The Open Data Protocol (OData) is an open web protocol for querying and updating data. OData enables the creation of HTTP-based RESTful data services that can be used to publish and edit resources with simple HTTP messages. OData is intended to be used to expose and access information from a variety of sources, including relational databases, file systems, content management systems, and traditional web sites. It allows a consumer to query a data source over the HTTP protocol and get results back in formats like Atom, JSON or plain XML. OData can be termed as JDBC/ODBC for the
The protocol is relatively new and is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP, but it hasn't been publicly explored in terms of security. As more applications, websites, and frameworks support OData, a larger attack surface becomes available to
Oyedata is a new tool to perform black-box OData security testing and help secure OData deployments. I wrote Oyedata from a penetration testing perspective, and its major features are:
1. GUI-based tool written in C#.
2. Ability to create attack templates from local and remote Service Documents and Service
3. Support for XML and JSON data formats.
4. Ability to export attack templates in JSON and XML formats that can be fed to custom
5. Ability to engage the OData services for manual testing.
6. Generator for EDMSimpleType test data generation.
7. Ability to generate "Read URIs" for Entities, Entity Properties and Entity Property
8. Ability to generate attack templates for creation of new Entries, updating existing Entries, Service Operation invocation, Entry deletion etc.
9. Ability to identify Keys, Nullable and Non-Nullable Properties and indicate the same in the attack templates.
10. Proxy, HTTP and HTTPS support, and error logging.
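To make concrete what building attack templates from a Service Metadata Document, generating Read URIs, and flagging keys and nullable properties involves, here is an added Python example; it is not part of this post or of Oyedata. It parses a constructed CSDL $metadata document, records each entity set's key and property metadata, and derives the Read URIs for the entity set, one entry, each property and its raw value; the metadata, the service root and the sample key literals are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal OData v2 CSDL $metadata document (not taken from the page).
SAMPLE_METADATA = """<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx">
 <edmx:DataServices xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <Schema Namespace="Demo" xmlns="http://schemas.microsoft.com/ado/2008/09/edm">
   <EntityType Name="Category">
    <Key><PropertyRef Name="ID"/></Key>
    <Property Name="ID" Type="Edm.Int32" Nullable="false"/>
    <Property Name="Name" Type="Edm.String"/>
   </EntityType>
   <EntityContainer Name="DemoService" m:IsDefaultEntityContainer="true">
    <EntitySet Name="Categories" EntityType="Demo.Category"/>
   </EntityContainer>
  </Schema>
 </edmx:DataServices>
</edmx:Edmx>"""

# Sample key literals per EDM type in OData v2 URI literal syntax (constructed defaults).
KEY_SAMPLES = {"Edm.Int32": "1", "Edm.Int64": "1L", "Edm.String": "'x'",
               "Edm.Guid": "guid'00000000-0000-0000-0000-000000000000'"}

def _named(elem, name):
    """Descendants of elem with local tag `name`; CSDL namespace URIs differ per version."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def parse_metadata(xml_text):
    """Map each EntitySet name to its key names and {property: (EDM type, nullable)}."""
    root = ET.fromstring(xml_text)
    types = {}
    for schema in _named(root, "Schema"):
        for et in _named(schema, "EntityType"):
            keys = [r.get("Name") for r in _named(et, "PropertyRef")]
            props = {p.get("Name"): (p.get("Type"), p.get("Nullable", "true") == "true")
                     for p in _named(et, "Property")}   # Nullable defaults to true in CSDL
            types[f"{schema.get('Namespace')}.{et.get('Name')}"] = {"keys": keys, "properties": props}
    return {es.get("Name"): types[es.get("EntityType")]
            for es in _named(root, "EntitySet") if es.get("EntityType") in types}

def read_uris(service_root, model):
    """Read URIs for each entity set, one entry, each property and its raw $value."""
    uris = []
    for name, info in model.items():
        uris.append(f"{service_root}/{name}")
        parts = [(k, KEY_SAMPLES.get(info["properties"][k][0], "1")) for k in info["keys"]]
        key = parts[0][1] if len(parts) == 1 else ",".join(f"{k}={v}" for k, v in parts)
        entry = f"{service_root}/{name}({key})"
        uris.append(entry)
        for prop in info["properties"]:
            uris += [f"{entry}/{prop}", f"{entry}/{prop}/$value"]
    return uris
```

Running the generated URIs against a service's own metadata gives a defender a quick inventory of which entity sets, properties and raw values the deployment actually exposes, which can then be checked against what was meant to be public.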
[Figure: Oyedata retrieving an OData Service Metadata document]
[Figure: Create, Read, Delete and Update operations of the "Categories" Feed, along with the supported Service Operation nodes]
The tool is now available for download from the McAfee website at this URL. Please send in your suggestions and feedback.