zahedmohammed / testingApi

0 stars 0 forks source link

test2531 : ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac #163

Closed zahedmohammed closed 5 years ago

zahedmohammed commented 5 years ago

Project : test2531

Job : Default

Env : Default

Category : RBAC

Tags : [OWASP - OTG-IDENT-001 , FX Top 10 - API Vulnerability, Endpoint_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 400

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Feb 2019 14:21:52 GMT]}

Endpoint : http://54.215.136.217/api/v1/users/personal-sign-up

Request :

Response :
{ "timestamp" : "2019-02-20T14:21:52.157+0000", "status" : 400, "error" : "Bad Request", "message" : "Required request body is missing: public com.fxlabs.issues.dto.base.Response com.fxlabs.issues.rest.users.UsersController.personalSignUp(com.fxlabs.issues.dto.users.Users)", "path" : "/api/v1/users/personal-sign-up" }

Logs :
2019-02-20 02:21:52 DEBUG [ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac] : URL [http://54.215.136.217/api/v1/users/personal-sign-up] 2019-02-20 02:21:52 DEBUG [ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac] : Method [POST] 2019-02-20 02:21:52 DEBUG [ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac] : Request [] 2019-02-20 02:21:52 DEBUG [ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}] 2019-02-20 02:21:52 DEBUG [ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac] : Response [{ "timestamp" : "2019-02-20T14:21:52.157+0000", "status" : 400, "error" : "Bad Request", "message" : "Required request body is missing: public com.fxlabs.issues.dto.base.Response com.fxlabs.issues.rest.users.UsersController.personalSignUp(com.fxlabs.issues.dto.users.Users)", "path" : "/api/v1/users/personal-sign-up" }] 2019-02-20 02:21:52 DEBUG [ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Feb 2019 14:21:52 GMT]}] 2019-02-20 02:21:52 DEBUG [ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac] : StatusCode [400] 2019-02-20 02:21:52 DEBUG [ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac] : Time [13] 2019-02-20 02:21:52 DEBUG [ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac] : Size [322] 2019-02-20 02:21:52 ERROR [ApiV1UsersPersonalSignUpPostRoleUserDisallowedRbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed]

--- FX Bot ---

zahedmohammed commented 5 years ago

Message : This issue is manually closed from FX control plane.

Project : test2531

Job : Default

Env : Default

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 400

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Feb 2019 14:21:52 GMT]}

Endpoint : http://54.215.136.217/api/v1/users/personal-sign-up

Request :

Response :
{ "timestamp" : "2019-02-20T14:21:52.157+0000", "status" : 400, "error" : "Bad Request", "message" : "Required request body is missing: public com.fxlabs.issues.dto.base.Response com.fxlabs.issues.rest.users.UsersController.personalSignUp(com.fxlabs.issues.dto.users.Users)", "path" : "/api/v1/users/personal-sign-up" }

Logs :
Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed] --- FX Bot ---