ale/activitypub-security-poc
0
Fork 0
Código Incidencias Pull Requests Acciones Paquetes Proyectos Lanzamientos Wiki Actividad
Files
master
activitypub-security-poc/docs/SECURITY_TESTING.md
ale 9bf87efb79 initial commit 
Signed-off-by: ale <ale@manalejandro.com>
2025-11-16 17:20:37 +01:00

346 líneas
8.3 KiB
Markdown
Original Enlace permanente Blame Histórico

# Security Testing Guide
## Overview
This document outlines the security testing methodology and test cases for ActivityPub implementations.
## Security Test Categories
### 1. Cross-Site Scripting (XSS)
**Objective**: Identify if user-supplied content is properly sanitized before display.
**Test Cases**:
- Script tag injection: `<script>alert('XSS')</script>`
- Event handler injection: `<img src=x onerror=alert('XSS')>`
- JavaScript protocol: `javascript:alert('XSS')`
- SVG-based XSS: `<svg/onload=alert('XSS')>`
- Encoded payloads: `&#60;script&#62;alert('XSS')&#60;/script&#62;`
**Vulnerable Scenarios**:
- Content rendered without HTML escaping
- Markdown/rich text processing vulnerabilities
- URL handling in attachment previews
### 2. Server-Side Request Forgery (SSRF)
**Objective**: Test if the server can be tricked into making requests to internal resources.
**Test Cases**:
- Internal network: `http://localhost:8080`, `http://127.0.0.1`
- Cloud metadata: `http://169.254.169.254/latest/meta-data/`
- IPv6 localhost: `http://[::1]:8080`
- File protocol: `file:///etc/passwd`
- DNS rebinding attacks
**Vulnerable Scenarios**:
- Fetching remote avatars/images without validation
- Link previews/unfurling
- WebFinger lookups without URL validation
### 3. Object Injection & Type Confusion
**Objective**: Test object validation and type handling.
**Test Cases**:
- Multiple type values: `"type": ["Note", "Delete"]`
- Missing required fields
- Prototype pollution: `__proto__` injection
- Constructor manipulation
- Unexpected nested objects
**Vulnerable Scenarios**:
- Weak JSON schema validation
- Dynamic property assignment
- Type coercion vulnerabilities
### 4. Authentication & Authorization
**Objective**: Verify proper access controls and signature verification.
**Test Cases**:
- Missing HTTP signatures
- Invalid/forged signatures
- Actor impersonation
- Unauthorized deletions
- Private content access
- Relay poisoning
**Vulnerable Scenarios**:
- Weak signature verification
- Missing authorization checks
- Confused deputy attacks
### 5. Injection Attacks
**Objective**: Test for command and SQL injection vulnerabilities.
**Test Cases**:
- SQL injection: `' OR '1'='1`, `'; DROP TABLE--`
- Command injection: `; ls -la`, `| whoami`, `$(uname -a)`
- LDAP injection
- Template injection
- Path traversal: `../../etc/passwd`
**Vulnerable Scenarios**:
- Direct database queries with user input
- System command execution
- Template rendering with user content
### 6. Denial of Service (DoS)
**Objective**: Test resilience against resource exhaustion.
**Test Cases**:
- Large payloads (MB-sized JSON)
- Deeply nested objects
- Circular references
- Excessive followers/following counts
- Rapid activity submission
**Vulnerable Scenarios**:
- No rate limiting
- Unbounded resource allocation
- Inefficient parsing
## Testing Methodology
### 1. Reconnaissance
```bash
# Fetch actor profile
node src/cli.js fetch-actor --target https://target.example/users/alice
# Check outbox
node src/cli.js test-outbox --target https://target.example/users/alice/outbox
```
### 2. Baseline Testing
```bash
# Send valid activity
node src/cli.js test-inbox \
--target https://target.example/users/alice/inbox \
--payload examples/create-note.json
```
### 3. Automated Security Scan
```bash
# Run all tests
node src/cli.js security-scan \
--target https://target.example/users/alice/inbox \
--output scan-results.json
```
### 4. Manual Payload Testing
```bash
# Test specific vulnerability
node src/cli.js test-inbox \
--target https://target.example/users/alice/inbox \
--payload examples/xss-payload.json
```
### 5. Analysis
Review logs, responses, and behavior:
- HTTP status codes
- Error messages
- Server-side rendering
- Database queries
- Network traffic
## Responsible Disclosure
If you discover a vulnerability:
1. **Do not exploit** beyond proof-of-concept
2. **Document** the issue thoroughly
3. **Report privately** to the maintainers
4. **Allow time** for fixes (typically 90 days)
5. **Coordinate** public disclosure
## Common Vulnerabilities in ActivityPub
### 1. Inadequate Input Validation
```javascript
// Vulnerable
app.post('/inbox', (req, res) => {
const activity = req.body;
db.query(`INSERT INTO activities VALUES ('${activity.id}')`); // SQL injection
});
// Secure
app.post('/inbox', (req, res) => {
const activity = req.body;
if (!validateActivitySchema(activity)) {
return res.status(400).send('Invalid activity');
}
db.query('INSERT INTO activities VALUES (?)', [activity.id]);
});
```
### 2. Missing Signature Verification
```javascript
// Vulnerable
app.post('/inbox', (req, res) => {
// No signature check
processActivity(req.body);
});
// Secure
app.post('/inbox', async (req, res) => {
if (!await verifyHTTPSignature(req)) {
return res.status(401).send('Invalid signature');
}
processActivity(req.body);
});
```
### 3. SSRF in Media Fetching
```javascript
// Vulnerable
async function fetchAvatar(url) {
return await fetch(url); // No URL validation
}
// Secure
async function fetchAvatar(url) {
const parsed = new URL(url);
// Block internal IPs
if (isInternalIP(parsed.hostname)) {
throw new Error('Invalid URL');
}
// Only allow http/https
if (!['http:', 'https:'].includes(parsed.protocol)) {
throw new Error('Invalid protocol');
}
return await fetch(url, { redirect: 'manual' });
}
```
### 4. Unescaped Content Rendering
```javascript
// Vulnerable
function renderNote(note) {
return `<div>${note.content}</div>`; // XSS
}
// Secure
function renderNote(note) {
const escaped = escapeHtml(note.content);
return `<div>${escaped}</div>`;
}
```
## Security Checklist
- [ ] HTTP signatures verified on all inbox POST requests
- [ ] Actor URLs validated (no internal IPs, valid protocols)
- [ ] Content sanitized before display (HTML escaping)
- [ ] Rate limiting on endpoints
- [ ] JSON schema validation
- [ ] Authorization checks on Delete/Update activities
- [ ] SSRF protection on media fetching
- [ ] Proper error handling (no sensitive info in errors)
- [ ] CSRF protection
- [ ] Content Security Policy headers
- [ ] Input size limits
- [ ] Secure session management
## Tools & Resources
### Testing Tools
- This ActivityPub Security PoC
- Burp Suite
- OWASP ZAP
- curl/httpie
### References
- [ActivityPub Specification](https://www.w3.org/TR/activitypub/)
- [HTTP Signatures](https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures)
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Fediverse Security Best Practices](https://github.com/w3c/activitypub/issues/367)
## Reporting Format
When reporting issues, include:
1. **Title**: Brief description
2. **Severity**: Critical/High/Medium/Low
3. **Description**: What the vulnerability is
4. **Steps to Reproduce**: Detailed reproduction steps
5. **Impact**: What an attacker could do
6. **Proof of Concept**: Code/payload demonstrating the issue
7. **Remediation**: Suggested fix
8. **References**: Related CVEs, articles
### Example Report
```markdown
## XSS in Note Content
**Severity**: High
**Description**: User-supplied content in Note objects is rendered without HTML escaping, allowing arbitrary JavaScript execution.
**Steps to Reproduce**:
1. Send Create activity with XSS payload in content field
2. View the note in web interface
3. Observe JavaScript execution
**Impact**: Account takeover, data theft, malware distribution
**Proof of Concept**:
```json
{
"type": "Create",
"object": {
"type": "Note",
"content": "<script>alert(document.cookie)</script>"
}
}
```
**Remediation**: Implement HTML escaping for all user content before rendering.
```
## Legal Considerations
- Only test systems you own or have explicit permission to test
- Comply with computer fraud and abuse laws
- Respect bug bounty program terms
- Obtain written authorization for penetration testing
- Don't disrupt services or access private data
## Continuous Testing
Integrate security testing into CI/CD:
```yaml
# .github/workflows/security-test.yml
name: Security Tests
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run security scan
run: |
cd activitypub-security-poc
npm install
npm run mock-server &
sleep 5
node src/cli.js security-scan --target http://localhost:3000/users/alice/inbox
```
Referencia en una nueva incidencia Ver la culpa de Git Copiar Permalink