{"type":"doc","content":[{"type":"heading","attrs":{"level":2},"content":[{"text":"Cases","type":"text"}]},{"type":"extension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"legacy-content","text":"Target 1: bring down OKAPI Scenario 1a: just throwing a lot of requests to Okapi from the public net on the https/http ports which are proxied Scenario 1b: throwing a lot of requests to Okapi directly to port 9130 Scenario 2a: Buffer overflow OKAPI with huge header informations (proxied) Scenario 2b: Buffer overflow OKAPI with huge header informations (direct connection) others to be find Target 2: to bring down modules possible target without okapi session: mod-login Scenario 1: throwing a lot of requests to the module Scenario 2: Buffer overflow module with huge pay loads all other modules that needs a valid token with the matching permissions Scenario 1: throwing a lot of requests to the module Scenario 2: Buffer overflow module with huge pay loads others to be find Target 3: URL-Scripting (abusing by using get parameters) Do requests as a logged in users and resend request without token","parameters":{"cxhtml":"

- Target 1: bring down OKAPI
  - Scenario 1a: just throwing a lot of requests to Okapi from the public net
    - on the https/http ports which are proxied
  - Scenario 1b: throwing a lot of requests to Okapi directly to port 9130
  - Scenario 2a: Buffer overflow OKAPI with huge header informations (proxied)
  - Scenario 2b: Buffer overflow OKAPI with huge header informations (direct connection)
  - others to be find
- Target 2: to bring down modules
  - possible target without okapi session: mod-login
    - Scenario 1: throwing a lot of requests to the module
    - Scenario 2: Buffer overflow module with huge pay loads
  - all other modules that needs a valid token with the matching permissions
    - Scenario 1: throwing a lot of requests to the module
    - Scenario 2: Buffer overflow module with huge pay loads
  - others to be find
- Target 3: URL-Scripting (abusing by using get parameters)
  - Do requests as a logged in users and resend request without token

","nestedContent":{"type":"doc","content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Target 1: bring down OKAPI","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Scenario 1a: just throwing a lot of requests to Okapi from the public net","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"on the https/http ports which are proxied","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Scenario 1b: throwing a lot of requests to Okapi directly to port 9130","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Scenario 2a: Buffer overflow OKAPI with huge header informations (proxied)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Scenario 2b: Buffer overflow OKAPI with huge header informations (direct connection)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"others to be find","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Target 2: to bring down modules","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"possible target without okapi session: mod-login","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Scenario 1: throwing a lot of requests to the module","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Scenario 2: Buffer overflow module with huge pay loads","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"all other modules that needs a valid token with the matching permissions","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Scenario 1: throwing a lot of requests to the module","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Scenario 2: Buffer overflow module with huge pay loads","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"others to be find","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Target 3: URL-Scripting (abusing by using get parameters)","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Do requests as a logged in users and resend request without token","type":"text"}]}]}]}]}]}]}]}],"version":1},"reason":"multi-level-list-indentation"}}},{"type":"paragraph"},{"type":"heading","attrs":{"level":2},"content":[{"text":"Scripts and Tools","type":"text"}]},{"type":"paragraph","content":[{"text":"https://schemathesis.readthedocs.io/en/stable/","type":"text","marks":[{"type":"link","attrs":{"href":"https://schemathesis.readthedocs.io/en/stable/"}}]}]}],"version":1}

Test cases & and Test-Scripts/Tools

Cases

Scripts and Tools