<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1372681863;
mso-list-template-ids:-468265796;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1446730554;
mso-list-template-ids:349760818;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="en-PL" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Adding to protection who I would like to protect. This is not RP protection. I’m looking at End-User (customer data and customer authorization protection). So in a case RP is compromised
what is the limit and extend we as OP can protect End-User not to start authorize/authenticate process.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">BR,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Piotr Drozd<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Openid-specs-fapi <openid-specs-fapi-bounces@lists.openid.net> on behalf of Piotr M DROZD via Openid-specs-fapi <openid-specs-fapi@lists.openid.net><br>
<b>Reply to: </b>FAPI Working Group List <openid-specs-fapi@lists.openid.net><br>
<b>Date: </b>Friday, 16 June 2023 at 18:07<br>
<b>To: </b>Joseph Heenan <joseph@authlete.com><br>
<b>Cc: </b>Piotr M DROZD <piotr.m.drozd@hsbc.com>, Financial API Working Group List <openid-specs-fapi@lists.openid.net><br>
<b>Subject: </b>EXTERNAL: Re: [Openid-specs-fapi] Re: Re: Re: XSS - FAPI/OpenID - query<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-line-height-alt:.75pt"><span style="font-size:1.0pt;color:white">Agree. We cannot protect all vectors at OP when RP is compromised. I also agree because of request object signature tampering in the middle cannot happen. But would
not additional validation to explicitly disallow a pattern that clearly indicate
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-line-height-alt:.75pt"><span style="font-size:1.0pt;color:white">ZjQcmQRYFpfptBannerStart<o:p></o:p></span></p>
</div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-radius:4px">
<tbody>
<tr>
<td style="padding:12.0pt 0cm 12.0pt 0cm">
<table class="MsoNormalTable" border="1" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;background:#FCECA6;border:none;border-top:solid #E4CA00 3.0pt">
<tbody>
<tr>
<td valign="top" style="border:none;padding:0cm 7.5pt 3.75pt 4.5pt">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" align="left">
<tbody>
<tr>
<td style="padding:3.0pt 6.0pt 3.0pt 6.0pt">
<p class="MsoNormal"><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black">This Message Is From an External Sender
<o:p></o:p></span></b></p>
</td>
</tr>
<tr>
<td style="padding:3.0pt 6.0pt 3.0pt 6.0pt">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">This message came from outside your organisation. The content & any attachments need to be treated with care and attention.
<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<div>
<p class="MsoNormal" style="mso-line-height-alt:.75pt"><span style="font-size:1.0pt;color:white">ZjQcmQRYFpfptBannerEnd<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Agree. We cannot protect all vectors at OP when RP is compromised. I also agree because of request object signature tampering in the middle cannot happen. But would not additional validation
to explicitly disallow a pattern that clearly indicate usage of script injection not additionally protect when only partial of RP is compromised ?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">BR,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Piotr Drozd</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Joseph Heenan <joseph@authlete.com><br>
<b>Date: </b>Friday, 16 June 2023 at 17:55<br>
<b>To: </b>Piotr M DROZD <piotr.m.drozd@hsbc.com><br>
<b>Cc: </b>Financial API Working Group List <openid-specs-fapi@lists.openid.net><br>
<b>Subject: </b>EXTERNAL: Re: Re: [Openid-specs-fapi] Re: XSS - FAPI/OpenID - query</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-line-height-alt:.75pt"><span style="font-size:1.0pt;color:white">Right. But an attacker simply can’t inject that state value into the authorization endpoint call (because in FAPI1-Adv that call uses a signed object that the OP
can detect tampering with), so what can the OP usefully do - it can only prevent
</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-line-height-alt:.75pt"><span style="font-size:1.0pt;color:white">ZjQcmQRYFpfptBannerStart</span><o:p></o:p></p>
</div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-radius:4px">
<tbody>
<tr>
<td style="padding:12.0pt 0cm 12.0pt 0cm">
<table class="MsoNormalTable" border="1" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;background:#FCECA6;border:none;border-top:solid #E4CA00 3.0pt">
<tbody>
<tr>
<td valign="top" style="border:none;padding:0cm 7.5pt 3.75pt 4.5pt">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" align="left">
<tbody>
<tr>
<td style="padding:3.0pt 6.0pt 3.0pt 6.0pt">
<p class="MsoNormal"><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black">This Message Is From an Untrusted Sender
</span></b><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:3.0pt 6.0pt 3.0pt 6.0pt">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">You have not previously corresponded with this sender.
