Tuesday, June 12, 2012

Oyedata for OData Security Assessments

The Open Data Protocol (OData) is an open web protocol for querying and updating data. OData enables the creation of HTTP based RESTful  data services that can be used to publish and edit resources with simple HTTP messages.  OData is intended to be used to expose and access information from a variety of sources including relational databases, file systems, content management systems, and traditional web sites. It allows a consumer to query a data source over HTTP protocol and get results back in formats like Atom, JSON or plain XML. OData can be termed as JDBC/ODBC for the internet.

The protocol is relatively new and is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP but hasn’t been publically explored in terms of security. As more applications, websites, and frameworks support OData, a larger attack surface becomes available to attackers.

Oyedata is a new tool to perform black-box OData security testing and help secure OData deployments. I wrote Oyedata from a penetration testing perspective and its the major features are summarized below:
1.     Intuitive GUI based tool written in C#.
2.     Ability to create attack templates from local and remote Service Documents and Service Metadata Documents.
3.     Support for XML and JSON data formats.
4.     Ability to export attack templates in JSON and XML formats that can be fed to custom Fuzzing code.
5.     Ability to engage the OData services for manual testing.
6.     Data generator for EDMSimpleType test data generation.
7.     Ability to generate “Read URIs” for Entities, Entity Properties and Entity Property Values.
8.     Ability to generate attack templates for Creation of new Entries, updating existing Entries, Service Operation invocation, Entry deletion etc…
9.     Ability to identify Keys, Nullable and Non-Nullable Properties and indicate the same in the attack templates.
10.  Web proxy, HTTP and HTTPS support and Error logging.

Image shows Oyedata retrieving an OData Service Metadata document 

Image shows various Create, Read, Delete and Update operations of the “Categories” Feed along with the supported Service Operation nodes

The tool is now available for download from McAfee website from this URL. Please send in your suggestions and feedback.