The Open Data Protocol (OData) is an open web protocol for querying and updating data. It defines HTTP-based RESTful data services through which resources are published and edited with plain HTTP messages. OData is intended to expose information from a variety of sources, including relational databases, file systems, content management systems and traditional web sites, and lets a consumer query a data source over HTTP and receive the results as Atom, JSON or plain XML. OData is often described as the JDBC/ODBC of the web.
The protocol is relatively new and is being adopted by major software vendors such as Microsoft, IBM and SAP, but it has not yet been publicly explored from a security standpoint. As more applications, websites and frameworks support OData, a larger attack surface becomes available to attackers.
Oyedata is a new tool to perform black-box OData security testing and help secure OData deployments. I wrote Oyedata from a penetration testing perspective; its major features are summarized below:
1. Intuitive GUI-based tool written in C#.
2. Ability to create attack templates from local and remote Service Documents and Service Metadata Documents.
3. Support for the XML and JSON data formats.
4. Ability to export attack templates in JSON and XML formats that can be fed to custom fuzzing code.
5. Ability to engage the OData services directly for manual testing.
6. Data generator for EDMSimpleType test data.
7. Ability to generate "Read URIs" for Entities, Entity Properties and Entity Property Values.
8. Ability to generate attack templates for creating new Entries, updating existing Entries, invoking Service Operations, deleting Entries, and so on.
9. Ability to identify Keys, Nullable and Non-Nullable Properties and mark them in the attack templates.
10. Web proxy, HTTP and HTTPS support, and error logging.
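To make features 2, 6, 7, 8 and 9 concrete, here is an added Python example that is not Oyedata's own code (Oyedata is C# and its source is not on this page). It parses a Service Metadata Document, identifies Keys and Nullable/Non-Nullable Properties, produces sample values for the EDMSimpleTypes in both URI-literal and verbose-JSON form, and emits the Read URIs for Entities, Entity Properties and Entity Property Values plus a create-Entry attack template. The metadata document, the entity names, the service root http://svc.example/odata.svc and the sample values are all constructed for the example; OData v2 conventions are assumed throughout.

```python
# Added example (not Oyedata's code). Constructed OData v2 $metadata, not from a real service.
import json
import xml.etree.ElementTree as ET

SAMPLE_METADATA = """<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx">
  <edmx:DataServices xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" m:DataServiceVersion="2.0">
    <Schema Namespace="ShopModel" xmlns="http://schemas.microsoft.com/ado/2008/09/edm">
      <EntityType Name="Category">
        <Key><PropertyRef Name="CategoryID"/></Key>
        <Property Name="CategoryID" Type="Edm.Int32" Nullable="false"/>
        <Property Name="Name" Type="Edm.String" Nullable="false" MaxLength="15"/>
        <Property Name="Description" Type="Edm.String" Nullable="true"/>
      </EntityType>
      <EntityType Name="OrderDetail">
        <Key><PropertyRef Name="OrderID"/><PropertyRef Name="ProductID"/></Key>
        <Property Name="OrderID" Type="Edm.Int32" Nullable="false"/>
        <Property Name="ProductID" Type="Edm.Int32" Nullable="false"/>
        <Property Name="UnitPrice" Type="Edm.Decimal" Nullable="false" Precision="19" Scale="4"/>
        <Property Name="Shipped" Type="Edm.DateTime"/>
      </EntityType>
      <EntityContainer Name="ShopEntities" m:IsDefaultEntityContainer="true">
        <EntitySet Name="Categories" EntityType="ShopModel.Category"/>
        <EntitySet Name="OrderDetails" EntityType="ShopModel.OrderDetail"/>
      </EntityContainer>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>"""

# OData v2 URI literals: Int64 takes an L suffix, Decimal M, Double d, Single f; quoted types carry a prefix.
URI_LITERALS = {
    'Edm.Boolean': 'true', 'Edm.Byte': '1', 'Edm.SByte': '1', 'Edm.Int16': '1', 'Edm.Int32': '1',
    'Edm.Int64': '1L', 'Edm.Single': '1.5f', 'Edm.Double': '1.5d', 'Edm.Decimal': '1.5M',
    'Edm.String': "'test'", 'Edm.Binary': "X'FF'", 'Edm.Time': "time'PT12H00M'",
    'Edm.Guid': "guid'12345678-1234-1234-1234-123456789abc'",
    'Edm.DateTime': "datetime'2012-01-01T00:00:00'",
}
# Verbose JSON (v2) bodies carry Int64/Decimal as strings and DateTime as a /Date(ms)/ token.
JSON_SAMPLES = {'Edm.Boolean': True, 'Edm.Int64': '1', 'Edm.Decimal': '1.5', 'Edm.Single': 1.5,
                'Edm.Double': 1.5, 'Edm.DateTime': '/Date(1325376000000)/'}

def uri_literal(edm_type):
    return URI_LITERALS.get(edm_type, "'test'")

def json_sample(edm_type):
    return 1 if edm_type in ('Edm.Byte', 'Edm.SByte', 'Edm.Int16', 'Edm.Int32') else JSON_SAMPLES.get(edm_type, 'test')

def local(tag):
    # The CSDL namespace URI changes between OData versions, so match on local names only.
    return tag.rsplit('}', 1)[-1]

def parse_metadata(xml_text):
    """Map each EntitySet to its key names and properties; Nullable defaults to true when absent."""
    root = ET.fromstring(xml_text)
    types = {}
    for et in (e for e in root.iter() if local(e.tag) == 'EntityType'):
        keys = [ref.get('Name') for key in et if local(key.tag) == 'Key'
                for ref in key if local(ref.tag) == 'PropertyRef']
        props = [{'name': p.get('Name'), 'type': p.get('Type'),
                  'nullable': p.get('Nullable', 'true').lower() == 'true'}
                 for p in et if local(p.tag) == 'Property']
        types[et.get('Name')] = {'keys': keys, 'properties': props}
    # Simplification: entity types are resolved by short name, ignoring the Schema Namespace.
    return {es.get('Name'): types[es.get('EntityType').rsplit('.', 1)[-1]]
            for es in root.iter() if local(es.tag) == 'EntitySet'}

def key_predicate(entity):
    # Single key -> Categories(1); composite key -> OrderDetails(OrderID=1,ProductID=1)
    type_of = {p['name']: p['type'] for p in entity['properties']}
    if len(entity['keys']) == 1:
        return uri_literal(type_of[entity['keys'][0]])
    return ','.join(f"{k}={uri_literal(type_of[k])}" for k in entity['keys'])

def read_uris(service_root, sets):
    """Feed, entry, property and raw $value Read URIs for every entity set."""
    uris = []
    for name, entity in sets.items():
        entry = f"{service_root}/{name}({key_predicate(entity)})"
        uris += [f"{service_root}/{name}", entry]
        for prop in entity['properties']:
            uris += [f"{entry}/{prop['name']}", f"{entry}/{prop['name']}/$value"]
    return uris

def create_template(service_root, set_name, entity):
    """POST template for a new Entry; keys, required (non-nullable) and optional
    (nullable) properties are listed so a fuzzer knows which fields it may drop."""
    props, keys = entity['properties'], entity['keys']
    return {
        'method': 'POST', 'uri': f"{service_root}/{set_name}",
        'headers': {'Content-Type': 'application/json', 'DataServiceVersion': '2.0'},
        'keys': keys,
        'required': [p['name'] for p in props if not p['nullable'] and p['name'] not in keys],
        'optional': [p['name'] for p in props if p['nullable']],
        'body': {p['name']: json_sample(p['type']) for p in props},
    }

if __name__ == '__main__':
    root_uri = 'http://svc.example/odata.svc'  # hypothetical service root
    sets = parse_metadata(SAMPLE_METADATA)
    print('\n'.join(read_uris(root_uri, sets)))
    print(json.dumps(create_template(root_uri, 'Categories', sets['Categories']), indent=2))
```

Two details matter when doing this against a real service. The CSDL namespace URI differs between OData versions, so matching on local element names rather than a fixed namespace keeps the parser working across deployments. And Nullable defaults to true when the attribute is omitted, so a property with no Nullable attribute goes into the optional list; the required list is where dropping fields from a create request probes the service's server-side validation.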
Image: Oyedata retrieving an OData Service Metadata document.
Image: Create, Read, Update and Delete operations for the "Categories" Feed, along with the supported Service Operation nodes.
The tool is now available for download from the McAfee website at this URL. Please send in your suggestions and feedback.