</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<div>
<p class="MsoNormal" style="mso-line-height-alt:.75pt"><span style="font-size:1.0pt;color:white">ZjQcmQRYFpfptBannerEnd</span><o:p></o:p></p>
</div>
<p class="MsoNormal">Right. But an attacker simply can’t inject that state value into the authorization endpoint call (because in FAPI1-Adv that call uses a signed object that the OP can detect tampering with), so what can the OP usefully do - it can only prevent
the RP from attacking the RP? <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Joseph<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 16 Jun 2023, at 16:43, Piotr M DROZD <piotr.m.drozd@hsbc.com> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">I apologize for miss sent email.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">My worry is current pattern VSCHAR = %x20-7E allow to use as state parameter value of format:</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">?state=><script>if (window.confirm('If you click "ok" you would be redirected . Cancel will load this website ')) {window.location.href='<a href="https://urldefense.com/v3/__https:/www.google.com/__;!!LSAcJDlP!1-Ftpfnl_wGliGT7BImqAELLQm8A_2q-vq1Bov2Bu7fwX0gLfnUN2Ym-nhcLGJGvtZrxpBt7xHpIkFlj79Q$">https://www.google.com/</a>';};</script><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">In case of poor coding at RP when there is middle page to resubmit state and code parameter to server it is possible to execute state value as actual script (old way of submitting data thru hidden input field inside html
form)</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">BR,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif;color:red">Piotr DROZD</span></b><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">Global Platform Lead – WSIT Open Banking</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">Wholesale IT l HSBC SERVICE DELIVERY(P</span><span lang="EN-US" style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">L</span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">)</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
</div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="margin-left:4.35pt;border-collapse:collapse">
<tbody>
<tr>
<td width="375" style="width:281.25pt;padding:.75pt .75pt .75pt .75pt">
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">______________________________________________________________</span><o:p></o:p></p>
</div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="99%" style="width:99.0%;margin-left:.25pt;border-collapse:collapse">
<tbody>
<tr>
<td width="17%" style="width:17.0%;padding:0cm 0cm 0cm 0cm">
<div>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red"> </span></b><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red">Telephone:</span></b><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red">Internal:</span></b><o:p></o:p></p>
</div>
</td>
<td width="82%" style="width:82.0%;padding:0cm 0cm 0cm 0cm">
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">N/A</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">604857122580</span><o:p></o:p></p>
</div>
</td>
</tr>
<tr>
<td width="17%" style="width:17.0%;padding:0cm 0cm 0cm 0cm">
<div>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red">Email:</span></b><o:p></o:p></p>
</div>
</td>
<td width="82%" style="width:82.0%;padding:0cm 0cm 0cm 0cm">
<div>
<p class="MsoNormal"><u><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red"><a href="mailto:piotr.m.drozd@hsbc.com" title="mailto:piotr.m.drozd@hsbc.com"><span style="color:#954F72">piotr.m.drozd@hsbc.com</span></a></span></u><o:p></o:p></p>
</div>
</td>
</tr>
</tbody>
</table>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">______________________________________________________________</span><o:p></o:p></p>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;border-color:currentcolor currentcolor;border-image: none">
<div>
<p class="MsoNormal"><b><span style="font-size:12.0pt">From:<span class="apple-converted-space"> </span></span></b><span style="font-size:12.0pt">Openid-specs-fapi <<a href="mailto:openid-specs-fapi-bounces@lists.openid.net">openid-specs-fapi-bounces@lists.openid.net</a>>
on behalf of Piotr M DROZD via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>><br>
