Ability for AS to reject requests that have suspicious state/nonce or other params
Issue #610
open
An issue was raised via email about whether it was acceptable for an AS to reject requests that have suspicious state or nonce values, e.g. with a <script> tag or something similar.
Although the AS shouldn't be processing such values, the worry was that by not blocking such requests, the AS may be facilitating an XSS attack.
We discussed on the call today that:
- Nothing is stopping an AS blocking requests that it considers suspicious, e.g. with a <script> tag
- An AS must not wholesale block certain characters, e.g. "<" - the AS should accept any random state/nonce value that complies with the underlying specs. The conformance suite generated random values for state and nonce.
Please chime in if you have any other view on the above
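To illustrate the two points above (accept any spec-compliant value, never block on characters such as "<"), here is an added example, not code from this issue or from the conformance suite: state is checked against the RFC 6749 grammar (1*VSCHAR, i.e. printable ASCII) and is echoed back only in an encoded form, so a <script> tag in it is harmless. The 2048-character length bound and the treatment of nonce with the same check are assumptions, not anything the specs state.

```python
import html
from urllib.parse import urlencode

# RFC 6749 Appendix A.5: state = 1*VSCHAR, VSCHAR = %x20-7E (printable ASCII).
# Assumption: nonce is checked with the same rule and the same (local-policy) length bound.
MAX_LEN = 2048


def is_spec_compliant(value: str, max_len: int = MAX_LEN) -> bool:
    """True for any non-empty printable-ASCII value up to the bound; no character is blocked."""
    return 0 < len(value) <= max_len and all(0x20 <= ord(c) <= 0x7E for c in value)


def build_redirect(redirect_uri: str, code: str, state: str) -> str:
    """Echo state back to the client only as a percent-encoded query parameter."""
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


def render_error_page(state: str) -> str:
    """If state is ever placed into HTML (e.g. an error page), it is HTML-escaped first."""
    return f"<p>Request with state {html.escape(state, quote=True)} could not be completed.</p>"


def handle_authorization_request(redirect_uri: str, state: str, nonce: str, code: str) -> dict:
    """Reject a request as malformed only when a value breaks the grammar; otherwise redirect safely."""
    if not is_spec_compliant(state) or not is_spec_compliant(nonce):
        return {"status": 400, "error": "invalid_request"}
    return {"status": 302, "location": build_redirect(redirect_uri, code, state)}


if __name__ == "__main__":
    # Constructed sample values: a state carrying a script tag, and one containing a newline.
    print(handle_authorization_request("https://client.example/cb", "<script>alert(1)</script>", "n-0S6_WzA2Mj", "SplxlOBeZQQYbYS6WxSbIA"))
    print(handle_authorization_request("https://client.example/cb", "abc\n", "n-0S6_WzA2Mj", "SplxlOBeZQQYbYS6WxSbIA"))
```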
Comments (4)
- changed component to FAPI 1: Baseline
- changed component to Implementation & Deployment Advice
There is no guidance on state length etc. and thus for the certification test.
Changed the component to Implementation & Deployment Advice.
- changed status to open
The max we can do with a spec may be to explicitly state that AS can stop processing when it sees a suspicious authorisation request as malformed.
This is true for any of the known attacks, e.g. that are listed in OWASP guidelines, and that is what is expected even now, but since the question came in as a clarification request on the conformance suite, we may as well state it.