A small tool to view real-world ActivityPub objects as JSON! Enter a URL or username from Mastodon or a similar service below, and we'll send a request with the right Accept header to the server to view the underlying object.
{
"@context": [
"https://www.w3.org/ns/activitystreams",
{
"ostatus": "http://ostatus.org#",
"atomUri": "ostatus:atomUri",
"inReplyToAtomUri": "ostatus:inReplyToAtomUri",
"conversation": "ostatus:conversation",
"sensitive": "as:sensitive",
"toot": "http://joinmastodon.org/ns#",
"votersCount": "toot:votersCount",
"litepub": "http://litepub.social/ns#",
"directMessage": "litepub:directMessage",
"Hashtag": "as:Hashtag"
}
],
"id": "https://infosec.exchange/users/screaminggoat/statuses/112599138016204687",
"type": "Note",
"summary": null,
"inReplyTo": "https://infosec.exchange/users/screaminggoat/statuses/112599106666438577",
"published": "2024-06-11T17:21:35Z",
"url": "https://infosec.exchange/@screaminggoat/112599138016204687",
"attributedTo": "https://infosec.exchange/users/screaminggoat",
"to": [
"https://www.w3.org/ns/activitystreams#Public"
],
"cc": [
"https://infosec.exchange/users/screaminggoat/followers",
"https://shellsharks.social/users/shellsharks",
"https://infosec.exchange/users/dreadpir8robots"
],
"sensitive": false,
"atomUri": "https://infosec.exchange/users/screaminggoat/statuses/112599138016204687",
"inReplyToAtomUri": "https://infosec.exchange/users/screaminggoat/statuses/112599106666438577",
"conversation": "tag:infosec.exchange,2024-06-11:objectId=166832790:objectType=Conversation",
"content": "<p><a href=\"https://nvd.nist.gov/vuln/detail/CVE-2023-50868\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">CVE-2023-50868</a> (CVSSv3/4 score pending, disclosed 14 February 2024)</p><blockquote><p>The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.</p></blockquote><p>This vulnerability was actually discovered while testing mitigations for the KeyTrap vulnerability (CVE-2023-50867; cc: <span class=\"h-card\" translate=\"no\"><a href=\"https://shellsharks.social/@shellsharks\" class=\"u-url mention\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">@<span>shellsharks</span></a></span>): <a href=\"https://www.isc.org/blogs/2024-bind-security-release/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">BIND 9 Security Release and Multi-Vendor Vulnerability Handling, CVE-2023-50387 and CVE-2023-50868</a> h/t: <span class=\"h-card\" translate=\"no\"><a href=\"https://infosec.exchange/@dreadpir8robots\" class=\"u-url mention\">@<span>dreadpir8robots</span></a></span> </p><blockquote><p>An attacker either selects or creates a DNSSEC-signed zone with NSEC3 parameters configured in excess of the Best Current Practice RFC9276, primarily by using extra iterations, and then launches a random subdomain attack against this zone. Because this Best Practice document is not yet universally followed, resolvers typically accept the extra iterations and spend CPU cycles on SHA1 hashing.</p><p>These extra SHA1 hash iterations serve as another potential denial-of-service attack vector. 
Again, the relevant standard, RFC 5155 section 8.3, does not warn about this risk, and multiple implementations did not protect against it. Ironically, we discovered this flaw while testing mitigations for KeyTrap!</p></blockquote><p><a href=\"https://infosec.exchange/tags/CVE_2023_50868\" class=\"mention hashtag\" rel=\"tag\">#<span>CVE_2023_50868</span></a> <a href=\"https://infosec.exchange/tags/KeyTrap\" class=\"mention hashtag\" rel=\"tag\">#<span>KeyTrap</span></a> <a href=\"https://infosec.exchange/tags/CVE\" class=\"mention hashtag\" rel=\"tag\">#<span>CVE</span></a> <a href=\"https://infosec.exchange/tags/vulnerability\" class=\"mention hashtag\" rel=\"tag\">#<span>vulnerability</span></a></p>",
"contentMap": {
"en": "<p><a href=\"https://nvd.nist.gov/vuln/detail/CVE-2023-50868\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">CVE-2023-50868</a> (CVSSv3/4 score pending, disclosed 14 February 2024)</p><blockquote><p>The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.</p></blockquote><p>This vulnerability was actually discovered while testing mitigations for the KeyTrap vulnerability (CVE-2023-50867; cc: <span class=\"h-card\" translate=\"no\"><a href=\"https://shellsharks.social/@shellsharks\" class=\"u-url mention\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">@<span>shellsharks</span></a></span>): <a href=\"https://www.isc.org/blogs/2024-bind-security-release/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">BIND 9 Security Release and Multi-Vendor Vulnerability Handling, CVE-2023-50387 and CVE-2023-50868</a> h/t: <span class=\"h-card\" translate=\"no\"><a href=\"https://infosec.exchange/@dreadpir8robots\" class=\"u-url mention\">@<span>dreadpir8robots</span></a></span> </p><blockquote><p>An attacker either selects or creates a DNSSEC-signed zone with NSEC3 parameters configured in excess of the Best Current Practice RFC9276, primarily by using extra iterations, and then launches a random subdomain attack against this zone. Because this Best Practice document is not yet universally followed, resolvers typically accept the extra iterations and spend CPU cycles on SHA1 hashing.</p><p>These extra SHA1 hash iterations serve as another potential denial-of-service attack vector. 
Again, the relevant standard, RFC 5155 section 8.3, does not warn about this risk, and multiple implementations did not protect against it. Ironically, we discovered this flaw while testing mitigations for KeyTrap!</p></blockquote><p><a href=\"https://infosec.exchange/tags/CVE_2023_50868\" class=\"mention hashtag\" rel=\"tag\">#<span>CVE_2023_50868</span></a> <a href=\"https://infosec.exchange/tags/KeyTrap\" class=\"mention hashtag\" rel=\"tag\">#<span>KeyTrap</span></a> <a href=\"https://infosec.exchange/tags/CVE\" class=\"mention hashtag\" rel=\"tag\">#<span>CVE</span></a> <a href=\"https://infosec.exchange/tags/vulnerability\" class=\"mention hashtag\" rel=\"tag\">#<span>vulnerability</span></a></p>"
},
"updated": "2024-06-11T18:38:18Z",
"attachment": [],
"tag": [
{
"type": "Mention",
"href": "https://shellsharks.social/users/shellsharks",
"name": "@shellsharks@shellsharks.social"
},
{
"type": "Mention",
"href": "https://infosec.exchange/users/dreadpir8robots",
"name": "@dreadpir8robots"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/cve_2023_50868",
"name": "#cve_2023_50868"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/keytrap",
"name": "#keytrap"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/cve",
"name": "#cve"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/vulnerability",
"name": "#vulnerability"
}
],
"replies": {
"id": "https://infosec.exchange/users/screaminggoat/statuses/112599138016204687/replies",
"type": "Collection",
"first": {
"type": "CollectionPage",
"next": "https://infosec.exchange/users/screaminggoat/statuses/112599138016204687/replies?min_id=112599743290870641&page=true",
"partOf": "https://infosec.exchange/users/screaminggoat/statuses/112599138016204687/replies",
"items": [
"https://infosec.exchange/users/screaminggoat/statuses/112599743290870641"
]
}
},
"likes": {
"id": "https://infosec.exchange/users/screaminggoat/statuses/112599138016204687/likes",
"type": "Collection",
"totalItems": 5
},
"shares": {
"id": "https://infosec.exchange/users/screaminggoat/statuses/112599138016204687/shares",
"type": "Collection",
"totalItems": 0
}
}