Open sohail1024 opened 5 years ago
Project : TestingBanking1
Template : ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac
Run Id : 8a80803a696c49460169705d7a5d5bf9
Job : Default
Env : Default
Category : RBAC
Tags : [OWASP - OTG-IDENT-001 , FX Top 10 - API Vulnerability, Endpoint_Access_Control]
Severity : Major
Region : US_WEST_2
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Tue, 12 Mar 2019 05:26:17 GMT]}
Endpoint : http://54.215.136.217/api/v1/users/enterprise-sign-up
Request :
{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Brekke, Brekke and Brekke",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "tremayne.batz@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "National Design Consultant",
"location" : "GlQfKk1U",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "GlQfKk1U",
"password" : "GlQfKk1U",
"privileges" : [ "GlQfKk1U" ],
"username" : "cynthia.carter",
"version" : ""
}
Response :
{
"requestId" : "None",
"requestTime" : "2019-03-12T05:26:18.104+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Org name [Brekke, Brekke and Brekke] exists."
} ],
"data" : false,
"totalPages" : 0,
"totalElements" : 0
}
Logs :
2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : URL [http://54.215.136.217/api/v1/users/enterprise-sign-up]
2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Method [POST]
2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Brekke, Brekke and Brekke",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "tremayne.batz@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "National Design Consultant",
"location" : "GlQfKk1U",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "GlQfKk1U",
"password" : "GlQfKk1U",
"privileges" : [ "GlQfKk1U" ],
"username" : "cynthia.carter",
"version" : ""
}]
2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}]
2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Response [{
"requestId" : "None",
"requestTime" : "2019-03-12T05:26:18.104+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Org name [Brekke, Brekke and Brekke] exists."
} ],
"data" : false,
"totalPages" : 0,
"totalElements" : 0
}]
2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Tue, 12 Mar 2019 05:26:17 GMT]}]
2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : StatusCode [200]
2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Time [304]
2019-03-12 05:26:18 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Size [219]
2019-03-12 05:26:18 ERROR [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
--- FX Bot ---
Project : TestingBanking1
Template : ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac
Run Id : 8a8080f6695ba6ee01695ccd7a5903e1
Job : Default
Env : Default
Category : RBAC
Tags : [OWASP - OTG-IDENT-001 , FX Top 10 - API Vulnerability, Endpoint_Access_Control]
Severity : Major
Region : US_WEST_2
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Fri, 08 Mar 2019 10:16:19 GMT]}
Endpoint : http://54.215.136.217/api/v1/users/enterprise-sign-up
Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Muller LLC", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "filomena.feeney@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Dynamic Officer", "location" : "FlQiXKjb", "modifiedBy" : "", "modifiedDate" : "", "name" : "FlQiXKjb", "password" : "FlQiXKjb", "privileges" : [ "FlQiXKjb" ], "username" : "lucious.bartell", "version" : "" }
Response :
{ "requestId" : "None", "requestTime" : "2019-03-08T10:16:19.820+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Muller LLC] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }
Logs :
2019-03-08 10:16:19 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : URL [http://54.215.136.217/api/v1/users/enterprise-sign-up] 2019-03-08 10:16:19 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Method [POST] 2019-03-08 10:16:19 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Muller LLC", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "filomena.feeney@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Dynamic Officer", "location" : "FlQiXKjb", "modifiedBy" : "", "modifiedDate" : "", "name" : "FlQiXKjb", "password" : "FlQiXKjb", "privileges" : [ "FlQiXKjb" ], "username" : "lucious.bartell", "version" : "" }] 2019-03-08 10:16:19 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}] 2019-03-08 10:16:19 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Response [{ "requestId" : "None", "requestTime" : "2019-03-08T10:16:19.820+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Muller LLC] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }] 2019-03-08 10:16:19 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Fri, 08 Mar 2019 10:16:19 GMT]}] 2019-03-08 10:16:19 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : StatusCode [200] 2019-03-08 10:16:19 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Time [253] 2019-03-08 10:16:19 DEBUG [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Size [204] 2019-03-08 10:16:19 ERROR [ApiV1UsersEnterpriseSignUpPostRoleUserDisallowedRbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
--- FX Bot ---