Can you explain the actual attack surface tho
Webfinger can sometimes be in XML format instead of JSON, and the server will parse it. But I don't see how the results could be rendered to the attacker.
Alex Gleason /
npub108…uyev6
2023-08-05 14:52:29
in reply to nevent1q…zepp
Author Public Key
npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6Seen on
wss://relay.noswhere.comPublished at
2023-08-05 14:52:29Event JSON
{
"id": "042899a784a60e1f24f2fbdd6b0eece7fd96a7c8bc39489b4104f17234a5b99a",
"pubkey": "79c2cae114ea28a981e7559b4fe7854a473521a8d22a66bbab9fa248eb820ff6",
"created_at": 1691247149,
"kind": 1,
"tags": [
[
"p",
"8757127d57629a9a1b7c04bd443049db086850d1d33bc1964e6485992cde22af",
"wss://relay.mostr.pub"
],
[
"p",
"79c4b3e2b1e7d8d74fa652cdc1dee37f9cd08fefdc13a79f8d1146c0b69fd1fb",
"wss://relay.mostr.pub"
],
[
"e",
"e14e18d5b0ff983a6cbaa03fef1b7eebe44d1d6331a7d6f4fb05fad5ed9d5f48",
"wss://relay.mostr.pub",
"reply"
],
[
"proxy",
"https://gleasonator.com/objects/3f74ffae-4e0c-4d86-8b7f-fe7c13d41bcb",
"activitypub"
]
],
"content": "Can you explain the actual attack surface tho\n\nWebfinger can sometimes be in XML format instead of JSON, and the server will parse it. But I don't see how the results could be rendered to the attacker.",
"sig": "7f06b884ae3cde99f7c66c99cf644dbb0be79aecc2150c2da6152994a791e17c585678af0237f9bc02a07e4dda7f9d7e201c22f488e3123d28b9aa3df14919bd"
}