Open Banking Toolkit

A recent series of blogs gave an overview of Open Banking components and their introduction within the existing infrastructure, highlighted the assumptions of security responsibilities among the participants and the challenges this brings, and talked about the Read/Write API permission model, technical workflow and tooling required for a successful security assessment.

Building on these blog posts around Open Banking, we are releasing a couple of Open Banking specific tools as well as and Open Banking Burp Extension.

Message Signing & Authorisation Redirect

The first release includes two standalone implementations for:

The Open Banking message signing specification;
The authorisation redirect from a Third Party Provider (TPP) to a bank (ASPSP).

Along with mutual TLS, the Open Banking specification defines message signing as an additional measure to ensure non-repudiation for specific, sensitive API endpoints from both TPPs and ASPSPs.

The Open Banking signing algorithm stipulates a library compliant with RFC 7515 (critical headers) and RFC 7797 (un-encoded/detached payload). At the time of writing this blog post, the Jose4J Java library by Brian Campbell is one of the few that comply with both of the mentioned RFCs. We have packed the specification into a small user interface as shown below.

The next tool is used to generate the redirect of the end user to their bank to authenticate and authorise an access request. The redirection is specific to the access request and therefore needs to be generated for each consent journey. The small application allows easy configuration of the TPP and ASPSP specific settings and makes the generation of the redirect more user friendly.

For more information about using the tools, details about the requirements and features, see the project pages at:

Please look out for the next release for the Open Banking Burp Suite extension. We are currently finalising the release version.

The Open Banking tools have been released under the MIT license, by downloading you are agreeing to the terms of the license which can be found within the Github projects.

Burp Extension

The Open Banking Burp Extension offers the following tools for testing Open Banking implementations:

Manual and automatic message signing;
User redirect generator;
Authorisation token catcher.

Next to the features already offered with the standalone tools described above, Burp Suite allowed us to implement an easy way to automatically sign messages and listen for the authorisation code in the proxy requests.

Please refer to the project page for more information about the Burp Suite extension including details about the requirements, video demonstration and offered features:

https://github.com/ctxis/OpenBanking-BurpExtension

The Open Banking tools have been released under the MIT license, by downloading you are agreeing to the terms of the license which can be found within the Github projects.