<b>Reply to:<span class="apple-converted-space"> </span></b>FAPI Working Group List <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>><br>
<b>Date:<span class="apple-converted-space"> </span></b>Friday, 16 June 2023 at 17:39<br>
<b>To:<span class="apple-converted-space"> </span></b>Joseph Heenan <<a href="mailto:joseph@authlete.com">joseph@authlete.com</a>>, Financial API Working Group List <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>><br>
<b>Cc:<span class="apple-converted-space"> </span></b>Piotr M DROZD <<a href="mailto:piotr.m.drozd@hsbc.com">piotr.m.drozd@hsbc.com</a>><br>
<b>Subject:<span class="apple-converted-space"> </span></b>EXTERNAL: Re: [Openid-specs-fapi] Re: XSS - FAPI/OpenID - query</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:1.0pt;color:white">My worry in case of current pattern From: Joseph Heenan <joseph@ authlete. com> Date: Friday, 16 June 2023 at 17: 31 To: Financial API Working Group List <openid-specs-fapi@ lists. openid. net>
Cc: Piotr M DROZD <piotr. m. drozd@ hsbc. com><span class="apple-converted-space"> </span></span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:1.0pt;color:white">ZjQcmQRYFpfptBannerStart</span><o:p></o:p></p>
</div>
</div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-radius: 4px">
<tbody>
<tr>
<td style="padding:12.0pt 0cm 12.0pt 0cm">
<table class="MsoNormalTable" border="1" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;background:#FCECA6;border:none;border-top:solid windowtext 3.0pt;border-color:currentcolor currentcolor;border-image: none">
<tbody>
<tr>
<td valign="top" style="border:none;padding:0cm 7.5pt 3.75pt 4.5pt">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" align="left">
<tbody>
<tr>
<td style="padding:3.0pt 6.0pt 3.0pt 6.0pt">
<div>
<p class="MsoNormal"><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif">This Message Is From an External Sender</span></b><o:p></o:p></p>
</div>
</td>
</tr>
<tr>
<td style="padding:3.0pt 6.0pt 3.0pt 6.0pt">
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif">This message came from outside your organisation. The content & any attachments need to be treated with care and attention.</span><o:p></o:p></p>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<div>
<div>
<p class="MsoNormal"><span style="font-size:1.0pt;color:white">ZjQcmQRYFpfptBannerEnd</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">My worry in case of current pattern</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;border-color:currentcolor currentcolor;border-image: none">
<div>
<p class="MsoNormal"><b><span style="font-size:12.0pt">From:<span class="apple-converted-space"> </span></span></b><span style="font-size:12.0pt">Joseph Heenan <joseph@authlete.com><br>
<b>Date:<span class="apple-converted-space"> </span></b>Friday, 16 June 2023 at 17:31<br>
<b>To:<span class="apple-converted-space"> </span></b>Financial API Working Group List <openid-specs-fapi@lists.openid.net><br>
<b>Cc:<span class="apple-converted-space"> </span></b>Piotr M DROZD <piotr.m.drozd@hsbc.com><br>
<b>Subject:<span class="apple-converted-space"> </span></b>EXTERNAL: Re: [Openid-specs-fapi] XSS - FAPI/OpenID - query</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:1.0pt;color:white">Hi Piotr Thanks for your email. For info, the syntax for state is defined here: https: //www. rfc-editor. org/rfc/rfc6749#appendix-A. 5 If I have understood correctly, the issue you are raising
is that the RP may due to poor coding display values<span class="apple-converted-space"> </span></span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:1.0pt;color:white">ZjQcmQRYFpfptBannerStart</span><o:p></o:p></p>
</div>
</div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-radius: 4px">
<tbody>
<tr>
<td style="padding:12.0pt 0cm 12.0pt 0cm">
<table class="MsoNormalTable" border="1" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;background:#FCECA6;border:none;border-top:solid windowtext 3.0pt;border-color:currentcolor currentcolor;border-image: none">
<tbody>
<tr>
<td valign="top" style="border:none;padding:0cm 7.5pt 3.75pt 4.5pt">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" align="left">
<tbody>
<tr>
<td style="padding:3.0pt 6.0pt 3.0pt 6.0pt">
<div>
<p class="MsoNormal"><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif">This Message Is From an Untrusted Sender</span></b><o:p></o:p></p>
</div>
</td>
</tr>
<tr>
