# ActivityPub Security PoC

A comprehensive security testing toolkit for ActivityPub protocol implementations.

## Features

- 🔍 **Security Testing**: Test common vulnerabilities in ActivityPub implementations
- 🌐 **Remote Testing**: Probe outbox and inbox endpoints across instances
- 🎭 **Mock Server**: Simulated ActivityPub server for controlled testing
- 📝 **JSON-LD Support**: Full ActivityPub JSON-LD context handling
- 🔐 **HTTP Signatures**: Test signature verification and authentication
- 🛡️ **Injection Testing**: XSS, SSRF, and object injection tests

## Installation

```bash
npm install
```

## Usage

### CLI Commands

```bash
# Test an inbox endpoint
node src/cli.js test-inbox --target https://instance.example/users/alice/inbox --payload ./payloads/note.json

# Test an outbox endpoint
node src/cli.js test-outbox --target https://instance.example/users/alice/outbox

# Run security scans
node src/cli.js security-scan --target https://instance.example --tests xss,ssrf,injection

# Start mock server
node src/cli.js mock-server --port 3000

# Craft custom activity
node src/cli.js craft --type Create --object Note --content "Test message"
```

### Mock Server

```bash
npm run mock-server
```

The mock server provides:

- `/users/:username` - Actor endpoints
- `/users/:username/inbox` - Inbox endpoint
- `/users/:username/outbox` - Outbox endpoint
- `/.well-known/webfinger` - WebFinger endpoint

## Security Tests

### 1. XSS Testing

Tests for Cross-Site Scripting vulnerabilities in content fields.

### 2. SSRF Testing

Tests for Server-Side Request Forgery via malicious URLs.

### 3. Object Injection

Tests for improper object type validation.

### 4. Signature Bypass

Tests for HTTP signature verification weaknesses.

### 5. Authorization Issues

Tests for improper access control on private activities.

## Examples

See the `examples/` directory for sample payloads and test scenarios.

## Disclaimer

This tool is for authorized security testing only.
Always obtain permission before testing third-party systems.