bizpay : ChargesRefundIdAmountAmountPutUsercDisallowAbac

[zahedmohammed]

Project : bizpay

Job : Default

Env : Default

Category : ABAC_Level1

Tags : [FX Top 10 - API Vulnerability]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 301

Headers : {Server=[nginx], Date=[Mon, 21 Jan 2019 06:16:31 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/refund/?amount=]}

Endpoint : http://api.bizpay.co.uk/v1.25/charges/refund/?amount=

Request :
{ "id" : "", "gateway" : "worldpay", "label" : "v2xlHbso", "default" : false, "show" : false }

Response :

301 Moved Permanently

---

nginx

Logs :
2019-01-21 06:16:29 DEBUG [null] : URL [http://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=LJLzeKlb] 2019-01-21 06:16:29 DEBUG [null] : Method [POST] 2019-01-21 06:16:29 DEBUG [null] : Request [{ "id" : "", "gateway" : "worldpay", "label" : "B3vnxlpu", "default" : false, "show" : false }] 2019-01-21 06:16:29 DEBUG [null] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckFAYml6cGF5LmNvLnVrOnVzZXJB]}] 2019-01-21 06:16:29 DEBUG [null] : Response [

301 Moved Permanently

---

nginx

] 2019-01-21 06:16:29 DEBUG [null] : Response-Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 06:16:30 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=LJLzeKlb]}] 2019-01-21 06:16:29 DEBUG [null] : StatusCode [301] 2019-01-21 06:16:29 DEBUG [null] : Time [587] 2019-01-21 06:16:29 DEBUG [null] : Size [178] 2019-01-21 06:16:29 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [301 == 200 OR 301 == 201] result [Failed] 2019-01-21 06:16:29 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers] : Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 06:16:30 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=LJLzeKlb]}] 2019-01-21 06:16:29 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers] : Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 06:16:30 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=LJLzeKlb]}] 2019-01-21 06:16:29 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers[2]] : Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 06:16:30 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=LJLzeKlb]}] 2019-01-21 06:16:29 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers[2]] : Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 06:16:30 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=LJLzeKlb]}] 2019-01-21 06:16:29 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : URL [http://api.bizpay.co.uk/v1.25/charges/refund/?amount=] 2019-01-21 06:16:29 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Method [PUT] 2019-01-21 06:16:29 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Request [{ "id" : "", "gateway" : "worldpay", "label" : "v2xlHbso", "default" : false, "show" : false }] 2019-01-21 06:16:29 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckNAYml6cGF5LmNvLnVrOnVzZXJD]}] 2019-01-21 06:16:29 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Response [

301 Moved Permanently

---

nginx

] 2019-01-21 06:16:29 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Response-Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 06:16:31 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/refund/?amount=]}] 2019-01-21 06:16:29 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : StatusCode [301] 2019-01-21 06:16:29 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Time [650] 2019-01-21 06:16:29 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Size [178] 2019-01-21 06:16:29 ERROR [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [301 == 401 OR 301 == 403 OR == true] result [Failed] 2019-01-21 06:16:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : URL [http://api.bizpay.co.uk/v1.25/charges/methods/] 2019-01-21 06:16:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Method [DELETE] 2019-01-21 06:16:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Request [null] 2019-01-21 06:16:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckFAYml6cGF5LmNvLnVrOnVzZXJB]}] 2019-01-21 06:16:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Response [

301 Moved Permanently

---

nginx

] 2019-01-21 06:16:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Response-Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 06:16:31 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/]}] 2019-01-21 06:16:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : StatusCode [301] 2019-01-21 06:16:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Time [613] 2019-01-21 06:16:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Size [178] 2019-01-21 06:16:30 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [301 == 200] result [Failed]

--- FX Bot ---

[zahedmohammed]

Project : bizpay

Job : Default

Env : Default

Region : Test19

Result : fail

Status Code : 301

Headers : {Server=[nginx], Date=[Mon, 21 Jan 2019 10:38:30 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/refund/?amount=]}