<td style="padding:3.0pt 6.0pt 3.0pt 6.0pt">
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif">You have not previously corresponded with this sender.</span><o:p></o:p></p>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<div>
<div>
<p class="MsoNormal"><span style="font-size:1.0pt;color:white">ZjQcmQRYFpfptBannerEnd</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal">Hi Piotr<span class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Thanks for your email.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">For info, the syntax for state is defined here:<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><a href="https://urldefense.com/v3/__https:/www.rfc-editor.org/rfc/rfc6749*appendix-A.5__;Iw!!LSAcJDlP!2EmCh3VXFjRePTUDoI0aA3Q1C1eMPSfPsVIru2Pyt1XhBwdkRu7YlA7k_RSovTBHK562C7e0328QCwPfD8c$">https://www.rfc-editor.org/rfc/rfc6749#appendix-A.5</a><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">If I have understood correctly, the issue you are raising is that the RP may due to poor coding display values passed in the URL query to it’s redirect url without proper escaping?<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">I do not seen what the OP can usefully do here, at least in the case of FAPI (where the state/nonce values are passed to the OP cryptographically signed and hence are known to have come from the RP).<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Thanks<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Joseph<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">On 16 Jun 2023, at 16:13, Piotr M DROZD via Openid-specs-fapi <openid-specs-fapi@lists.openid.net> wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span>Hi,<o:p></o:p></p>
</div>
</div>
<p style="margin-bottom:0cm;caret-color: rgb(0, 0, 0);font-variant-caps: normal;text-align:start;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">As currently we do not have access to bitbucket to rise issue/queries I would like to seek members to rise below query/issue as a ticket that we can discuss on FAPI Weekly Working Group and reach
a common conclusion.</span><o:p></o:p></p>
<p style="margin-bottom:0cm;font-variant-caps: normal;text-align:start;-webkit-text-stroke-width: 0px;caret-color: rgb(0, 0, 0);word-spacing:0px">
<span style="font-size:9.0pt;font-family:Helvetica">In current specification of<span class="apple-converted-space"> </span></span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">FAPI/OpenID (both 1 draft 06, 1 final, and 2.0)<span class="apple-converted-space"> </span></span><span style="font-size:9.0pt;font-family:Helvetica">during<span class="apple-converted-space"> </span></span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">Authentication/Authorization
Request, RP (Relaying Party) can</span><span class="apple-converted-space"><span style="font-size:9.0pt;font-family:Helvetica"> </span></span><span style="font-size:9.0pt;font-family:Helvetica">sent state</span><span class="apple-converted-space"><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica"> </span></span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">and
nonce query<span class="apple-converted-space"> </span></span><span style="font-size:9.0pt;font-family:Helvetica">parameter<span class="apple-converted-space"> </span></span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">as</span><span class="apple-converted-space"><span style="font-size:9.0pt;font-family:Helvetica"> </span></span><span style="font-size:9.0pt;font-family:Helvetica">opaque
string value –<span class="apple-converted-space"> </span></span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">both parameters do not have any validation rules</span><span style="font-size:9.0pt;font-family:Helvetica">. According to OWASP<span class="apple-converted-space"> </span></span><span lang="PL" style="font-size:9.0pt;font-family:Helvetica"><a href="https://urldefense.com/v3/__https:/owasp.org/www-community/attacks/xss/__;!!LSAcJDlP!2EmCh3VXFjRePTUDoI0aA3Q1C1eMPSfPsVIru2Pyt1XhBwdkRu7YlA7k_RSovTBHK562C7e0328Qb6xvBp8$" title="https://owasp.org/www-community/attacks/xss/"><span lang="EN-US" style="color:#0563C1">https://owasp.org/www-community/attacks/xss/</span></a><span class="apple-converted-space"> </span></span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">t</span><span style="font-size:9.0pt;font-family:Helvetica">here
