Cases

    • Target 1: bring down OKAPI

      • Scenario 1a: just sending a lot of requests to Okapi from the public net
        • on the HTTP/HTTPS ports, which are proxied
      • Scenario 1b: sending a lot of requests to Okapi directly on port 9130
      • Scenario 2a: buffer overflow of OKAPI with huge header information (proxied)
      • Scenario 2b: buffer overflow of OKAPI with huge header information (direct connection)
      • others to be found
    • Target 2: bring down modules

      • possible target without an Okapi session: mod-login
        • Scenario 1: sending a lot of requests to the module
        • Scenario 2: buffer overflow of the module with huge payloads
      • all other modules that need a valid token with the matching permissions
        • Scenario 1: sending a lot of requests to the module
        • Scenario 2: buffer overflow of the module with huge payloads
      • others to be found
    • Target 3: URL-Scripting (abuse via GET parameters)

      • Make requests as a logged-in user and resend the same requests without a token

Scripts and Tools

https://schemathesis.readthedocs.io/en/stable/