Title: Unsecured Vulnerability on POST:/api/v1/users/team-sign-up
Project: SanityGitHub0306
Description: The endpoint accepts requests without any credentials, giving an unauthenticated attacker full access to it.
Risk: Unsecured
Severity: Major
API Endpoint: http://138.91.64.62:8080/api/v1/users/team-sign-up
Environment: Master
Playbook: ApiV1UsersTeamSignUpPostAnonymousInvalid
Researcher: [apisec Bot]
QUICK TIPS
Suggestion: Make sure the endpoint is secured as part of the authentication framework.
Effort Estimate: 2.0
Wire Logs:
08:44:50 [D] [AVUTSUPAInvalid] : URL [http://138.91.64.62:8080/api/v1/users/team-sign-up]
08:44:50 [D] [AVUTSUPAInvalid] : Method [POST]
08:44:50 [D] [AVUTSUPAInvalid] : Auth []
08:44:50 [D] [AVUTSUPAInvalid] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Mosciski-Mosciski",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "urban.west@yahoo.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Customer Government Assistant",
"location" : "nx3XAIC7",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "nx3XAIC7",
"password" : "ogajij0CWWH*",
"privileges" : [ "nx3XAIC7" ],
"username" : "mallory.kris",
"version" : ""
}]
08:44:50 [D] [AVUTSUPAInvalid] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}]
08:44:50 [D] [AVUTSUPAInvalid] : Response [{
"requestId" : "None",
"requestTime" : "2020-06-03T08:44:50.383+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Org name [Brekke LLC] exists."
} ],
"data" : false,
"totalPages" : 0,
"totalElements" : 0
}]
08:44:50 [D] [AVUTSUPAInvalid] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 03 Jun 2020 08:44:50 GMT]}]
08:44:50 [D] [AVUTSUPAInvalid] : StatusCode [200]
08:44:50 [D] [AVUTSUPAInvalid] : Time [547]
08:44:50 [D] [AVUTSUPAInvalid] : Size [204]
08:44:50 [E] [AVUTSUPAInvalid] : Assertion [@statuscode == 401 OR @statuscode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
IMPORTANT LINKS
Vulnerability Details:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba01727922a45a0593/recommendations/8a8081397278f8ba0172795c08072480/details
Project:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba01727922a45a0593/jobs
Coverage:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba01727922a45a0593/configuration
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---