Tuesday, June 12, 2012

Oyedata for OData Security Assessments


The Open Data Protocol (OData) is an open web protocol for querying and updating data. OData enables the creation of HTTP-based RESTful data services that can be used to publish and edit resources with simple HTTP messages. OData is intended to be used to expose and access information from a variety of sources including relational databases, file systems, content management systems, and traditional web sites. It allows a consumer to query a data source over the HTTP protocol and get results back in formats like Atom, JSON or plain XML. OData can be thought of as JDBC/ODBC for the internet.

The protocol is relatively new and is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP, but it hasn't been publicly explored in terms of security. As more applications, websites, and frameworks support OData, a larger attack surface becomes available to attackers.

Oyedata is a new tool to perform black-box OData security testing and help secure OData deployments. I wrote Oyedata from a penetration testing perspective, and its major features are summarized below:
1. Intuitive GUI-based tool written in C#.
2. Ability to create attack templates from local and remote Service Documents and Service Metadata Documents.
3. Support for XML and JSON data formats.
4. Ability to export attack templates in JSON and XML formats that can be fed to custom fuzzing code.
5. Ability to engage the OData services for manual testing.
6. Data generator for EDMSimpleType test data generation.
7. Ability to generate "Read URIs" for Entities, Entity Properties and Entity Property Values.
8. Ability to generate attack templates for creation of new Entries, updating existing Entries, Service Operation invocation, Entry deletion, etc.
9. Ability to identify Keys, Nullable and Non-Nullable Properties and indicate the same in the attack templates.
10. Web proxy, HTTP and HTTPS support, and error logging.


Image shows Oyedata retrieving an OData Service Metadata document 


Image shows various Create, Read, Delete and Update operations of the “Categories” Feed along with the supported Service Operation nodes

The tool is now available for download from the McAfee website at this URL. Please send in your suggestions and feedback.

8 comments:

Anonymous said...

It is a very good article on this OData security testing. My knowledge of OData is primitive; however, I understand the essence of this tool. Thank you for sharing it. Please update it accordingly with the latest updates on the tool and the working methodology.

Gursev Singh Kalra said...

@Anonymous, thank you. Glad you liked the tool and the methodology.

SanT said...

I have been using Oyedata recently for testing an OData service, but I eventually get errors when I try to send any type of request.

6/17/2015 5:01:52 PM
System.InvalidOperationException: This operation cannot be performed after the request has been submitted.
at System.Net.HttpWebRequest.set_Proxy(IWebProxy value)
at Oyedata.OyeWebCommEngine.createAndFireWebRequest()
at Oyedata.OyeWebCommEngine.GetResponse(Object sender, DoWorkEventArgs e)

Not sure what the problem was.

Gursev Singh Kalra said...

@SanT it appears to be an issue with the web proxy in use. Did you try providing credentials for the same?

Unknown said...

Hi there,

I am excited to use Oyedata in my testing. I've run into an error however: "The XML document did not have any Schema element." I can see however, in the response that is coming back that a schema element is present in the XML. Have you encountered this before?

Thanks!

Gursev Singh Kalra said...

@Unknown thank you for your message. Unfortunately, I no longer have access to Oyedata source code and cannot help. Sorry.

Anonymous said...

Hi Gursev! When was Oyedata version 1.0 released?

Anonymous said...

I am getting the "The XML document did not have any Schema element." error when trying to load the service metadata document by passing the URI. Has anyone got a solution to this?