@joeyh posted about two security vulnerabilities he uncovered http://joeyh.name/blog/entry/two_security_holes_and_a_new_library/
Notably the ActivityPub appendix warns about these kinds of security vulnerabilities: don't fetch from URI schemes you don't know (be sure your http lib doesn't accept file://) and don't fetch from localhost (though sadly it's hard not to do this one... "localhost-only" is mostly doomed).
But Joey's post also points out that even if you filter out the scheme and localhost yourself, redirects may bite you.
@cwebber localhost-only is not good enough, and the full IP blacklist is quite hard (especially considering IPv6, 4-in-6 etc).
Remember the guy who made his garage door respond to GET requests...
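As an added example (not code from either post, nor from the ActivityPub spec), here is what the three defences discussed above look like when written out as one fetch guard: reject any scheme other than http/https, resolve the host and refuse loopback, private and other non-global addresses (unwrapping IPv4-mapped and 6to4 addresses so "4-in-6" forms get the IPv4 rules), and follow redirects one hop at a time so every hop passes through the same check. The resolver and the single-request fetcher are pluggable; the FAKE_DNS and FAKE_SITES tables, the hostnames in them and the address 93.184.216.34 are constructed test fixtures, not real mappings, so the block runs offline.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


class UnsafeURL(ValueError):
    """Raised when a URL (or a redirect target) must not be fetched."""


def unwrap_v4_in_v6(ip):
    # IPv4-mapped (::ffff:a.b.c.d) and 6to4 (2002:xxxx:xxxx::/48) addresses
    # carry an IPv4 address inside; the IPv4 rules must apply to that address.
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            return ip.ipv4_mapped
        if ip.sixtofour is not None:
            return ip.sixtofour
    return ip


def is_disallowed_address(addr: str) -> bool:
    # Anything that is not a plain, globally routable unicast address is refused.
    ip = unwrap_v4_in_v6(ipaddress.ip_address(addr))
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def default_resolver(host: str) -> List[str]:
    # Real resolver: every address the name maps to, IPv4 and IPv6 alike.
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_url(url: str, resolver=default_resolver) -> List[str]:
    """Scheme check, then address check on the literal host or every resolved address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal address: no DNS needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise UnsafeURL("%s does not resolve" % host)
    for addr in addrs:
        if is_disallowed_address(addr):
            raise UnsafeURL("%s -> %s is not a fetchable address" % (host, addr))
    return addrs


# fetch_one(url) performs exactly one request with redirects disabled and
# returns (status, Location header or None, body).
FetchOne = Callable[[str], Tuple[int, Optional[str], bytes]]


def fetch_checked(url: str, fetch_one: FetchOne, resolver=default_resolver,
                  max_redirects: int = MAX_REDIRECTS):
    """Follow redirects manually, re-checking each hop, so a public URL
    cannot bounce the fetcher onto localhost or an internal address."""
    current = url
    for _ in range(max_redirects + 1):
        check_url(current, resolver)
        status, location, body = fetch_one(current)
        if status in REDIRECT_STATUSES and location:
            current = urljoin(current, location)   # relative Location is resolved against the hop
            continue
        return current, status, body
    raise UnsafeURL("too many redirects")


# Constructed fixtures (hypothetical names and addresses) standing in for DNS and HTTP.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "evil.example": ["93.184.216.35"],
    "localhost": ["127.0.0.1", "::1"],
    "mapped.example": ["::ffff:10.0.0.5"],
}
FAKE_SITES = {
    "http://example.org/feed": (200, None, b"feed body"),
    "http://evil.example/bounce": (302, "http://127.0.0.1:8080/admin", b""),
    "http://evil.example/hop": (302, "/feed", b""),
    "http://evil.example/feed": (200, None, b"inner feed"),
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str) -> Tuple[int, Optional[str], bytes]:
    return FAKE_SITES.get(url, (404, None, b""))


def classify(url: str, resolver=fake_resolver, fetch_one=fake_fetch) -> str:
    """Human-readable verdict: 'ok: <final url> (<status>)' or 'blocked: <reason>'."""
    try:
        final_url, status, _body = fetch_checked(url, fetch_one, resolver)
    except UnsafeURL as exc:
        return "blocked: %s" % exc
    return "ok: %s (%d)" % (final_url, status)


if __name__ == "__main__":
    for u in ("http://example.org/feed", "file:///etc/passwd", "http://localhost/",
              "http://[::ffff:127.0.0.1]/", "http://mapped.example/",
              "http://evil.example/bounce", "http://evil.example/hop"):
        print(u, "=>", classify(u))
```

Two things the fake fetcher hides but a real one must get right: the HTTP library's own redirect following has to be switched off, otherwise hops never pass through check_url; and the connection should be made to the address that was actually checked rather than letting the library resolve the name a second time, since a second lookup can return a different answer.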
@joeyh once again the ocap people are right that "perimeter security is eggshell security"
(This is also why CORS is a failed security model)