are cases whe</span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">n</span><span class="apple-converted-space"><span style="font-size:9.0pt;font-family:Helvetica"> </span></span><span style="font-size:9.0pt;font-family:Helvetica">query parameter
can be used for XSS attack. </span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">In case of Browser journey when RP (Relaying Party) is using server side based rendered html pages without proper parameter sanitization it is possible to
perform such an attack.<span class="apple-converted-space"> </span></span><o:p></o:p></p>
<p style="margin-bottom:0cm"><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">I can walkthrough example code to demonstrate issue if further clarification will be required to understand Use Case.</span><o:p></o:p></p>
<p style="margin-bottom:0cm;font-variant-caps: normal;text-align:start;-webkit-text-stroke-width: 0px;caret-color: rgb(0, 0, 0);word-spacing:0px">
<span style="font-size:9.0pt;font-family:Helvetica">I would like to seek<span class="apple-converted-space"> </span></span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">your opinion:</span><o:p></o:p></p>
<ul style="margin-top:0cm;font-variant-caps: normal;text-align:start;-webkit-text-stroke-width: 0px;caret-color: rgb(0, 0, 0);word-spacing:0px" type="disc">
<li class="MsoNormal" style="mso-list:l1 level1 lfo3">Could<span class="apple-converted-space"> </span>OpenID Provider (OP)<span class="apple-converted-space"> </span>add protection layer for XSS which in the end will mean state<span lang="EN-US">,nonce</span><span class="apple-converted-space"> </span>parameter<span class="apple-converted-space"> </span><span lang="EN-US">could</span><span class="apple-converted-space"> </span>be
validated<span class="apple-converted-space"> </span><span lang="EN-US">against allowed<span class="apple-converted-space"> </span></span>Pattern<span class="apple-converted-space"> </span><span lang="EN-US">– example -<span class="apple-converted-space"> </span></span> ^[-\p{L}\p{N}./+=_
!$*?@%:,]{0,2000}$ or<span class="apple-converted-space"> </span>will this<span class="apple-converted-space"><span lang="EN-US"> </span></span><span lang="EN-US">break conformance to FAPI/OpenID<span class="apple-converted-space"> </span></span>specification
?<o:p></o:p></li><li class="MsoNormal" style="mso-list:l1 level1 lfo3">Should general OWASP protection rules become embedded inside<span class="apple-converted-space"> </span><span lang="EN-US">FAPI/OpenID</span><span class="apple-converted-space"> </span>specification ?<o:p></o:p></li></ul>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif;color:red">Piotr DROZD</span></b><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">Global Platform Lead – WSIT Open Banking</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">Wholesale IT l HSBC SERVICE DELIVERY(P</span><span lang="EN-US" style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">L</span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">)</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
</div>
</div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="margin-left:4.35pt;border-collapse:collapse">
<tbody>
<tr>
<td width="375" style="width:281.25pt;padding:.75pt .75pt .75pt .75pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">______________________________________________________________</span><o:p></o:p></p>
</div>
</div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="99%" style="width:99.0%;margin-left:.25pt;border-collapse:collapse">
<tbody>
<tr>
<td width="17%" style="width:17.0%;padding:0cm 0cm 0cm 0cm">
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red"> </span></b><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red">Telephone:</span></b><o:p></o:p></p>
</div>
</div>
</td>
<td width="82%" style="width:82.0%;padding:0cm 0cm 0cm 0cm">
<div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">N/A</span><o:p></o:p></p>
</div>
</div>
</td>
</tr>
<tr>
<td width="17%" style="width:17.0%;padding:0cm 0cm 0cm 0cm">
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red">Email:</span></b><o:p></o:p></p>
</div>
</div>
</td>
<td width="82%" style="width:82.0%;padding:0cm 0cm 0cm 0cm">
<div>
<div>
