[Openid-specs-fapi] EXTERNAL: Re: Re: XSS - FAPI/OpenID - query
Joseph Heenan
joseph at authlete.com
Fri Jun 16 15:55:32 UTC 2023
Right. But an attacker simply can’t inject that state value into the authorization endpoint call (because in FAPI1-Adv that call uses a signed object that the OP can detect tampering with), so what can the OP usefully do - it can only prevent the RP from attacking the RP?
Joseph
> On 16 Jun 2023, at 16:43, Piotr M DROZD <piotr.m.drozd at hsbc.com> wrote:
>
> I apologize for the mis-sent email.
>
> My worry is that the current pattern VSCHAR = %x20-7E allows a state parameter value of the format:
>
> ?state=><script>if (window.confirm('If you click "ok" you would be redirected . Cancel will load this website ')) {window.location.href='https://www.google.com/';};</script>
>
> In case of poor coding at the RP, when there is a middle page to resubmit the state and code parameters to the server, it is possible to execute the state value as an actual script (the old way of submitting data through a hidden input field inside an HTML form).
>
>
> BR,
>
> Piotr DROZD
> Global Platform Lead – WSIT Open Banking
> Wholesale IT l HSBC SERVICE DELIVERY(PL)
>
>
> From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Piotr M DROZD via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
> Reply to: FAPI Working Group List <openid-specs-fapi at lists.openid.net>
> Date: Friday, 16 June 2023 at 17:39
> To: Joseph Heenan <joseph at authlete.com>, Financial API Working Group List <openid-specs-fapi at lists.openid.net>
> Cc: Piotr M DROZD <piotr.m.drozd at hsbc.com>
> Subject: EXTERNAL: Re: [Openid-specs-fapi] Re: XSS - FAPI/OpenID - query
>
> My worry in case of current pattern
>
>
> From: Joseph Heenan <joseph at authlete.com>
> Date: Friday, 16 June 2023 at 17:31
> To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
> Cc: Piotr M DROZD <piotr.m.drozd at hsbc.com>
> Subject: EXTERNAL: Re: [Openid-specs-fapi] XSS - FAPI/OpenID - query
>
> Hi Piotr
>
> Thanks for your email.
>
> For info, the syntax for state is defined here:
>
> https://www.rfc-editor.org/rfc/rfc6749#appendix-A.5
>
> If I have understood correctly, the issue you are raising is that the RP may, due to poor coding, display values passed in the URL query to its redirect URL without proper escaping?
>
> I do not see what the OP can usefully do here, at least in the case of FAPI (where the state/nonce values are passed to the OP cryptographically signed and hence are known to have come from the RP).
>
> Thanks
>
> Joseph
>
>
>
>
>
> On 16 Jun 2023, at 16:13, Piotr M DROZD via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>
> Hi,
> As we currently do not have access to Bitbucket to raise issues/queries, I would like to ask members to raise the below query/issue as a ticket that we can discuss at the FAPI Weekly Working Group and reach a common conclusion.
> In the current specification of FAPI/OpenID (both 1 draft 06, 1 final, and 2.0), during the Authentication/Authorization Request the RP (Relying Party) can send the state and nonce query parameters as opaque string values – both parameters do not have any validation rules. According to OWASP https://owasp.org/www-community/attacks/xss/ there are cases when a query parameter can be used for an XSS attack. In the case of a browser journey where the RP (Relying Party) is using server-side rendered HTML pages without proper parameter sanitization, it is possible to perform such an attack.
> I can walk through example code to demonstrate the issue if further clarification is required to understand the use case.
> I would like to seek your opinion:
> Could the OpenID Provider (OP) add a protection layer for XSS, which in the end would mean the state and nonce parameters could be validated against an allowed pattern – example: ^[-\p{L}\p{N}./+=_ !$*?@%:,]{0,2000}$ – or would this break conformance to the FAPI/OpenID specification?
> Should general OWASP protection rules become embedded inside the FAPI/OpenID specification?
>
>
> Piotr DROZD
> Global Platform Lead – WSIT Open Banking
> Wholesale IT l HSBC SERVICE DELIVERY(PL)
>
>
>
> -----------------------------------------
> SAVE PAPER - THINK BEFORE YOU PRINT!
>
> This E-mail is confidential.
>
> It may also be legally privileged. If you are not the addressee you may not copy,
> forward, disclose or use any part of it. If you have received this message in error,
> please delete it and all copies from your system and notify the sender immediately by
> return E-mail.
>
> Internet communications cannot be guaranteed to be timely secure, error or virus-free.
> The sender does not accept liability for any errors or omissions.
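The two sides of this thread can be shown side by side in code. Below is an added example, not code from the thread or from any FAPI/OpenID project: an RP "middle page" of the kind Piotr describes (hidden fields re-submitting code and state to the server), rendered once without escaping and once with attribute-context escaping, plus the two validation rules discussed (RFC 6749 VSCHAR syntax and Piotr's stricter allow-list). The allow-list is an ASCII approximation assumed for the example, because Python's re module does not support \p{L} and \p{N}; the session-binding helper is also an assumption about how an RP would check state, not something the specification text above prescribes.

```python
import hmac
import html
import re

# RFC 6749 Appendix A.5: state = 1*VSCHAR, VSCHAR = %x20-7E (any printable ASCII).
VSCHAR_RE = re.compile(r"^[\x20-\x7E]+$")

# The allow-list proposed in the thread, with \p{L}\p{N} approximated by ASCII
# letters and digits (assumption for this example; Python's re lacks \p classes).
STRICT_STATE_RE = re.compile(r"^[-A-Za-z0-9./+=_ !$*?@%:,]{0,2000}$")


def is_valid_vschar(state: str) -> bool:
    """Syntax check an OP can perform today: the value is well-formed per RFC 6749."""
    return VSCHAR_RE.fullmatch(state) is not None


def matches_strict_allowlist(state: str) -> bool:
    """The stricter pattern from the thread; rejects quotes and angle brackets."""
    return STRICT_STATE_RE.fullmatch(state) is not None


def render_form_vulnerable(code: str, state: str) -> str:
    """The weak pattern described in the thread: URL query values pasted straight
    into hidden fields of a server-rendered, auto-submitting form. No escaping."""
    return (
        '<form method="post" action="/callback">'
        f'<input type="hidden" name="code" value="{code}">'
        f'<input type="hidden" name="state" value="{state}">'
        "</form>"
    )


def render_form_hardened(code: str, state: str) -> str:
    """Same form with every untrusted value escaped for an HTML attribute context.
    html.escape(quote=True) converts & < > " ' to entities, so the value can
    neither close the attribute nor open a new tag, whatever the OP let through."""
    c = html.escape(code, quote=True)
    s = html.escape(state, quote=True)
    return (
        '<form method="post" action="/callback">'
        f'<input type="hidden" name="code" value="{c}">'
        f'<input type="hidden" name="state" value="{s}">'
        "</form>"
    )


def contains_live_script_tag(markup: str) -> bool:
    """Crude detector used only to contrast the two renderers above."""
    return "<script>" in markup


def state_is_bound_to_session(returned_state: str, session_state: str) -> bool:
    """RP-side check that holds regardless of escaping: accept only the exact state
    the RP itself generated and stored in the user's session (constant-time compare)."""
    return hmac.compare_digest(returned_state, session_state)


if __name__ == "__main__":
    # Constructed sample value in the shape quoted in the thread.
    hostile_state = '"><script>x</script>'
    print("VSCHAR-valid:", is_valid_vschar(hostile_state))
    print("Strict allow-list:", matches_strict_allowlist(hostile_state))
    print("Vulnerable:", render_form_vulnerable("abc", hostile_state))
    print("Hardened:  ", render_form_hardened("abc", hostile_state))
```

Running it shows the point both participants are making: the value is syntactically valid state under RFC 6749, so nothing in the protocol syntax stops it, yet in the hardened renderer it comes out as `&quot;&gt;&lt;script&gt;...` inside the attribute and is inert. Because in FAPI the state reaches the OP inside a signed request object from the RP, an OP-side allow-list would only ever reject the RP's own value; the output encoding and the session binding belong at the RP.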