<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1374959979;
mso-list-template-ids:-279793618;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="en-PL" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="color:black"> </span><span style="color:black">Hi,<o:p></o:p></span></p>
<p style="margin-bottom:0cm;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span lang="EN-US" style="color:black">As we currently do not have access to Bitbucket to raise issues/queries, I would like to ask members to raise the query/issue below as a ticket that we can discuss in the FAPI Weekly Working Group and reach a common conclusion.</span><span style="color:black"><o:p></o:p></span></p>
<p style="margin-bottom:0cm;font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-stroke-width: 0px;caret-color: rgb(0, 0, 0);word-spacing:0px">
<span style="color:black">In the current specification of FAPI/OpenID (both 1 draft 06, 1 final, and 2.0), during the Authentication/Authorization Request the RP (Relying Party) can send the state and nonce query parameters as opaque string values – both parameters do not have any validation rules. According to OWASP <a href="https://owasp.org/www-community/attacks/xss/" title="https://owasp.org/www-community/attacks/xss/"><span lang="EN-US" style="color:#0563C1">https://owasp.org/www-community/attacks/xss/</span></a> there are cases when a query parameter can be used for an XSS attack. In the case of a browser journey, when the RP (Relying Party) is using server-side rendered HTML pages without proper parameter sanitization, it is possible to perform such an attack.<o:p></o:p></span></p>
<p style="margin-bottom:0cm"><span lang="EN-US" style="color:black">I can walk through example code to demonstrate the issue if further clarification is required to understand the use case.
</span><span style="color:black"><o:p></o:p></span></p>
<p style="margin-bottom:0cm;font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-stroke-width: 0px;caret-color: rgb(0, 0, 0);word-spacing:0px">
<span style="color:black">I would like to seek</span><span class="apple-converted-space"><span style="color:black"> </span></span><span lang="EN-US" style="color:black">your opinion:</span><span style="color:black"><o:p></o:p></span></p>
<ul style="margin-top:0cm;font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-stroke-width: 0px;caret-color: rgb(0, 0, 0);word-spacing:0px" type="disc">
<li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo1">Could the OpenID Provider (OP) add a protection layer for XSS, which in the end would mean the state and nonce parameters could be validated against an allowed pattern – for example ^[-\p{L}\p{N}./+=_ !$*?@%:,]{0,2000}$ – or will this break conformance to the FAPI/OpenID specification?<o:p></o:p></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo1">Should general OWASP protection rules become embedded inside the FAPI/OpenID specification?<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif;color:red;mso-ligatures:none;mso-fareast-language:EN-GB">Piotr DROZD</span></b><span style="color:black;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:EN-GB">Global Platform Lead – WSIT Open Banking</span><span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:EN-GB">Wholesale IT l HSBC SERVICE DELIVERY(P</span><span lang="EN-US" style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:EN-GB">L</span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:EN-GB">)</span><span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:EN-GB"> </span><span style="color:black;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="margin-left:4.35pt;border-collapse:collapse">
<tbody>
<tr>
<td width="375" style="width:281.25pt;padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:EN-GB">______________________________________________________________</span><span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="99%" style="width:99.0%;margin-left:.25pt;border-collapse:collapse">
<tbody>
<tr>
<td width="17%" style="width:17.0%;padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red;mso-ligatures:none;mso-fareast-language:EN-GB"> </span></b><span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red;mso-ligatures:none;mso-fareast-language:EN-GB">Telephone:</span></b><span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</td>
<td width="82%" style="width:82.0%;padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:EN-GB"> </span><span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:EN-GB">N/A</span><span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="17%" style="width:17.0%;padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red;mso-ligatures:none;mso-fareast-language:EN-GB">Email:</span></b><span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</td>
<td width="82%" style="width:82.0%;padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><u><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red;mso-ligatures:none;mso-fareast-language:EN-GB"><a href="mailto:piotr.m.drozd@hsbc.com" title="mailto:piotr.m.drozd@hsbc.com"><span style="color:#954F72">piotr.m.drozd@hsbc.com</span></a></span></u><span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:EN-GB">______________________________________________________________</span><span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
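<p class="MsoNormal">As an added example that is not part of the original e-mail, the following Node.js snippet compiles the pattern proposed above (with the u flag so that \p{L} and \p{N} work in JavaScript) and places the proposed OP-side allowlist check beside the RP-side output encoding that the post's scenario is missing; the function names and sample values are constructed for illustration.</p>

```javascript
// Added example (not from the mailing-list post). The allowlist pattern proposed
// in the post, applied as an OP-side check, shown next to the RP-side control that
// removes the reflected-XSS risk: escaping the value before it is interpolated into
// server-side rendered HTML. All sample values below are constructed.

// Pattern quoted in the post; the "u" flag is required for \p{L} / \p{N} in JS.
const STATE_NONCE_PATTERN = new RegExp("^[-\\p{L}\\p{N}./+=_ !$*?@%:,]{0,2000}$", "u");

// Proposed OP-side check: accept only state/nonce values inside the allowlist.
function isAllowedOpaqueValue(value) {
  return typeof value === "string" && STATE_NONCE_PATTERN.test(value);
}

// RP-side defence: contextual output encoding for an HTML text node.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The rendering the post describes: the parameter is dropped into a server-side
// rendered page with no sanitization, so any markup in it becomes part of the DOM.
function renderUnsafe(state) {
  return `<p>Returned with state: ${state}</p>`;
}

// Hardened rendering: same page, value escaped for the HTML text context.
function renderSafe(state) {
  return `<p>Returned with state: ${escapeHtml(state)}</p>`;
}

// Constructed samples: an ordinary opaque state (letters from \p{L} include
// non-ASCII) and a value that carries HTML markup.
const BENIGN_STATE = "af0ifjsldkj-Zażółć_2024";
const MARKUP_STATE = 'abc"><b>injected</b>';

// Returns the outcome of each check so the behaviour can be inspected or asserted.
function demo() {
  return {
    benignAllowed: isAllowedOpaqueValue(BENIGN_STATE),            // true
    markupAllowed: isAllowedOpaqueValue(MARKUP_STATE),            // false: '"', '<', '>' are outside the class
    unsafeReflectsMarkup: renderUnsafe(MARKUP_STATE).includes("<b>"), // true
    safeReflectsMarkup: renderSafe(MARKUP_STATE).includes("<b>"),     // false
  };
}

module.exports = { isAllowedOpaqueValue, escapeHtml, renderUnsafe, renderSafe, demo };
```

Validation at the OP is at most defence in depth here: an RP's redirect endpoint can receive an arbitrary query string without the request ever passing through the OP, so encoding the value at the RP is the control that actually removes the risk.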
</div>
<DIV>
-----------------------------------------<BR>
SAVE PAPER - THINK BEFORE YOU PRINT!<BR>
<BR>
This E-mail is confidential. <BR>
<BR>
It may also be legally privileged. If you are not the addressee you may not copy,<BR>
forward, disclose or use any part of it. If you have received this message in error,<BR>
please delete it and all copies from your system and notify the sender immediately by<BR>
return E-mail.<BR>
<BR>
Internet communications cannot be guaranteed to be timely secure, error or virus-free.<BR>
The sender does not accept liability for any errors or omissions.<BR>
</DIV></body>
</html>