Endpoint : http://api.bizpay.co.uk/v1.25/charges/refund/?amount=

Request :
{ "id" : "", "gateway" : "worldpay", "label" : "p5yEolEf", "default" : false, "show" : false }

Response :

301 Moved Permanently

---

nginx

Logs :
2019-01-21 10:38:29 DEBUG [null] : URL [http://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=DXaQEFMj] 2019-01-21 10:38:29 DEBUG [null] : Method [POST] 2019-01-21 10:38:29 DEBUG [null] : Request [{ "id" : "", "gateway" : "worldpay", "label" : "bt4tZYIG", "default" : false, "show" : false }] 2019-01-21 10:38:29 DEBUG [null] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckFAYml6cGF5LmNvLnVrOnVzZXJB]}] 2019-01-21 10:38:29 DEBUG [null] : Response [

301 Moved Permanently

---

nginx

] 2019-01-21 10:38:29 DEBUG [null] : Response-Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 10:38:29 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=DXaQEFMj]}] 2019-01-21 10:38:29 DEBUG [null] : StatusCode [301] 2019-01-21 10:38:29 DEBUG [null] : Time [314] 2019-01-21 10:38:29 DEBUG [null] : Size [178] 2019-01-21 10:38:29 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [301 == 200 OR 301 == 201] result [Failed] 2019-01-21 10:38:29 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers] : Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 10:38:29 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=DXaQEFMj]}] 2019-01-21 10:38:29 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers] : Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 10:38:29 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=DXaQEFMj]}] 2019-01-21 10:38:29 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers[2]] : Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 10:38:29 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=DXaQEFMj]}] 2019-01-21 10:38:29 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers[2]] : Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 10:38:29 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=DXaQEFMj]}] 2019-01-21 10:38:30 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : URL [http://api.bizpay.co.uk/v1.25/charges/refund/?amount=] 2019-01-21 10:38:30 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Method [PUT] 2019-01-21 10:38:30 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Request [{ "id" : "", "gateway" : "worldpay", "label" : "p5yEolEf", "default" : false, "show" : false }] 2019-01-21 10:38:30 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckNAYml6cGF5LmNvLnVrOnVzZXJD]}] 2019-01-21 10:38:30 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Response [

301 Moved Permanently

---

nginx

] 2019-01-21 10:38:30 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Response-Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 10:38:30 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/refund/?amount=]}] 2019-01-21 10:38:30 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : StatusCode [301] 2019-01-21 10:38:30 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Time [313] 2019-01-21 10:38:30 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Size [178] 2019-01-21 10:38:30 ERROR [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [301 == 401 OR 301 == 403 OR == true] result [Failed] 2019-01-21 10:38:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : URL [http://api.bizpay.co.uk/v1.25/charges/methods/] 2019-01-21 10:38:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Method [DELETE] 2019-01-21 10:38:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Request [null] 2019-01-21 10:38:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckFAYml6cGF5LmNvLnVrOnVzZXJB]}] 2019-01-21 10:38:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Response [

301 Moved Permanently

---

nginx

] 2019-01-21 10:38:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Response-Headers [{Server=[nginx], Date=[Mon, 21 Jan 2019 10:38:30 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/]}] 2019-01-21 10:38:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : StatusCode [301] 2019-01-21 10:38:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Time [302] 2019-01-21 10:38:30 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Size [178] 2019-01-21 10:38:30 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [301 == 200] result [Failed]

--- FX Bot ---

[zahedmohammed]

Project : bizpay

Job : Default

Env : Default

Region : Test19

Result : fail

Status Code : 301

Headers : {Server=[nginx], Date=[Mon, 21 Jan 2019 11:15:52 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/refund/?amount=]}

Endpoint : http://api.bizpay.co.uk/v1.25/charges/refund/?amount=

Request :
{ "id" : "", "gateway" : "worldpay", "label" : "KO3L7BoW", "default" : false, "show" : false }

Response :

301 Moved Permanently

---

nginx

Logs :
Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [301 == 401 OR 301 == 403 OR == true] result [Failed] --- FX Bot ---

[zahedmohammed]

