Unsecured on PUT:/api/v1/primary-transaction #104

@asriz7777

Description

Title: Unsecured Vulnerability on PUT:/api/v1/primary-transaction
Project: SanityFX3JUN
Description: The unsecured exploit gives an attacker full access to the vulnerable endpoint without credentials.
Risk: Unsecured
Severity: Major
API Endpoint: http://138.91.64.62:8080/api/v1/primary-transaction
Environment: Master_copy
Playbook: ApiV1PrimaryTransactionPutAnonymousInvalid
Researcher: [apisec Bot]

QUICK TIPS

Suggestion: Make sure the endpoint is secured as part of the authentication framework.
Effort Estimate: 2.0
Wire Logs:
10:12:26 [D] [AVPTPAInvalid] : URL [http://138.91.64.62:8080/api/v1/primary-transaction]
10:12:26 [D] [AVPTPAInvalid] : Method [PUT]
10:12:26 [D] [AVPTPAInvalid] : Auth []
10:12:26 [D] [AVPTPAInvalid] : Request [{
"amount" : "6495",
"availableBalance" : "1690938913",
"createdBy" : "",
"createdDate" : "",
"description" : "LYp4HYw4",
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"status" : "LYp4HYw4",
"type" : "LYp4HYw4",
"user" : {
"createdBy" : "",
"createdDate" : "",
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "LYp4HYw4",
"version" : ""
},
"version" : ""
}]
10:12:26 [D] [AVPTPAInvalid] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}]
10:12:26 [D] [AVPTPAInvalid] : Response [{
"requestId" : "None",
"requestTime" : "2020-06-03T10:12:26.834+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : null
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}]
10:12:26 [D] [AVPTPAInvalid] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 03 Jun 2020 10:12:26 GMT]}]
10:12:26 [D] [AVPTPAInvalid] : StatusCode [200]
10:12:26 [D] [AVPTPAInvalid] : Time [291]
10:12:26 [D] [AVPTPAInvalid] : Size [176]
10:12:26 [E] [AVPTPAInvalid] : Assertion [@statuscode == 401 OR @statuscode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]

IMPORTANT LINKS

Vulnerability Details:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba0172794cc22c1e71/recommendations/8a8081397278f8ba017279b3163b3c60/details

Project:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba0172794cc22c1e71/jobs

Environment:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba0172794cc22c1e71/environments/8a8081397278f8ba01727973d14328c7/edit

Scan Dashboard:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba0172794cc22c1e71/jobs/8a8081397278f8ba01727973d15e28c9/runs/8a8081397278f8ba017279aae49839b7

Playbook:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba0172794cc22c1e71/template/ApiV1PrimaryTransactionPutAnonymousInvalid

Coverage:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba0172794cc22c1e71/configuration

Code Sample:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba0172794cc22c1e71/recommendations/8a8081397278f8ba017279b3163b3c60/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.

--- apisec Bot ---