search

sohail1024 / testing1

0 stars 0 forks source link

Vulnerability [RBAC] : POST:/api/v1/users/enterprise-sign-up #117

Open sohail1024 opened 5 years ago

sohail1024 commented 5 years ago

Project : TestingBanking1

Template : ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac

Run Id : 8a8080f6695ba6ee01695ccd7a5903e1

Job : Default

Env : Default

Category : RBAC

Tags : [OWASP - OTG-IDENT-001 , FX Top 10 - API Vulnerability, Endpoint_Access_Control]

Severity : Major

Region : US_WEST_2

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Fri, 08 Mar 2019 10:16:17 GMT]}

Endpoint : http://54.215.136.217/api/v1/users/enterprise-sign-up

Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "West Inc", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "branson.emmerich@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Investor Technology Strategist", "location" : "Yf9a6iAd", "modifiedBy" : "", "modifiedDate" : "", "name" : "Yf9a6iAd", "password" : "Yf9a6iAd", "privileges" : [ "Yf9a6iAd" ], "username" : "tabitha.gaylord", "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-03-08T10:16:17.365+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [West Inc] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-03-08 10:16:17 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : URL [http://54.215.136.217/api/v1/users/enterprise-sign-up] 2019-03-08 10:16:17 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Method [POST] 2019-03-08 10:16:17 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "West Inc", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "branson.emmerich@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Investor Technology Strategist", "location" : "Yf9a6iAd", "modifiedBy" : "", "modifiedDate" : "", "name" : "Yf9a6iAd", "password" : "Yf9a6iAd", "privileges" : [ "Yf9a6iAd" ], "username" : "tabitha.gaylord", "version" : "" }] 2019-03-08 10:16:17 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}] 2019-03-08 10:16:17 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Response [{ "requestId" : "None", "requestTime" : "2019-03-08T10:16:17.365+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [West Inc] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }] 2019-03-08 10:16:17 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Fri, 08 Mar 2019 10:16:17 GMT]}] 2019-03-08 10:16:17 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : StatusCode [200] 2019-03-08 10:16:17 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Time [307] 2019-03-08 10:16:17 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Size [202] 2019-03-08 10:16:17 ERROR [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]

--- FX Bot ---

sohail1024 commented 5 years ago

Project : TestingBanking1

Template : ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac

Run Id : 8a80803a696c49460169705d7a5d5bf9

Job : Default

Env : Default

Category : RBAC

Tags : [OWASP - OTG-IDENT-001 , FX Top 10 - API Vulnerability, Endpoint_Access_Control]

Severity : Major

Region : US_WEST_2

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Tue, 12 Mar 2019 05:26:17 GMT]}

Endpoint : http://54.215.136.217/api/v1/users/enterprise-sign-up

Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Jacobs, Jacobs and Jacobs", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "carmel.lubowitz@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Hospitality Designer", "location" : "JWDJfteq", "modifiedBy" : "", "modifiedDate" : "", "name" : "JWDJfteq", "password" : "JWDJfteq", "privileges" : [ "JWDJfteq" ], "username" : "zoie.mayert", "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-03-12T05:26:18.069+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Jacobs, Jacobs and Jacobs] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : URL [http://54.215.136.217/api/v1/users/enterprise-sign-up] 2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Method [POST] 2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Jacobs, Jacobs and Jacobs", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "carmel.lubowitz@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Hospitality Designer", "location" : "JWDJfteq", "modifiedBy" : "", "modifiedDate" : "", "name" : "JWDJfteq", "password" : "JWDJfteq", "privileges" : [ "JWDJfteq" ], "username" : "zoie.mayert", "version" : "" }] 2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}] 2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Response [{ "requestId" : "None", "requestTime" : "2019-03-12T05:26:18.069+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Jacobs, Jacobs and Jacobs] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }] 2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Tue, 12 Mar 2019 05:26:17 GMT]}] 2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : StatusCode [200] 2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Time [324] 2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Size [219] 2019-03-12 05:26:18 ERROR [ApiV1UsersEnterpriseSignUpPostRolePmDisallowedRbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]

--- FX Bot ---