[jdev] [Security] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Sun Feb 2 01:20:35 UTC 2014

Am 01.02.2014 20:41, schrieb Mark Doliner:
> On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <holler at ahsoftware.de> wrote:
>> Thijs Alkemade didn't wrote that an already broken server is necessary to
>> explore or do something malicious with "delaying" replies or whatever.
> An already broken server is NOT necessary. The IQ from malicious user
> to target user might look like this:
> <iq to="target at domain.lit/Resource" id="someid123" type="result">
>     <query xmlns="jabber:iq:roster">
>         <item jid="whatever at example.com" subscription="both" />
>     </query>
> </iq>

This is would end up as a reply from the one who send that stanza. So
already a wrong sender. If a client doesn't check that, it's as broken
as a server which doesn't validate the 'from' attribute. What should be
that talk about a spoofed ID or random IDs if clients are already unable
to check the sender?

Anyway, have fun.

Alexander Holler

More information about the JDev mailing list