powered by Jive Software

Protection against forged IQ

I am trying to develop an openfire plugin that implements IQHandler to handle my custom IQ.

However, I want to be sure that an authenticated user can not send a forged IQ with a “from” attribute different from its own (to usurp someone’s identity).

So I am wondering if, by default, openfire would reject any IQ with a “from” attribute containing a JID different from the one of the user authenticated as the owner of the connection that sent this IQ?

If no, how can I check, into my plugin code, that the “from” attribute of an IQ actually match the one of the owner of the session that sent it? (NOTE: I do not accept anonymous connections to my server. So a user must be authenticated to be able to send IQ to the server).

So I am wondering if, by default, openfire would reject any IQ with a “from” attribute containing a JID different from the one of the user authenticated as the owner of the connection that sent this IQ?
Ideally openfire would just ignore the from attribute send by the client and replace it by the clients full JID as mandated by the spec. I didn’t have a look a code yet if it’s actually the case, but that is what should be done.

1 Like

Yes it’s done this way. See ClientStanzaHandler.java:

@Override

protected void processIQ(IQ packet) throws UnauthorizedException {

// Overwrite the FROM attribute to avoid spoofing
packet.setFrom(session.getAddress());
super.processIQ(packet);

}