bajax on Nostr: Nekobit Here's what I've got so far: 1 Pleroma accepts javascript documents as media ...
Nekobit (npub1q3k…q3wu) Here's what I've got so far:
1. Pleroma accepts JavaScript documents as media attachments to posts; this allows an attacker to upload code and bypass XSS protections (this technically isn't even an XSS attack, it's literally a script from the same domain).
2. ???How does that attachment run on clients??? (Shouldn't Pleroma be stripping out script tags from posts? Does Pleroma just RUN scripts attached as media or something?)
3. The payload gets the user's auth token and cons Pleroma into sending it to a mostr relay they control. They do this by encoding the auth token as the user ID and then doing a user lookup; since the host server doesn't have that info, it does a remote request for it. The user on the mostr relay obviously doesn't have to exist; Pleroma just blindly forwards the request.
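The mitigation for point 1 is an allowlist on upload types plus download-only headers when serving attachments. This is an added illustration, not Pleroma's code: a hypothetical `validate_attachment` / `download_headers` pair with a constructed allowlist.

```python
import mimetypes

# Constructed allowlist of media types a fediverse server would normally
# accept as post attachments (images, audio, video). Script and markup
# types are intentionally absent, so a .js upload is refused outright.
ALLOWED_MEDIA_TYPES = {
    "image/png", "image/jpeg", "image/gif", "image/webp",
    "audio/mpeg", "audio/ogg", "video/mp4", "video/webm",
}

# Types that must never be served from the main origin as an attachment,
# whatever the client declared, because a browser could execute or render
# them with the site's own cookies and local storage (the point 1 problem).
ACTIVE_CONTENT_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/html", "application/xhtml+xml", "image/svg+xml",
}

def sniff_type(filename: str, declared: str) -> str:
    """Return the type to enforce: the declared type unless the file
    extension maps to active content, in which case the extension wins
    (the uploader controls the declared type, not what .js means)."""
    guessed, _ = mimetypes.guess_type(filename)
    if guessed in ACTIVE_CONTENT_TYPES:
        return guessed
    return declared.split(";")[0].strip().lower()

def validate_attachment(filename: str, declared_type: str) -> tuple[bool, str]:
    """Allowlist check for a media upload. Returns (accepted, reason)."""
    effective = sniff_type(filename, declared_type)
    if effective in ACTIVE_CONTENT_TYPES:
        return False, f"active content type refused: {effective}"
    if effective not in ALLOWED_MEDIA_TYPES:
        return False, f"type not on media allowlist: {effective}"
    return True, "ok"

def download_headers(effective_type: str) -> dict:
    """Headers for serving an accepted upload: force download, forbid MIME
    sniffing, and neutralise any script if the file is rendered anyway."""
    return {
        "Content-Type": effective_type,
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
```

Serving uploads from a separate origin (a dedicated media domain) removes the same-domain script problem entirely, and these checks then act as defence in depth.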