Alex Gleason on Nostr: Can you explain the actual attack surface tho Webfinger can sometimes be in XML ...
Can you explain the actual attack surface tho
Webfinger can sometimes be in XML format instead of JSON, and the server will parse it. But I don't see how the results could be rendered to the attacker.
Published at 2023-08-05 14:52:29

Event JSON
{
  "id": "042899a784a60e1f24f2fbdd6b0eece7fd96a7c8bc39489b4104f17234a5b99a",
  "pubkey": "79c2cae114ea28a981e7559b4fe7854a473521a8d22a66bbab9fa248eb820ff6",
  "created_at": 1691247149,
  "kind": 1,
  "tags": [
    [
      "p",
      "8757127d57629a9a1b7c04bd443049db086850d1d33bc1964e6485992cde22af",
      "wss://relay.mostr.pub"
    ],
    [
      "p",
      "79c4b3e2b1e7d8d74fa652cdc1dee37f9cd08fefdc13a79f8d1146c0b69fd1fb",
      "wss://relay.mostr.pub"
    ],
    [
      "e",
      "e14e18d5b0ff983a6cbaa03fef1b7eebe44d1d6331a7d6f4fb05fad5ed9d5f48",
      "wss://relay.mostr.pub",
      "reply"
    ],
    [
      "proxy",
      "https://gleasonator.com/objects/3f74ffae-4e0c-4d86-8b7f-fe7c13d41bcb",
      "activitypub"
    ]
  ],
  "content": "Can you explain the actual attack surface tho\n\nWebfinger can sometimes be in XML format instead of JSON, and the server will parse it. But I don't see how the results could be rendered to the attacker.",
  "sig": "7f06b884ae3cde99f7c66c99cf644dbb0be79aecc2150c2da6152994a791e17c585678af0237f9bc02a07e4dda7f9d7e201c22f488e3123d28b9aa3df14919bd"
}