[Security] [jdev] Spoofing of iq ids and misbehaving servers

Mark Doliner mark at kingant.net
Sat Feb 1 19:41:45 UTC 2014


On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <holler at ahsoftware.de> wrote:
> Thijs Alkemade didn't wrote that an already broken server is necessary to
> explore or do something malicious with "delaying" replies or whatever.

An already broken server is NOT necessary. The IQ from malicious user
to target user might look like this:
<iq to="target at domain.lit/Resource" id="someid123" type="result">
    <query xmlns="jabber:iq:roster">
        <item jid="whatever at example.com" subscription="both" />
    </query>
</iq>


More information about the Security mailing list