[Openid-specs-fapi] XSS - FAPI/OpenID - query

Piotr M DROZD piotr.m.drozd at hsbc.com
Fri Jun 16 15:13:02 UTC 2023


Hi,

As we currently do not have access to Bitbucket to raise issues/queries, I would like to ask members to raise the query/issue below as a ticket that we can discuss in the FAPI Weekly Working Group and reach a common conclusion.

In the current specification of FAPI/OpenID (1 draft 06, 1 final, and 2.0), during the Authentication/Authorization Request the RP (Relying Party) can send the state and nonce query parameters as opaque string values; neither parameter has any validation rules. According to OWASP (https://owasp.org/www-community/attacks/xss/) there are cases where a query parameter can be used for an XSS attack. In the case of a browser journey where the RP (Relying Party) is using server-side rendered HTML pages without proper parameter sanitization, it is possible to perform such an attack.

I can walk through example code to demonstrate the issue if further clarification is required to understand the use case.

I would like to seek your opinion:

  *   Could the OpenID Provider (OP) add a protection layer for XSS, which in the end would mean the state and nonce parameters could be validated against an allowed pattern, for example ^[-\p{L}\p{N}./+=_ !$*?@%:,]{0,2000}$ , or would this break conformance with the FAPI/OpenID specification?
  *   Should general OWASP protection rules become embedded in the FAPI/OpenID specification?


Piotr DROZD
Global Platform Lead – WSIT Open Banking
Wholesale IT | HSBC SERVICE DELIVERY (PL)
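The RP-side failure mode described in the message, shown as an added example (not code from the poster or from the FAPI specification): a server-rendered callback page that echoes `state` unescaped, beside a hardened version that HTML-escapes the value and applies the proposed allowlist. Python's `re` has no `\p{L}`/`\p{N}`, so the pattern is adapted using `\w` (an assumption noted in the code); the sample URL and state values are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist adapted from the pattern proposed in the message. Assumption: in
# Python's Unicode mode \w matches letters, digits and underscore, and "_" is
# already in the proposed class, so this is equivalent to [-\p{L}\p{N}...].
STATE_PATTERN = re.compile(r"[-\w./+=_ !$*?@%:,]{0,2000}")


def is_allowed_state(value: str) -> bool:
    """True if the whole value matches the proposed allowlist."""
    return STATE_PATTERN.fullmatch(value) is not None


def render_vulnerable(state: str) -> str:
    """Server-rendered page that echoes state verbatim: the problem described."""
    return f"<p>Request state: {state}</p>"


def render_escaped(state: str) -> str:
    """Output encoding alone: markup characters become harmless entities."""
    return f"<p>Request state: {html.escape(state, quote=True)}</p>"


def render_hardened(state: str) -> str:
    """Defence in depth: reject values outside the allowlist, then escape."""
    if not is_allowed_state(state):
        raise ValueError("state rejected by allowlist")
    return render_escaped(state)


def handle_callback(url: str) -> str:
    """Take state from an authorization response URL and render it safely.
    An RP should also compare state with the value it stored in the session."""
    params = parse_qs(urlsplit(url).query)
    state = params.get("state", [""])[0]
    return render_hardened(state)


# Constructed samples: one state carrying markup, one ordinary opaque value.
HOSTILE_STATE = '"><script>alert(1)</script>'
BENIGN_STATE = "af0ifjsldkj"
CALLBACK_URL = "https://rp.example/cb?code=abc&state=" + BENIGN_STATE
```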
