The Open Data Protocol (OData) is an open web protocol for querying and updating data. OData enables the creation of HTTP-based RESTful data services that can be used to publish and edit resources with simple HTTP messages. OData is intended to expose and access information from a variety of sources, including relational databases, file systems, content management systems, and traditional web sites. It allows a consumer to query a data source over the HTTP protocol and get results back in formats like Atom, JSON or plain XML. OData can be thought of as JDBC/ODBC for the internet.
The protocol is relatively new and is being adopted by major software manufacturers such as Microsoft, IBM, and SAP, but it hasn't been publicly explored in terms of security. As more applications, websites, and frameworks support OData, a larger attack surface becomes available to attackers.
Oyedata is a new tool to perform black-box OData security testing and help secure OData deployments. I wrote Oyedata from a penetration testing perspective; its major features are summarized below:
1. Intuitive GUI-based tool written in C#.
2. Ability to create attack templates from local and remote Service Documents and Service Metadata Documents.
3. Support for XML and JSON data formats.
4. Ability to export attack templates in JSON and XML formats that can be fed to custom fuzzing code.
5. Ability to engage the OData services for manual testing.
6. Data generator for EDMSimpleType test data generation.
7. Ability to generate "Read URIs" for Entities, Entity Properties and Entity Property Values.
8. Ability to generate attack templates for creation of new Entries, updating existing Entries, Service Operation invocation, Entry deletion etc.
9. Ability to identify Keys, Nullable and Non-Nullable Properties and indicate the same in the attack templates.
10. Web proxy, HTTP and HTTPS support and error logging.
Image shows Oyedata retrieving an OData Service Metadata document.
Image shows various Create, Read, Delete and Update operations of the "Categories" Feed along with the supported Service Operation nodes.
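Features 2, 7 and 9 above all start from the Service Metadata Document, so the following added example (my own code for this post, not part of Oyedata) parses an OData V2/V3 EDMX/CSDL document, identifies entity sets, keys and nullable properties, and derives the "Read URIs" for one entry. The metadata XML is a constructed sample modelled on a "Categories" feed, and the service root is a placeholder; Schema elements are matched by local name so that documents using any EDM namespace version are accepted, and the parser reports the same "did not have any Schema element" condition when none is found.

```python
# Added example, not Oyedata's code: parse an OData V2/V3 Service Metadata Document (EDMX/CSDL).
import xml.etree.ElementTree as ET
# Constructed sample modelled on a "Categories" feed; the namespace URIs are the real EDM ones.
SAMPLE_METADATA = """<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx">
 <edmx:DataServices xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" m:DataServiceVersion="2.0">
  <Schema Namespace="Demo" xmlns="http://schemas.microsoft.com/ado/2008/09/edm">
   <EntityType Name="Category">
    <Key><PropertyRef Name="CategoryID"/></Key>
    <Property Name="CategoryID" Type="Edm.Int32" Nullable="false"/>
    <Property Name="CategoryName" Type="Edm.String" Nullable="false" MaxLength="15"/>
    <Property Name="Description" Type="Edm.String"/>
   </EntityType>
   <EntityContainer Name="DemoEntities" m:IsDefaultEntityContainer="true">
    <EntitySet Name="Categories" EntityType="Demo.Category"/>
   </EntityContainer>
  </Schema>
 </edmx:DataServices>
</edmx:Edmx>"""

def _local(tag):
    """'{namespace}Schema' -> 'Schema', so elements match under any EDM namespace version."""
    return tag.rsplit('}', 1)[-1]

def parse_metadata(xml_text):
    """Map each EntitySet to its type, key property names and {property: (Edm type, nullable)}."""
    root = ET.fromstring(xml_text)
    schemas = [e for e in root.iter() if _local(e.tag) == 'Schema']
    if not schemas:
        raise ValueError('The XML document did not have any Schema element.')
    types, sets = {}, {}
    for schema in schemas:
        ns = schema.get('Namespace', '')
        for child in schema:
            if _local(child.tag) == 'EntityType':
                keys = [ref.get('Name') for key in child if _local(key.tag) == 'Key'
                        for ref in key if _local(ref.tag) == 'PropertyRef']
                # CSDL defaults Nullable to true when the attribute is absent.
                props = {p.get('Name'): (p.get('Type'), p.get('Nullable', 'true').lower() == 'true')
                         for p in child if _local(p.tag) == 'Property'}
                types[f"{ns}.{child.get('Name')}"] = {'keys': keys, 'properties': props}
            elif _local(child.tag) == 'EntityContainer':
                sets.update((es.get('Name'), es.get('EntityType')) for es in child if _local(es.tag) == 'EntitySet')
    return {name: dict(type=t, **types[t]) for name, t in sets.items() if t in types}

def read_uris(service_root, entity_set, info, key_value):
    """OData 'Read URIs' for the feed, one entry, each property and its raw $value (single-key types only)."""
    literal = f"'{key_value}'" if info['properties'][info['keys'][0]][0] == 'Edm.String' else str(key_value)
    entry = f"{service_root}/{entity_set}({literal})"
    uris = [f"{service_root}/{entity_set}", entry]
    for prop in info['properties']:
        uris += [f"{entry}/{prop}", f"{entry}/{prop}/$value"]
    return uris
```

Running `read_uris('http://example.test/svc', 'Categories', parse_metadata(SAMPLE_METADATA)['Categories'], 1)` yields the feed URI, the entry URI and a property/`$value` pair for each of the three properties, with the non-nullable flag available for each property from the parsed model.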
The tool is now available for download from the McAfee website at this URL. Please send in your suggestions and feedback.
8 comments:
It is a very good article on this OData security testing. My knowledge of OData is primitive; however, I understand the essence of this tool. Thank you for sharing it. Please update it accordingly with the latest updates on the tool and the working methodology.
@Anonymous, thank you. Glad you liked the tool and the methodology.
I have been using Oyedata recently for testing an OData service, but I eventually got errors when I tried to send any type of request.
6/17/2015 5:01:52 PM
System.InvalidOperationException: This operation cannot be performed after the request has been submitted.
at System.Net.HttpWebRequest.set_Proxy(IWebProxy value)
at Oyedata.OyeWebCommEngine.createAndFireWebRequest()
at Oyedata.OyeWebCommEngine.GetResponse(Object sender, DoWorkEventArgs e)
Not sure what the problem was.
@SanT it appears to be an issue with the web proxy in use. Did you try providing credentials for the same?
Hi there,
I am excited to use Oyedata in my testing. I've run into an error however: "The XML document did not have any Schema element." I can see however, in the response that is coming back that a schema element is present in the XML. Have you encountered this before?
Thanks!
@Unknown thank you for your message. Unfortunately, I no longer have access to Oyedata source code and cannot help. Sorry.
Hi Gursev! When was Oyedata version 1.0 released?
I am getting the "The XML document did not have any Schema element." error when trying to load the service metadata document by passing the URI. Has anyone got a solution to this?