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Request []
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Request-Headers [{Content-Type=[application/json], Accept=[application/xml, application/json]}]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Response [I/O error on DELETE request for "http://18.144.38.115:8090/example/v1/hotels/211836305": Connect to 18.144.38.115:8090 [/18.144.38.115] failed: connect timed out; nested exception is org.apache.http.conn.ConnectTimeoutException: Connect to 18.144.38.115:8090 [/18.144.38.115] failed: connect timed out]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Response-Headers [{}]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : StatusCode [500]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Time [15058]
2019-09-04 00:01:41 DEBUG [ExampleV1HotelsIdDeleteAnonymousInvalid] : Size [301]
2019-09-04 00:01:41 ERROR [ExampleV1HotelsIdDeleteAnonymousInvalid] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [500 == 401 OR 500 == 403] result [Failed]

Important Links :
Vulnerability Details : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/recommendations/null/details

Project : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/jobs

Environment : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/environments/null/edit

Scan Dashboard : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/jobs/8a80cb816ce1de16016ce27355b30030/runs/8a80cb816cfb200d016cfc26886201ec

Playbook : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/template/ExampleV1HotelsIdDeleteAnonymousInvalid

Coverage : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/configuration

Code Sample : https://localhost:8080/#/app/projects/8a80cb816ce1de16016ce27343700000/recommendations/null/codesamples

PS : Please contact null for APISec access and login issues.

--- APISec Bot ---