Uploaded image for project: 'OASIS Open Data Protocol (OData) TC'
  1. OASIS Open Data Protocol (OData) TC
  2. ODATA-628

Security: Service implementors should consider timing-based information leakage attacks

    XMLWordPrintable

    Details

    • Type: Task
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: V4.0_WD01
    • Fix Version/s: CN01
    • Component/s: Securing OData
    • Labels:
      None
    • Environment:

      [Proposed]

    • Proposal:
      Hide

      Describe this possible vulnerability from "automated requests". This attack is mitigated by the attacker having to know (or guess) the presence, address, and schema of the internal service.

      Show
      Describe this possible vulnerability from "automated requests". This attack is mitigated by the attacker having to know (or guess) the presence, address, and schema of the internal service.

      Description

      If OData is used in a web application scenario, information about existence of OData endpoints may leak using time sidechannels. The attack scenario is as follows: an attacker forces a victim to load an OData resource in his browser (for example using an <img> or <iframe> tag) and times how long the loading takes. It is thus possible for the attack to observe whether an empty/401 response (small) or a 200 response with a certain payload size (“big”) was returned. Combined with the powerful OData syntax ($filter, contains() etc.), iterated requests may be used to leak information.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              mikep Michael Pizzo (Inactive)
            • Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: