ale/activitypub-security-poc
0
Fork 0
Código Incidencias Pull Requests Acciones Paquetes Proyectos Lanzamientos Wiki Actividad
Files
9bf87efb7950a0cb571dc1585ff91ca1c58e2c28
activitypub-security-poc/PROJECT_SUMMARY.md
ale 9bf87efb79 initial commit 
Signed-off-by: ale <ale@manalejandro.com>
2025-11-16 17:20:37 +01:00

386 líneas
9.3 KiB
Markdown
Original Blame Histórico

# ActivityPub Security PoC - Project Summary
## ✅ Project Complete
A comprehensive security testing toolkit for ActivityPub protocol implementations has been successfully created.
## 📦 What Was Built
### Core Components
1. **ActivityPub Client** (`src/activitypub-client.js`)
- Full HTTP client for ActivityPub interactions
- Send activities to inbox endpoints
- Fetch from outbox endpoints
- Fetch actor profiles
- HTTP signature support (framework ready)
- JSON-LD context handling
- Activity creation helpers
2. **Security Testing Module** (`src/security-tester.js`)
- Automated vulnerability testing
- 6 test categories:
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
- Object injection & type confusion
- Signature bypass
- Authorization issues
- SQL/Command injection
- Comprehensive reporting
3. **CLI Tool** (`src/cli.js`)
- User-friendly command-line interface
- 7 main commands:
- `test-inbox` - Send activities to inbox
- `test-outbox` - Fetch from outbox
- `fetch-actor` - Get actor profiles
- `security-scan` - Run automated security tests
- `craft` - Create custom activities
- `mock-server` - Start mock server
- `interactive` - Interactive mode (planned)
4. **Mock Server** (`src/mock-server.js`)
- Fully functional ActivityPub server simulation
- Complete endpoint implementation:
- WebFinger (/.well-known/webfinger)
- Actor profiles (/users/:username)
- Inbox (/users/:username/inbox)
- Outbox (/users/:username/outbox)
- Followers/Following collections
- Shared inbox
- Real-time security detection
- Activity validation
- Detailed logging
### Documentation
1. **README.md** - Project overview and quick start
2. **QUICKSTART.md** - Command reference and common use cases
3. **examples/USAGE.md** - Comprehensive usage guide with examples
4. **docs/SECURITY_TESTING.md** - Security testing methodology
5. **docs/ARCHITECTURE.md** - Technical architecture documentation
### Example Payloads
- `examples/create-note.json` - Basic Create activity
- `examples/follow.json` - Follow activity
- `examples/xss-payload.json` - XSS test vectors
- `examples/ssrf-payload.json` - SSRF test vectors
### Testing
- `test.sh` - Automated test script demonstrating all features
## 🎯 Key Features
### Security Testing Capabilities
- **XSS Detection**: 7+ different XSS vectors including script tags, event handlers, JavaScript protocols
- **SSRF Detection**: Tests for internal network access, cloud metadata, file protocols
- **Injection Testing**: SQL injection, command injection, prototype pollution
- **Authorization Testing**: Actor impersonation, unauthorized actions
- **Comprehensive Reporting**: Colored console output, JSON export, detailed logs
### Mock Server Features
- **Real-time Detection**: Identifies security issues as they arrive
- **Multiple Users**: Pre-configured alice and bob accounts
- **Full Protocol Support**: Implements ActivityPub spec endpoints
- **Educational**: Shows both vulnerable and secure patterns
### Clean Code Practices
- Modular architecture with separation of concerns
- Comprehensive error handling
- Async/await throughout
- Well-commented code
- Consistent coding style
- Reusable components
## 🚀 How to Use
### Quick Start
```bash
# Install dependencies
cd activitypub-security-poc
npm install
# Start mock server (Terminal 1)
npm run mock-server
# Test it (Terminal 2)
node src/cli.js fetch-actor --target http://localhost:3000/users/alice
# Send a test activity
node src/cli.js test-inbox \
--target http://localhost:3000/users/alice/inbox \
--content "Hello from security PoC!"
