Closed zahedmohammed closed 5 years ago
Project : ticketlake
Job : Default
Env : Default
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 200
Headers : {Date=[Mon, 21 Jan 2019 06:07:02 GMT], Content-Type=[application/json], Connection=[keep-alive], Access-Control-Allow-Headers=[X-Requested-With,Content-Type,Accept,Origin], Access-Control-Allow-Origin=[], Access-Control-Allow-Methods=[], Access-Control-Allow-Credentials=[true]}
Endpoint : http://virtserver.swaggerhub.com/T6352/Ticket-Lake/1.0.0/pet/findByStatus?status=598011861
Request :
Response :
[ {
"id" : 0,
"category" : {
"id" : 0,
"name" : "string"
},
"name" : "doggie",
"photoUrls" : [ "string" ],
"tags" : [ {
"id" : 0,
"name" : "string"
} ],
"status" : "available"
} ]
Logs :
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : URL [http://virtserver.swaggerhub.com/T6352/Ticket-Lake/1.0.0/pet/findByStatus?status=598011861]
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Method [GET]
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Request []
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}]
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Response [[ {
"id" : 0,
"category" : {
"id" : 0,
"name" : "string"
},
"name" : "doggie",
"photoUrls" : [ "string" ],
"tags" : [ {
"id" : 0,
"name" : "string"
} ],
"status" : "available"
} ]]
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Response-Headers [{Date=[Mon, 21 Jan 2019 06:07:02 GMT], Content-Type=[application/json], Connection=[keep-alive], Access-Control-Allow-Headers=[X-Requested-With,Content-Type,Accept,Origin], Access-Control-Allow-Origin=[], Access-Control-Allow-Methods=[], Access-Control-Allow-Credentials=[true]}]
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : StatusCode [200]
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Time [521]
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Size [211]
2019-01-21 06:07:01 ERROR [PetFindbystatusGetRoleUserDisallowedRbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
--- FX Bot ---
Project : ticketlake
Job : Default
Env : Default
Category : RBAC
Tags : [OWASP - OTG-IDENT-001 , FX Top 10 - API Vulnerability]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 200
Headers : {Date=[Thu, 17 Jan 2019 10:50:58 GMT], Content-Type=[application/json], Connection=[keep-alive], Access-Control-Allow-Headers=[X-Requested-With,Content-Type,Accept,Origin], Access-Control-Allow-Origin=[], Access-Control-Allow-Methods=[], Access-Control-Allow-Credentials=[true]}
Endpoint : http://virtserver.swaggerhub.com/T6352/Ticket-Lake/1.0.0/pet/findByStatus?status=1335789843
Request :
Response :
[ { "id" : 0, "category" : { "id" : 0, "name" : "string" }, "name" : "doggie", "photoUrls" : [ "string" ], "tags" : [ { "id" : 0, "name" : "string" } ], "status" : "available" } ]
Logs :
2019-01-17 10:50:57 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : URL [http://virtserver.swaggerhub.com/T6352/Ticket-Lake/1.0.0/pet/findByStatus?status=1335789843]
2019-01-17 10:50:57 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Method [GET]
2019-01-17 10:50:57 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Request []
2019-01-17 10:50:57 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}]
2019-01-17 10:50:57 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Response [[ { "id" : 0, "category" : { "id" : 0, "name" : "string" }, "name" : "doggie", "photoUrls" : [ "string" ], "tags" : [ { "id" : 0, "name" : "string" } ], "status" : "available" } ]]
2019-01-17 10:50:57 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Response-Headers [{Date=[Thu, 17 Jan 2019 10:50:58 GMT], Content-Type=[application/json], Connection=[keep-alive], Access-Control-Allow-Headers=[X-Requested-With,Content-Type,Accept,Origin], Access-Control-Allow-Origin=[], Access-Control-Allow-Methods=[], Access-Control-Allow-Credentials=[true]}]
2019-01-17 10:50:57 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : StatusCode [200]
2019-01-17 10:50:57 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Time [1121]
2019-01-17 10:50:57 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Size [211]
2019-01-17 10:50:57 ERROR [PetFindbystatusGetRoleUserDisallowedRbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
--- FX Bot ---
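Both reports above record the same RBAC finding: a GET to /pet/findByStatus sent with no Authorization or Cookie header (only Content-Type and Accept) was answered 200 with pet data, while the test asserted `@StatusCode == 401 OR @StatusCode == 403`. Two things a practitioner will want to check before acting on it are whether the logged assertion really failed against the logged status, and where the request went: the host is virtserver.swaggerhub.com, SwaggerHub's API Auto Mocking server, which serves the spec's example responses and enforces no authorization, so a 200 from it says nothing about the real Ticket-Lake deployment. The script below is an added example, not code from the FX Bot report or from the FXLabs tooling. It parses the log lines copied from the report, re-evaluates the assertion, flags the mock host and the missing credentials, and can replay the request live with `--live`. The assertion grammar it accepts (`@StatusCode` compared with an integer, terms joined by OR and AND with AND binding tighter) is an assumption derived from the single assertion visible in the log, not FXLabs' actual expression language.

```python
"""Re-check an FX Bot RBAC finding offline and, on request, replay it live.

Added example; not code from the FX Bot report or the FXLabs tooling.
SAMPLE_LOG is copied from the report above (constructed sample input).
The assertion grammar handled here (@StatusCode compared with an integer,
terms joined by OR / AND, AND binding tighter) is an assumption based on
the one assertion visible in the log, not FXLabs' real expression language.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

SAMPLE_LOG = """\
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : URL [http://virtserver.swaggerhub.com/T6352/Ticket-Lake/1.0.0/pet/findByStatus?status=598011861]
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Method [GET]
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}]
2019-01-21 06:07:01 DEBUG [PetFindbystatusGetRoleUserDisallowedRbac] : StatusCode [200]
2019-01-21 06:07:01 ERROR [PetFindbystatusGetRoleUserDisallowedRbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
"""

# One "Key [value]" log entry; the value runs to the last ']' on the line.
ENTRY_RE = re.compile(r"^\S+ \S+ (?:DEBUG|ERROR) \[(?P<test>[^\]]+)\] : (?P<key>[A-Za-z-]+) \[(?P<val>.*)\]$")
ASSERT_RE = re.compile(r"Assertion \[(?P<expr>.*?)\] resolved-to \[(?P<resolved>.*?)\] result \[(?P<result>\w+)\]$")
HEADER_RE = re.compile(r"([A-Za-z0-9-]+)=\[([^\]]*)\]")
TERM_RE = re.compile(r"^@StatusCode\s*(==|!=)\s*(\d{3})$")

# SwaggerHub's API Auto Mocking host: it answers from the spec's example
# responses and enforces no authorization, so a 200 from it is not evidence
# about the real deployment's access control.
MOCK_HOSTS = {"virtserver.swaggerhub.com"}


def parse_fx_log(text):
    """Extract URL, method, request headers, status and assertion from one test's log lines."""
    f = {"test": None, "url": None, "method": None, "headers": {}, "status": None,
         "assertion": None, "log_resolved": None, "log_result": None}
    for line in text.splitlines():
        line = line.strip()
        a = ASSERT_RE.search(line)
        if a:
            f["assertion"], f["log_resolved"], f["log_result"] = a.group("expr", "resolved", "result")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # multi-line Response bodies and anything else are skipped
        f["test"] = m.group("test")
        key, val = m.group("key"), m.group("val")
        if key == "URL":
            f["url"] = val
        elif key == "Method":
            f["method"] = val
        elif key == "Request-Headers":
            f["headers"] = dict(HEADER_RE.findall(val))
        elif key == "StatusCode":
            f["status"] = int(val)
    return f


def evaluate_assertion(expr, status):
    """Substitute @StatusCode into expr and evaluate it; returns (resolved text, passed)."""
    def term(t):
        m = TERM_RE.match(t.strip())
        if not m:
            raise ValueError("unsupported assertion term: %r" % t)
        op, code = m.group(1), int(m.group(2))
        return status == code if op == "==" else status != code
    passed = any(all(term(t) for t in clause.split(" AND ")) for clause in expr.split(" OR "))
    return expr.replace("@StatusCode", str(status)), passed


def is_mock_endpoint(url):
    """True when the request went to a mock host rather than a real deployment."""
    return urlsplit(url).hostname in MOCK_HOSTS


def check_finding(text):
    """Re-evaluate the logged assertion and flag a mock host and a credential-less request."""
    f = parse_fx_log(text)
    resolved, passed = evaluate_assertion(f["assertion"], f["status"])
    f["resolved"], f["passed"] = resolved, passed
    # The tool's own verdict should agree with our re-evaluation, text and outcome.
    f["consistent"] = (f["log_result"] == "Passed") == passed and resolved == f["log_resolved"]
    f["mock_host"] = is_mock_endpoint(f["url"])
    # The RBAC test carried no Authorization or Cookie header, so a 200 means
    # the endpoint returned data to an unauthenticated request.
    f["unauthenticated"] = not ({"authorization", "cookie"} & {h.lower() for h in f["headers"]})
    return f


def replay(url, headers, timeout=10):
    """Live replay of the logged request (uses the network); returns the HTTP status code."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    fd = check_finding(SAMPLE_LOG)
    print("%s %s -> %d; assertion %s; resolved [%s]; mock host: %s; unauthenticated: %s"
          % (fd["method"], fd["url"], fd["status"], "passed" if fd["passed"] else "FAILED",
             fd["resolved"], fd["mock_host"], fd["unauthenticated"]))
    if "--live" in sys.argv:
        live = replay(fd["url"], fd["headers"])
        print("live replay:", live, "passes" if evaluate_assertion(fd["assertion"], live)[1] else "fails")
```

Run it without arguments to re-check the report offline; `python3 recheck.py --live` (file name is the reader's choice) repeats the unauthenticated GET against the logged URL and re-applies the same assertion, which is the quickest way to tell whether the failure is still reproducible and whether it is coming from the mock or from a real host.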