OASIS Open Data Protocol (OData) TC: ODATA-627

Security: Returning 404 (Not Found) versus 401 (unauthorized) could leak information


    Details

    • Type: Task
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: V4.0_WD01
    • Fix Version/s: CN01
    • Component/s: Securing OData
    • Labels: None
    • Environment: [Proposed]

    • Proposal:

      Clarify that the 401 unauthorized response is valid on any request, and that authorization should be checked before any further processing of any request, including 404 not found.

      Description

      If an unauthorized attacker can query a particular user and receive a 404 when that user does not exist, the status code alone reveals which users exist: there is a potential for information leakage.

      In general, security checks should always take place before any other processing, and 401 should be a valid response to any request.
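      As an added illustration (not part of this issue and not OData TC or any implementation's code), the following Python sketch of a "get user" handler puts the ordering the description warns about beside the ordering the proposal calls for. The user store, the bearer tokens, and the function and field names are constructed for the example; the only point it demonstrates is that checking authorization before the existence lookup makes the unauthenticated response the same for existing and missing users.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: a tiny "Users" entity set and one accepted token.
USERS = {"alice": {"Name": "Alice"}, "bob": {"Name": "Bob"}}
VALID_TOKENS = {"token-for-alice"}  # hypothetical credentials, constructed


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def is_authorized(token: Optional[str]) -> bool:
    """Hypothetical credential check standing in for the service's real one."""
    return token in VALID_TOKENS


def get_user_leaky(token: Optional[str], user_id: str) -> Response:
    """Existence is checked before authorization.

    An unauthenticated caller gets 404 for unknown users but 401 for
    known ones, so the status code reveals which user ids exist.
    """
    if user_id not in USERS:
        return Response(404)
    if not is_authorized(token):
        return Response(401)
    return Response(200, USERS[user_id])


def get_user_hardened(token: Optional[str], user_id: str) -> Response:
    """Authorization is checked first, as ODATA-627 proposes.

    Every unauthenticated request gets 401, whether or not the user
    exists; 404 is only ever returned to an authorized caller.
    """
    if not is_authorized(token):
        return Response(401)
    if user_id not in USERS:
        return Response(404)
    return Response(200, USERS[user_id])


def leaks_existence(handler, existing: str = "alice", missing: str = "nobody") -> bool:
    """Simple self-check a service owner can run against a handler:
    True if an unauthenticated caller can tell an existing user from a
    missing one by status code alone."""
    status_existing = handler(None, existing).status
    status_missing = handler(None, missing).status
    return status_existing != status_missing


if __name__ == "__main__":
    print("leaky handler leaks existence:", leaks_existence(get_user_leaky))
    print("hardened handler leaks existence:", leaks_existence(get_user_hardened))
```

      The `leaks_existence` probe is the kind of check worth keeping in a service's test suite: it fails as soon as any endpoint's existence lookup is moved ahead of its authorization check again.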

    People

    • Assignee: Unassigned
    • Reporter: mikep Michael Pizzo
