ale/activitypub-security-poc
0
Fork 0
Código Incidencias Pull Requests Acciones Paquetes Proyectos Lanzamientos Wiki Actividad

initial commit

Explorar el Código 
Signed-off-by: ale <ale@manalejandro.com>
Este commit está contenido en:
ale
2025-11-16 17:20:37 +01:00
commit 9bf87efb79
Se han modificado 18 ficheros con 3435 adiciones y 0 borrados
Descargar archivo de parche Descargar archivo de diferencias Expandir todos los archivos Contraer todos los archivos

76
README.md Archivo normal
Ver fichero

@@ -0,0 +1,76 @@
# ActivityPub Security PoC
A comprehensive security testing toolkit for ActivityPub protocol implementations.
## Features
- 🔍 **Security Testing**: Test common vulnerabilities in ActivityPub implementations
- 🌐 **Remote Testing**: Probe outbox and inbox endpoints across instances
- 🎭 **Mock Server**: Simulated ActivityPub server for controlled testing
- 📝 **JSON-LD Support**: Full ActivityPub JSON-LD context handling
- 🔐 **HTTP Signatures**: Test signature verification and authentication
- 🛡️ **Injection Testing**: XSS, SSRF, and object injection tests
## Installation
```bash
npm install
```
## Usage
### CLI Commands
```bash
# Test an inbox endpoint
node src/cli.js test-inbox --target https://instance.example/users/alice/inbox --payload ./payloads/note.json
# Test an outbox endpoint
node src/cli.js test-outbox --target https://instance.example/users/alice/outbox
# Run security scans
node src/cli.js security-scan --target https://instance.example --tests xss,ssrf,injection
# Start mock server
node src/cli.js mock-server --port 3000
# Craft custom activity
node src/cli.js craft --type Create --object Note --content "Test message"
```
### Mock Server
```bash
npm run mock-server
```
The mock server provides:
- `/users/:username` - Actor endpoints
- `/users/:username/inbox` - Inbox endpoint
- `/users/:username/outbox` - Outbox endpoint
- `/.well-known/webfinger` - WebFinger endpoint
## Security Tests
### 1. XSS Testing
Tests for Cross-Site Scripting vulnerabilities in content fields.
### 2. SSRF Testing
Tests Server-Side Request Forgery via malicious URLs.
### 3. Object Injection
Tests for improper object type validation.
### 4. Signature Bypass
Tests HTTP signature verification weaknesses.
### 5. Authorization Issues
Tests for improper access control on private activities.
## Examples
See the `examples/` directory for sample payloads and test scenarios.
## Disclaimer
This tool is for authorized security testing only. Always obtain permission before testing third-party systems.