Project : ticketlake
Job : Default
Env : Default
Category : RBAC
Tags : [OWASP - OTG-IDENT-001, FX Top 10 - API Vulnerability]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail (POST /user without credentials returned 201 where the assertion expected 401 or 403; see the Logs assertion below)
Status Code : 201
Headers : {Date=[Thu, 17 Jan 2019 10:50:58 GMT], Content-Type=[application/json], Connection=[keep-alive], Access-Control-Allow-Headers=[X-Requested-With,Content-Type,Accept,Origin], Access-Control-Allow-Origin=[], Access-Control-Allow-Methods=[], Access-Control-Allow-Credentials=[true]}
Endpoint : http://virtserver.swaggerhub.com/T6352/Ticket-Lake/1.0.0/user (a SwaggerHub mock server; the 201 may be the mock's canned response rather than the real service's authorization behavior, so confirm against the deployed API before treating this as a confirmed RBAC finding)
Request : { "id" : "", "username" : "delaney.satterfield", "firstName" : "Andre", "lastName" : "Herzog", "email" : "aric.price@yahoo.com", "password" : "JMpOvuwl", "phone" : "1-068-816-3583 x6236", "userStatus" : "403305370" }
Response : null
Logs : 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : URL [http://virtserver.swaggerhub.com/T6352/Ticket-Lake/1.0.0/user] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Method [POST] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Request [{ "id" : "", "username" : "delaney.satterfield", "firstName" : "Andre", "lastName" : "Herzog", "email" : "aric.price@yahoo.com", "password" : "JMpOvuwl", "phone" : "1-068-816-3583 x6236", "userStatus" : "403305370" }] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Response [null] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Response-Headers [{Date=[Thu, 17 Jan 2019 10:50:58 GMT], Content-Type=[application/json], Connection=[keep-alive], Access-Control-Allow-Headers=[X-Requested-With,Content-Type,Accept,Origin], Access-Control-Allow-Origin=[], Access-Control-Allow-Methods=[], Access-Control-Allow-Credentials=[true]}] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : StatusCode [201] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Time [751] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Size [0] 2019-01-17 10:50:57 ERROR [UserPostRoleAdminDisallowedRbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [201 == 401 OR 201 == 403] result [Failed]
--- FX Bot ---
Project : ticketlake
Job : Default
Env : Default
Category : RBAC
Tags : [OWASP - OTG-IDENT-001, FX Top 10 - API Vulnerability]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail (POST /user without credentials returned 201 where the assertion expected 401 or 403; see the Logs assertion below)
Status Code : 201
Headers : {Date=[Thu, 17 Jan 2019 10:50:58 GMT], Content-Type=[application/json], Connection=[keep-alive], Access-Control-Allow-Headers=[X-Requested-With,Content-Type,Accept,Origin], Access-Control-Allow-Origin=[], Access-Control-Allow-Methods=[], Access-Control-Allow-Credentials=[true]}
Endpoint : http://virtserver.swaggerhub.com/T6352/Ticket-Lake/1.0.0/user (a SwaggerHub mock server; the 201 may be the mock's canned response rather than the real service's authorization behavior, so confirm against the deployed API before treating this as a confirmed RBAC finding)
Request :
{ "id" : "", "username" : "delaney.satterfield", "firstName" : "Andre", "lastName" : "Herzog", "email" : "aric.price@yahoo.com", "password" : "JMpOvuwl", "phone" : "1-068-816-3583 x6236", "userStatus" : "403305370" }
Response :
null
Logs :
2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : URL [http://virtserver.swaggerhub.com/T6352/Ticket-Lake/1.0.0/user] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Method [POST] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Request [{ "id" : "", "username" : "delaney.satterfield", "firstName" : "Andre", "lastName" : "Herzog", "email" : "aric.price@yahoo.com", "password" : "JMpOvuwl", "phone" : "1-068-816-3583 x6236", "userStatus" : "403305370" }] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Response [null] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Response-Headers [{Date=[Thu, 17 Jan 2019 10:50:58 GMT], Content-Type=[application/json], Connection=[keep-alive], Access-Control-Allow-Headers=[X-Requested-With,Content-Type,Accept,Origin], Access-Control-Allow-Origin=[], Access-Control-Allow-Methods=[], Access-Control-Allow-Credentials=[true]}] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : StatusCode [201] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Time [751] 2019-01-17 10:50:57 DEBUG [UserPostRoleAdminDisallowedRbac] : Size [0] 2019-01-17 10:50:57 ERROR [UserPostRoleAdminDisallowedRbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [201 == 401 OR 201 == 403] result [Failed]
--- FX Bot ---