# Run security scan
node src/cli.js security-scan \
--target http://localhost:3000/users/alice/inbox
```
### Run Automated Test Suite
```bash
./test.sh
```
## 📊 What You Can Test
### Against Mock Server (Safe)
- Test all security vectors
- Learn ActivityPub protocol
- Develop secure implementations
- Training and education
### Against Your Own Instance (Authorized)
- Validate security controls
- Test inbox processing
- Verify signature requirements
- Check content sanitization
### Against Third-Party Instances (With Permission Only)
- Security audits
- Penetration testing
- Vulnerability research
- Responsible disclosure
## 🛡️ Security Tests Included
### 1. Cross-Site Scripting (XSS)
Tests if user content is properly escaped:
- `<script>alert('XSS')</script>`
- `<img src=x onerror=alert('XSS')>`
- `javascript:alert('XSS')`
- SVG-based XSS
- Event handler injection
### 2. Server-Side Request Forgery (SSRF)
Tests URL validation in:
- Image URLs
- Object IDs
- Profile URLs
- Link previews
Targets:
- Internal IPs (localhost, 127.0.0.1)
- Cloud metadata (169.254.169.254)
- File protocols (file://)
### 3. Object Injection
Tests JSON validation:
- Multiple type values
- Missing required fields
- Prototype pollution (`__proto__`)
- Constructor manipulation
### 4. Signature Bypass
Tests authentication:
- Missing signatures
- Invalid signatures
- Forged signatures
### 5. Authorization
Tests access control:
- Actor impersonation
- Unauthorized deletions
- Cross-account access
### 6. Injection Attacks
Tests input sanitization:
- SQL injection patterns
- Command injection
- Template injection
## 📈 Example Output
### Security Scan Results
```
============================================================
SECURITY TEST REPORT
============================================================
Target: http://localhost:3000/users/alice/inbox
Timestamp: 2025-11-16T...
============================================================
XSS:
------------------------------------------------------------
❌ VULNERABLE - XSS: <script>alert("XSS")</script>
❌ VULNERABLE - XSS: <img src=x onerror=alert("XSS")>
✅ SAFE - XSS: javascript:alert("XSS")
SSRF:
------------------------------------------------------------
🚨 VULNERABLE - SSRF: http://localhost:8080
🚨 VULNERABLE - SSRF: http://169.254.169.254/latest/meta-data/
============================================================
SUMMARY: 4/15 potential vulnerabilities found
============================================================
```
### Mock Server Detection
```
📥 Received activity for alice:
{
"type": "Create",
"object": {
"type": "Note",
"content": "<script>alert('XSS')</script>"
}
}
🚨 Security issues detected:
- Potential XSS detected: <script>alert('XSS')</script>
```
## 🎓 Educational Value
This toolkit demonstrates:
- **ActivityPub Protocol**: Complete implementation of core endpoints
- **HTTP Signatures**: Framework for signing and verification
- **JSON-LD**: Proper context handling
- **Security Best Practices**: Input validation, sanitization, access control
- **Testing Methodology**: Systematic security testing approach
- **Clean Architecture**: Modular, maintainable code structure
## 🔧 Extensibility
Easy to extend:
### Add New Security Tests
```javascript
// In security-tester.js
async testNewVulnerability(inboxUrl) {
// Your test logic
}
```
### Add New CLI Commands
```javascript
// In cli.js
program
.command('new-command')
.action(async (options) => {
// Your command logic
});
```
### Add Mock Server Endpoints
```javascript
// In mock-server.js
async handleNewEndpoint(req, res, path) {
// Your endpoint logic
}
```
## 📚 Documentation Structure
- **README.md** - Start here
- **QUICKSTART.md** - Command reference
- **examples/USAGE.md** - Detailed examples
- **docs/SECURITY_TESTING.md** - Testing methodology
- **docs/ARCHITECTURE.md** - Technical details
## ⚠️ Important Disclaimers
### Legal
- For authorized testing only
- Obtain permission before testing third-party systems
- Comply with computer fraud and abuse laws
- Respect responsible disclosure guidelines
### Ethical
- Do not exploit vulnerabilities
- Do not disrupt services
- Do not access unauthorized data
- Report findings responsibly
## 🎯 Use Cases
### Development
- Test your ActivityPub implementation
- Validate security controls
- Learn the protocol
### Security Research
- Discover vulnerabilities
- Develop proof of concepts
- Conduct authorized penetration tests
### Education
- Teach ActivityPub security
- Demonstrate attack vectors
- Show defensive techniques
## 🚦 Project Status
**Complete and Functional**
All core features implemented:
- ✅ ActivityPub client
- ✅ Security testing module
- ✅ CLI interface
- ✅ Mock server
- ✅ Example payloads
- ✅ Comprehensive documentation
- ✅ Test script
## 🔮 Future Enhancements
Potential additions:
1. Full HTTP signature implementation with RSA keys
2. WebFinger testing
3. Media upload testing
4. Rate limiting tests
5. Interactive wizard mode
6. HTML report generation
7. CI/CD integration examples
8. More payload variations
## 📞 Next Steps
1. **Explore**: Run `./test.sh` to see it in action
2. **Learn**: Read the documentation
3. **Test**: Start the mock server and experiment
4. **Extend**: Add your own tests
5. **Contribute**: Enhance the toolkit
## 🎉 Summary
A professional-grade security testing toolkit for ActivityPub with:
- **Clean, modular code**
- **Comprehensive testing coverage**
- **Real mock server**
- **Detailed documentation**
- **Easy to use and extend**
- **Educational value**
- **Production-ready structure**
Perfect for security testers, developers, and researchers working with ActivityPub and the Fediverse!
Referencia en una nueva incidencia Ver la culpa de Git Copiar Permalink