[jdev] [Security] Spoofing of iq ids and misbehaving servers
Mark Doliner
mark at kingant.net
Sat Feb 1 19:41:45 UTC 2014
On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <holler at ahsoftware.de> wrote:
> Thijs Alkemade didn't write that an already broken server is necessary to
> explore or do something malicious with "delaying" replies or whatever.
An already broken server is NOT necessary. The IQ from a malicious user
to the target user might look like this:
<iq to="target at domain.lit/Resource" id="someid123" type="result">
  <query xmlns="jabber:iq:roster">
    <item jid="whatever at example.com" subscription="both" />
  </query>
</iq>
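The defence against the stanza above is on the receiving client: a reply is only trusted if its id matches an outstanding request and its sender is one the request could legitimately be answered by. The following check is an added example, not code from the thread or from any XMPP library; the JIDs, stanzas and the pending-request table are constructed, and the sender rule relies on RFC 6120 treating a stanza with no 'from' as coming from the user's own server.

```python
# Added example, not from the thread: filter inbound <iq/> replies by id AND
# by sender before handing them to a handler such as the roster code.
# All JIDs and stanzas below are constructed for illustration.
import secrets
import xml.etree.ElementTree as ET

OWN_BARE_JID = "target@domain.lit"          # constructed
OWN_SERVER = "domain.lit"                   # constructed
# A roster get is addressed to our own server, so a genuine reply carries no
# 'from' (RFC 6120: that means "from the server") or our server/bare JID.
ROSTER_REPLY_SENDERS = {None, OWN_SERVER, OWN_BARE_JID}

def new_request_id() -> str:
    """Unguessable id, so a third party cannot pre-build a matching reply."""
    return secrets.token_urlsafe(16)

def check_iq_reply(stanza: str, pending: dict) -> str:
    """Return 'accept' or a reason; pending maps id -> set of allowed senders."""
    iq = ET.fromstring(stanza)
    if iq.tag != "iq" or iq.get("type") not in ("result", "error"):
        return "ignore: not an iq reply"
    iq_id = iq.get("id")
    if iq_id not in pending:
        return "reject: no outstanding request with this id"
    if iq.get("from") not in pending[iq_id]:
        return "reject: sender does not match the request"
    del pending[iq_id]                      # a request gets exactly one reply
    return "accept"

# What the target client actually receives: the sending server has stamped
# the real sender into 'from'; only the id was guessed (constructed).
SPOOFED = """<iq from="mallory@example.com/pc" to="target@domain.lit/Resource"
  id="someid123" type="result">
  <query xmlns="jabber:iq:roster">
    <item jid="whatever@example.com" subscription="both"/>
  </query></iq>"""

# Genuine roster result from our own server for the same id (constructed).
GENUINE = """<iq to="target@domain.lit/Resource" id="someid123" type="result">
  <query xmlns="jabber:iq:roster">
    <item jid="friend@example.com" subscription="both"/>
  </query></iq>"""

def demo():
    pending = {"someid123": ROSTER_REPLY_SENDERS}
    return (check_iq_reply(SPOOFED, dict(pending)),
            check_iq_reply(GENUINE, dict(pending)))
```

With a random id from new_request_id() the attacker also loses the ability to guess "someid123" in the first place; the sender check covers the case where the id leaks anyway.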