[Openid-specs-fapi] EXTERNAL: Re: Re: XSS - FAPI/OpenID - query
Piotr M DROZD
piotr.m.drozd at hsbc.com
Fri Jun 16 15:43:14 UTC 2023
I apologize for the mis-sent email.
My worry is that the current pattern VSCHAR = %x20-7E allows using, as the state parameter, a value of the format:
?state=><script>if (window.confirm('If you click "ok" you would be redirected . Cancel will load this website ')) {window.location.href='https://www.google.com/';};</script>
In case of poor coding at the RP, when there is a middle page to resubmit the state and code parameters to the server, it is possible to execute the state value as an actual script (the old way of submitting data through a hidden input field inside an HTML form).
BR,
Piotr DROZD
Global Platform Lead – WSIT Open Banking
Wholesale IT l HSBC SERVICE DELIVERY(PL)
______________________________________________________________
Telephone: N/A
Internal: 604857122580
Email: piotr.m.drozd at hsbc.com
______________________________________________________________
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Piotr M DROZD via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Reply to: FAPI Working Group List <openid-specs-fapi at lists.openid.net>
Date: Friday, 16 June 2023 at 17:39
To: Joseph Heenan <joseph at authlete.com>, Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Cc: Piotr M DROZD <piotr.m.drozd at hsbc.com>
Subject: EXTERNAL: Re: [Openid-specs-fapi] Re: XSS - FAPI/OpenID - query
My worry in case of current pattern
From: Joseph Heenan <joseph at authlete.com>
Date: Friday, 16 June 2023 at 17:31
To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Cc: Piotr M DROZD <piotr.m.drozd at hsbc.com>
Subject: EXTERNAL: Re: [Openid-specs-fapi] XSS - FAPI/OpenID - query
Hi Piotr
Thanks for your email.
For info, the syntax for state is defined here:
https://www.rfc-editor.org/rfc/rfc6749#appendix-A.5
If I have understood correctly, the issue you are raising is that the RP may, due to poor coding, display values passed in the URL query to its redirect URL without proper escaping?
I do not see what the OP can usefully do here, at least in the case of FAPI (where the state/nonce values are passed to the OP cryptographically signed and hence are known to have come from the RP).
Thanks
Joseph
On 16 Jun 2023, at 16:13, Piotr M DROZD via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
Hi,
As we currently do not have access to Bitbucket to raise issues/queries, I would like to ask members to raise the below query/issue as a ticket that we can discuss in the FAPI Weekly Working Group and reach a common conclusion.
In the current specification of FAPI/OpenID (both 1 draft 06, 1 final, and 2.0), during the Authentication/Authorization Request the RP (Relying Party) can send the state and nonce query parameters as opaque string values – neither parameter has any validation rules. According to OWASP https://owasp.org/www-community/attacks/xss/ there are cases when a query parameter can be used for an XSS attack. In the case of a browser journey where the RP (Relying Party) is using server-side rendered HTML pages without proper parameter sanitization, it is possible to perform such an attack.
I can walk through example code to demonstrate the issue if further clarification is required to understand the use case.
I would like to seek your opinion:
* Could the OpenID Provider (OP) add a protection layer for XSS, which in the end would mean the state and nonce parameters could be validated against an allowed pattern – example: ^[-\p{L}\p{N}./+=_ !$*?@%:,]{0,2000}$ – or would this break conformance to the FAPI/OpenID specification?
* Should general OWASP protection rules become embedded inside the FAPI/OpenID specification?
Piotr DROZD
Global Platform Lead – WSIT Open Banking
Wholesale IT l HSBC SERVICE DELIVERY(PL)
______________________________________________________________
Telephone: N/A
Email: piotr.m.drozd at hsbc.com
______________________________________________________________
-----------------------------------------
SAVE PAPER - THINK BEFORE YOU PRINT!
This E-mail is confidential.
It may also be legally privileged. If you are not the addressee you may not copy,
forward, disclose or use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the sender immediately by
return E-mail.
Internet communications cannot be guaranteed to be timely secure, error or virus-free.
The sender does not accept liability for any errors or omissions.
_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-fapi
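The "middle page" failure mode discussed in this thread, as an added illustration that is not part of the thread and not code from HSBC, Authlete or the FAPI WG: an RP that receives state and code on its redirect URI and re-submits them through a server-side rendered form with hidden input fields. The unsafe renderer interpolates the query values raw, so the state value quoted above lands in the page as markup; the hardened renderer HTML-escapes every value before it reaches the page, which is the fix that has to live at the RP regardless of what the OP does. The allow-list check approximates the pattern proposed in the original query: Python's re module has no \p{L}/\p{N}, so \w in Unicode mode stands in for them (an assumption, not the proposer's exact regex). The sample state values and the form template are constructed for this example.

```python
import html
import re

# Constructed sample input: the state value quoted in the thread, as the RP would see
# it after URL-decoding the query string. Constructed here for demonstration.
HOSTILE_STATE = (
    '><script>if (window.confirm(\'If you click "ok" you would be redirected . '
    "Cancel will load this website ')) {window.location.href='https://www.google.com/';};</script>"
)
BENIGN_STATE = "af0ifjsldkj"  # constructed opaque value of the kind RFC 6749 intends

# The "middle page" pattern from the thread: the RP renders the values it received on
# its redirect URI into a self-submitting form with hidden input fields (constructed template).
FORM_TEMPLATE = (
    '<form method="post" action="/callback">'
    '<input type="hidden" name="state" value="{state}">'
    '<input type="hidden" name="code" value="{code}">'
    "</form>"
)


def render_unsafe(state: str, code: str) -> str:
    """Vulnerable variant: attacker-influenced query values are interpolated without escaping."""
    return FORM_TEMPLATE.format(state=state, code=code)


def render_escaped(state: str, code: str) -> str:
    """Hardened variant: HTML-escape every value before it reaches the page.

    quote=True also turns the double quote into &quot;, so a value cannot close the
    value="..." attribute and start a new element.
    """
    return FORM_TEMPLATE.format(
        state=html.escape(state, quote=True),
        code=html.escape(code, quote=True),
    )


# Approximation of the allow-list proposed in the thread, ^[-\p{L}\p{N}./+=_ !$*?@%:,]{0,2000}$ .
# \w (letters, digits, underscore in Unicode mode) stands in for \p{L}\p{N}_ ; assumption.
STATE_ALLOWLIST = re.compile(r"[-\w./+=!$*?@%:, ]{0,2000}")


def state_matches_allowlist(state: str) -> bool:
    """Defence-in-depth check: True when the value uses only allow-listed characters."""
    return STATE_ALLOWLIST.fullmatch(state) is not None


def contains_script_tag(page: str) -> bool:
    """Crude detector used only to show the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for label, state in (("hostile", HOSTILE_STATE), ("benign", BENIGN_STATE)):
        print(f"{label}: allow-list={state_matches_allowlist(state)}, "
              f"unsafe renders <script>={contains_script_tag(render_unsafe(state, 'c0de'))}, "
              f"escaped renders <script>={contains_script_tag(render_escaped(state, 'c0de'))}")
```

Note that the escaping, not the allow-list, is what removes the XSS: the allow-list rejects this particular value, but an RP that escapes output correctly is safe for any state value the OP echoes back, which matters under FAPI where the OP only sees a state it cannot usefully rewrite.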