mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-24 08:57:03 -05:00
add a sql injection threat
This commit is contained in:
parent
bad8e04c3c
commit
9633a2005a
1 changed files with 3 additions and 1 deletions
|
@ -70,10 +70,12 @@ flowchart TD
|
|||
### Actors
|
||||
|
||||
1. **Script Kiddies**: Boored teens, willing to do some illigal without deep knowlege of tech details but broad knowlege across internet discussions. Able to do some bash / python scripting.
|
||||
2. **Experienced Hacker**: Hacker with deep knowlege.
|
||||
|
||||
### Threat
|
||||
|
||||
1. Script Kiddi sends a Star Activity containing an attack target url `http://attacked.target/very/special/path` in place of actor. Our repository server sends an `get Person Actor` request to this url. The attacked target gets DenialdOffServices. We loose CPU & reputation.
|
||||
1. Script Kiddi sends a Star Activity containing an attack actor url `http://attacked.target/very/special/path` in place of actor. Our repository server sends an `get Person Actor` request to this url. The attacked target gets DenialdOffServices. We loose CPU & reputation.
|
||||
2. Experienced hacker sends a Star Activity containing an actor url pointing to an evil forgejo instance. Our repository server sends an `get Person Actor` request to this instance and get a person having sth. like `; drop database;` in its name. If our server tries to create a new user out of this persion, the db might be droped.
|
||||
|
||||
### DREAD-Score
|
||||
|
||||
|
|
Loading…
Reference in a new issue