ActivityPub Security PoC
A comprehensive security testing toolkit for ActivityPub protocol implementations.
Features
- 🔍 Security Testing: Test common vulnerabilities in ActivityPub implementations
- 🌐 Remote Testing: Probe outbox and inbox endpoints across instances
- 🎭 Mock Server: Simulated ActivityPub server for controlled testing
- 📝 JSON-LD Support: Full ActivityPub JSON-LD context handling
- 🔐 HTTP Signatures: Test signature verification and authentication
- 🛡️ Injection Testing: XSS, SSRF, and object injection tests
Installation
```bash
npm install
```
Usage
CLI Commands
```bash
# Test an inbox endpoint
node src/cli.js test-inbox --target https://instance.example/users/alice/inbox --payload ./payloads/note.json

# Test an outbox endpoint
node src/cli.js test-outbox --target https://instance.example/users/alice/outbox

# Run security scans
node src/cli.js security-scan --target https://instance.example --tests xss,ssrf,injection

# Start mock server
node src/cli.js mock-server --port 3000

# Craft custom activity
node src/cli.js craft --type Create --object Note --content "Test message"
```
Mock Server
```bash
npm run mock-server
```
The mock server provides:
- `/users/:username` - Actor endpoints
- `/users/:username/inbox` - Inbox endpoint
- `/users/:username/outbox` - Outbox endpoint
- `/.well-known/webfinger` - WebFinger endpoint
Security Tests
1. XSS Testing: Tests for Cross-Site Scripting in content fields, i.e. whether HTML in a Note's content is rendered without sanitization.
2. SSRF Testing: Tests for Server-Side Request Forgery via attacker-supplied URLs that the server dereferences (object ids, attachments, replies).
3. Object Injection: Tests for improper validation of object types, where an unexpected object type is accepted and processed.
4. Signature Bypass: Tests for weaknesses in HTTP Signature verification, such as signatures that do not cover the request target or body.
5. Authorization Issues: Tests for improper access control on private activities.
Examples
See the examples/ directory for sample payloads and test scenarios.
Disclaimer
This tool is for authorized security testing only. Always obtain permission before testing third-party systems.