Project : bizpay

Job : Default

Env : Default

Region : Test19

Result : fail

Status Code : 301

Headers : {Server=[nginx], Date=[Fri, 25 Jan 2019 12:03:51 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/refund/?amount=]}

Endpoint : http://api.bizpay.co.uk/v1.25/charges/refund/?amount=

Request :
{ "id" : "", "gateway" : "worldpay", "label" : "zJaPMQa8", "default" : false, "show" : false }

Response :

301 Moved Permanently

---

nginx

Logs :
2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac] : URL [http://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=fpBuRYVZ] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac] : Method [POST] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac] : Request [{ "id" : "", "gateway" : "worldpay", "label" : "YaYB3UoN", "default" : false, "show" : false }] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckFAYml6cGF5LmNvLnVrOnVzZXJB]}] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac] : Response [

301 Moved Permanently

---

nginx

] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac] : Response-Headers [{Server=[nginx], Date=[Fri, 25 Jan 2019 12:03:50 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=fpBuRYVZ]}] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac] : StatusCode [301] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac] : Time [318] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac] : Size [178] 2019-01-25 00:03:51 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [301 == 200 OR 301 == 201] result [Failed] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers] : Headers [{Server=[nginx], Date=[Fri, 25 Jan 2019 12:03:50 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=fpBuRYVZ]}] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers] : Headers [{Server=[nginx], Date=[Fri, 25 Jan 2019 12:03:50 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=fpBuRYVZ]}] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers[2]] : Headers [{Server=[nginx], Date=[Fri, 25 Jan 2019 12:03:50 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=fpBuRYVZ]}] 2019-01-25 00:03:51 DEBUG [PostChargeMethodCreateUserAInitAbac_Headers[2]] : Headers [{Server=[nginx], Date=[Fri, 25 Jan 2019 12:03:50 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/?customer_id=fpBuRYVZ]}] 2019-01-25 00:03:51 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : URL [http://api.bizpay.co.uk/v1.25/charges/refund/?amount=] 2019-01-25 00:03:51 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Method [PUT] 2019-01-25 00:03:51 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Request [{ "id" : "", "gateway" : "worldpay", "label" : "zJaPMQa8", "default" : false, "show" : false }] 2019-01-25 00:03:51 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckNAYml6cGF5LmNvLnVrOnVzZXJD]}] 2019-01-25 00:03:51 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Response [

301 Moved Permanently

---

nginx

] 2019-01-25 00:03:51 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Response-Headers [{Server=[nginx], Date=[Fri, 25 Jan 2019 12:03:51 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/refund/?amount=]}] 2019-01-25 00:03:51 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : StatusCode [301] 2019-01-25 00:03:51 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Time [324] 2019-01-25 00:03:51 DEBUG [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Size [178] 2019-01-25 00:03:51 ERROR [ChargesRefundIdAmountAmountPutUsercDisallowAbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [301 == 401 OR 301 == 403 OR == true] result [Failed] 2019-01-25 00:03:52 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : URL [http://api.bizpay.co.uk/v1.25/charges/methods/] 2019-01-25 00:03:52 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Method [DELETE] 2019-01-25 00:03:52 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Request [null] 2019-01-25 00:03:52 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckFAYml6cGF5LmNvLnVrOnVzZXJB]}] 2019-01-25 00:03:52 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Response [

301 Moved Permanently

---

nginx

] 2019-01-25 00:03:52 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Response-Headers [{Server=[nginx], Date=[Fri, 25 Jan 2019 12:03:51 GMT], Content-Type=[text/html], Content-Length=[178], Connection=[keep-alive], Location=[https://api.bizpay.co.uk/v1.25/charges/methods/]}] 2019-01-25 00:03:52 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : StatusCode [301] 2019-01-25 00:03:52 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Time [306] 2019-01-25 00:03:52 DEBUG [ChargesMethodsIdDeleteAbstractAbac] : Size [178] 2019-01-25 00:03:52 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [301 == 200] result [Failed]

--- FX Bot ---