Test cases & and Test-Scripts/Tools

Owned by Axel Dörrer

Last updated: Jan 19, 2023

1 min read

Cases

- Target 1: bring down OKAPI
  - Scenario 1a: just throwing a lot of requests to Okapi from the public net
    - on the https/http ports which are proxied
  - Scenario 1b: throwing a lot of requests to Okapi directly to port 9130
  - Scenario 2a: Buffer overflow OKAPI with huge header informations (proxied)
  - Scenario 2b: Buffer overflow OKAPI with huge header informations (direct connection)
  - others to be find
- Target 2: to bring down modules
  - possible target without okapi session: mod-login
    - Scenario 1: throwing a lot of requests to the module
    - Scenario 2: Buffer overflow module with huge pay loads
  - all other modules that needs a valid token with the matching permissions
    - Scenario 1: throwing a lot of requests to the module
    - Scenario 2: Buffer overflow module with huge pay loads
  - others to be find
- Target 3: URL-Scripting (abusing by using get parameters)
  - Do requests as a logged in users and resend request without token

Scripts and Tools

https://schemathesis.readthedocs.io/en/stable/