<p class="MsoNormal"><u><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:red"><a href="mailto:piotr.m.drozd@hsbc.com" title="mailto:piotr.m.drozd@hsbc.com"><span style="color:#954F72">piotr.m.drozd@hsbc.com</span></a></span></u><o:p></o:p></p>
</div>
</div>
</td>
</tr>
</tbody>
</table>
<div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#1F497D">______________________________________________________________</span><o:p></o:p></p>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica">-----------------------------------------<br>
SAVE PAPER - THINK BEFORE YOU PRINT!<br>
<br>
This E-mail is confidential.<span class="apple-converted-space"> </span><br>
<br>
It may also be legally privileged. If you are not the addressee you may not copy,<br>
forward, disclose or use any part of it. If you have received this message in error,<br>
please delete it and all copies from your system and notify the sender immediately by<br>
return E-mail.<br>
<br>
Internet communications cannot be guaranteed to be timely secure, error or virus-free.<br>
The sender does not accept liability for any errors or omissions.</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica">_______________________________________________<br>
Openid-specs-fapi mailing list<br>
</span><a href="mailto:Openid-specs-fapi@lists.openid.net"><span style="font-size:9.0pt;font-family:Helvetica;color:#0563C1">Openid-specs-fapi@lists.openid.net</span></a><span style="font-size:9.0pt;font-family:Helvetica"><br>
</span><a href="https://urldefense.com/v3/__https:/lists.openid.net/mailman/listinfo/openid-specs-fapi__;!!LSAcJDlP!2EmCh3VXFjRePTUDoI0aA3Q1C1eMPSfPsVIru2Pyt1XhBwdkRu7YlA7k_RSovTBHK562C7e0328QQ5XgPtQ$"><span style="font-size:9.0pt;font-family:Helvetica;color:#0563C1">https://lists.openid.net/mailman/listinfo/openid-specs-fapi</span></a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">-----------------------------------------<br>
SAVE PAPER - THINK BEFORE YOU PRINT!<br>
<br>
This E-mail is confidential.<span class="apple-converted-space"> </span><br>
<br>
It may also be legally privileged. If you are not the addressee you may not copy,<br>
forward, disclose or use any part of it. If you have received this message in error,<br>
please delete it and all copies from your system and notify the sender immediately by<br>
return E-mail.<br>
<br>
Internet communications cannot be guaranteed to be timely secure, error or virus-free.<br>
The sender does not accept liability for any errors or omissions.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica">-----------------------------------------<br>
SAVE PAPER - THINK BEFORE YOU PRINT!<br>
<br>
This E-mail is confidential.<span class="apple-converted-space"> </span><br>
<br>
It may also be legally privileged. If you are not the addressee you may not copy,<br>
forward, disclose or use any part of it. If you have received this message in error,<br>
please delete it and all copies from your system and notify the sender immediately by<br>
return E-mail.<br>
<br>
Internet communications cannot be guaranteed to be timely secure, error or virus-free.<br>
The sender does not accept liability for any errors or omissions.</span><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">-----------------------------------------<br>
SAVE PAPER - THINK BEFORE YOU PRINT!<br>
<br>
This E-mail is confidential. <br>
<br>
It may also be legally privileged. If you are not the addressee you may not copy,<br>
forward, disclose or use any part of it. If you have received this message in error,<br>
please delete it and all copies from your system and notify the sender immediately by<br>
return E-mail.<br>
<br>
Internet communications cannot be guaranteed to be timely secure, error or virus-free.<br>
The sender does not accept liability for any errors or omissions.<o:p></o:p></p>
</div>
</div>
<DIV>
-----------------------------------------<BR>
SAVE PAPER - THINK BEFORE YOU PRINT!<BR>
<BR>
This E-mail is confidential. <BR>
<BR>
It may also be legally privileged. If you are not the addressee you may not copy,<BR>
forward, disclose or use any part of it. If you have received this message in error,<BR>
please delete it and all copies from your system and notify the sender immediately by<BR>
return E-mail.<BR>
<BR>
Internet communications cannot be guaranteed to be timely secure, error or virus-free.<BR>
The sender does not accept liability for any errors or omissions.<BR>
</DIV></body>
</html>