[Openid-specs-fapi] XSS - FAPI/OpenID - query

Joseph Heenan joseph at authlete.com
Fri Jun 16 15:30:46 UTC 2023


Hi Piotr

Thanks for your email.

For info, the syntax for state is defined here:

https://www.rfc-editor.org/rfc/rfc6749#appendix-A.5

If I have understood correctly, the issue you are raising is that the RP may, due to poor coding, display values passed in the URL query to its redirect URL without proper escaping?

I do not see what the OP can usefully do here, at least in the case of FAPI (where the state/nonce values are passed to the OP cryptographically signed and hence are known to have come from the RP).

Thanks

Joseph



> On 16 Jun 2023, at 16:13, Piotr M DROZD via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> 
> Hi,
> As we currently do not have access to Bitbucket to raise issues/queries, I would like to ask members to raise the below query/issue as a ticket that we can discuss at the FAPI Weekly Working Group and reach a common conclusion.
> In the current specification of FAPI/OpenID (both 1 draft 06, 1 final, and 2.0), during the Authentication/Authorization Request the RP (Relying Party) can send the state and nonce query parameters as opaque string values – neither parameter has any validation rules. According to OWASP https://owasp.org/www-community/attacks/xss/ there are cases when a query parameter can be used for an XSS attack. In the case of a browser journey where the RP (Relying Party) is using server-side rendered HTML pages without proper parameter sanitization, it is possible to perform such an attack.
> I can walk through example code to demonstrate the issue if further clarification is required to understand the use case.
> I would like to seek your opinion:
> Could the OpenID Provider (OP) add a protection layer for XSS, which in the end would mean the state and nonce parameters could be validated against an allowed pattern – for example ^[-\p{L}\p{N}./+=_ !$*?@%:,]{0,2000}$ – or would this break conformance to the FAPI/OpenID specification?
> Should general OWASP protection rules become embedded in the FAPI/OpenID specification?
>  
>  
> Piotr DROZD
> Global Platform Lead – WSIT Open Banking
> Wholesale IT l HSBC SERVICE DELIVERY(PL)
> Email: piotr.m.drozd at hsbc.com
>  
>  
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net <mailto:Openid-specs-fapi at lists.openid.net>
> https://lists.openid.net/mailman/listinfo/openid-specs-fapi
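The point Joseph makes is that the fix belongs at the RP: RFC 6749 Appendix A.5 defines `state` as `1*VSCHAR` (any printable ASCII, `%x20-7E`), so a syntactically valid `state` may legitimately contain `<`, `>`, `"` or `&`, and an RP that interpolates it into server-rendered HTML is exposed regardless of what the OP does. The following is an added example, not code from the thread or from any OpenID project, showing a vulnerable RP callback renderer beside a hardened one (session-bound `state` check, then HTML escaping of anything reflected), with the RFC syntax and the allow-list pattern from Piotr's email applied to the same constructed payload. The RP URL `https://rp.example/cb`, the function names and the sample callback are assumptions made for the example.

```javascript
// Added example (not from the mailing-list thread): an OAuth/OIDC RP callback
// handler that reflects `state` into a server-side rendered HTML page.
// Assumes Node.js (WHATWG URL and Unicode property escapes in RegExp).

// RFC 6749 Appendix A.5: state = 1*VSCHAR, VSCHAR = %x20-7E.
// This syntax admits '<', '>', '"', '&', so syntax validation alone does not
// prevent HTML injection at an RP that renders the value.
const RFC6749_STATE = /^[\x20-\x7E]+$/;

// The allow-list pattern proposed in the quoted email, for comparison only.
const PROPOSED_STATE = /^[-\p{L}\p{N}./+=_ !$*?@%:,]{0,2000}$/u;

// Minimal HTML entity encoder for text-node and double-quoted attribute
// contexts. In production use a templating engine that escapes by default;
// this is inlined only to keep the example self-contained.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Parse the query of the redirect URI the OP sent the browser back to.
function parseCallback(redirectUrl) {
  const params = new URL(redirectUrl).searchParams;
  return {
    code: params.get('code'),
    state: params.get('state'),
    error: params.get('error'),
    errorDescription: params.get('error_description'),
  };
}

// VULNERABLE: query values are interpolated straight into HTML, i.e. the
// "server side based rendered html pages without proper parameter
// sanitization" case from the email.
function renderCallbackVulnerable(cb) {
  return `<p>Authorization failed (state=${cb.state}): ${cb.errorDescription || ''}</p>`;
}

// HARDENED: (1) `state` is compared with the value the RP bound to the user's
// session when it built the authorization request (RFC 6749 section 10.12
// CSRF protection), so an attacker-chosen value is never rendered at all;
// (2) anything that is reflected is HTML-escaped. The escaping is what closes
// the XSS; the state check is required anyway and acts as defence in depth.
function renderCallbackHardened(cb, expectedState) {
  if (typeof cb.state !== 'string' || cb.state !== expectedState) {
    // Do not echo the received value; a fixed message is enough.
    return '<p>Authorization failed: state mismatch.</p>';
  }
  return `<p>Authorization failed (state=${escapeHtml(cb.state)}): ` +
    `${escapeHtml(cb.errorDescription || '')}</p>`;
}

// Constructed sample (hypothetical RP URL): an error redirect whose `state`
// carries an HTML payload. `encodeURIComponent` keeps it a valid query value.
const SAMPLE_CALLBACK =
  'https://rp.example/cb?error=access_denied&error_description=denied' +
  '&state=' + encodeURIComponent('<script>alert(1)</script>');

function demo() {
  const cb = parseCallback(SAMPLE_CALLBACK);
  return {
    rfcSyntaxAccepts: RFC6749_STATE.test(cb.state),      // true: spec-valid
    proposedPatternAccepts: PROPOSED_STATE.test(cb.state), // false: rejected
    vulnerable: renderCallbackVulnerable(cb),
    hardenedMatched: renderCallbackHardened(cb, cb.state),
    hardenedMismatch: renderCallbackHardened(cb, 'session-bound-value'),
  };
}
```

Note that `PROPOSED_STATE` rejecting the payload while `RFC6749_STATE` accepts it is exactly the tension in the email: an OP that enforces the narrower pattern would refuse `state` values that RFC 6749 permits, whereas the hardened renderer removes the injection at the RP without touching the protocol.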
