ATI Update ATI-2022-21

Note: From this Strikepack onwards, the minimum BPS version required to install ATI Strikepacks is 9.22 for APS and 9.00 Update 3 (9.00.108.26) for all other platforms. If you face any issues, please reach out to the support team for assistance.

New Protocols & Applications (1)

| Name | Category | Info |
|---|---|---|
| Amazon Chime Sep22 | Voice/Video/Media | Amazon Chime is a messaging platform that is used for online meetings, chats and calls. |

New Superflows (6)

| Name | Category | Tags | Info |
|---|---|---|---|
| Amazon Chime Sep22 | Voice/Video/Media | Cloud, HTTP/2 | Simulates the use of the Amazon Chime website as of September 2022. The user opens the website, logs in, creates a chat room, sends a message, starts a meeting and logs out. |
| Amazon Chime Sep22 Video Call | Voice/Video/Media | Cloud, HTTP/2 | Simulates the use of the Amazon Chime website as of September 2022. The user opens the website, logs in, starts a meeting and logs out. |
| Amazon Chime Sep22 Chat | Voice/Video/Media | Cloud, HTTP/2 | Simulates the use of the Amazon Chime website as of September 2022. The user opens the website, logs in, sends a message and logs out. |
| HBOMax Dec 20 - HTTP/2 | Voice/Video/Media | HTTP/2 | Simulates the use of the HBOMax website as of December 2020 over HTTP/2. The user opens the website, logs in, selects a viewer profile, searches for a movie, selects a movie, plays the movie, pauses the movie, resumes the movie and logs out. |
| HBOMax Dec 20 Browse Movies - HTTP/2 | Voice/Video/Media | HTTP/2 | Simulates the use of the HBOMax website as of December 2020 over HTTP/2. The user opens the website, logs in, selects a viewer profile, searches for a movie and logs out. |
| HBOMax Dec 20 Play Movie - HTTP/2 | Voice/Video/Media | HTTP/2 | Simulates the use of the HBOMax website as of December 2020 over HTTP/2. The user logs in to the website, selects a viewer profile, selects a movie and plays the movie. |

New Strikes (2)

| CVSS | ID | References | Category | Info |
|---|---|---|---|---|
| 7.5 | E22-ed4g1 | CVE-2022-24112, CVSS, CVSSv3, CWE-290, URL | Exploits | This strike exploits an authentication weakness vulnerability in Apache APISIX. The vulnerability is due to insufficient validation of client requests at the vulnerable API endpoint "/apisix/admin/batch-requests". A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the vulnerable server if the batch-requests plugin is enabled and it is using the default administrator API key. Successful exploitation could lead to arbitrary code execution under the security context of the server process. *NOTE: While running this strike in OneArm mode, it creates a new endpoint/route "/poc/testing", which is visited to execute a command that creates a file called "poc" under the "/tmp" directory on the server. |
| 6.8 | E22-cjmi1 | CVE-2021-39226, CVSS, CVSSv3, CWE-287, URL | Exploits | This strike exploits an Authentication Bypass vulnerability in Grafana. The vulnerability is due to insufficient authorization on the web endpoints "/api/snapshots" and "/api/snapshots-delete". A remote, unauthenticated attacker can exploit the vulnerability by sending a request to one of the affected endpoints. Successful exploitation could result in disclosure of existing snapshots and deletion of application snapshots. *NOTE: While running this strike in OneArm mode, it sends a crafted request to the target server through which the current snapshot can be viewed and also deleted. |

Enhancements

| Component | Info |
|---|---|
| Apps | HTTP/2 tags were added to the superflows HBOMax Dec 20 and HBOMax Dec 20 Browse Movies. |