[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] (ODATA-628) Security: Service implementors should consider timing-based information leakage attacks
Michael Pizzo created ODATA-628: ----------------------------------- Summary: Security: Service implementors should consider timing-based information leakage attacks Key: ODATA-628 URL: https://tools.oasis-open.org/issues/browse/ODATA-628 Project: OASIS Open Data Protocol (OData) TC Issue Type: Task Components: Securing Open Data Affects Versions: V4.0_WD01 Environment: [Proposed] Reporter: Michael Pizzo Fix For: V4.0_WD01 If OData is used in a web application scenario, information about existence of OData endpoints may leak using time sidechannels. The attack scenario is as follows: an attacker forces a victim to load an OData resource in his browser (for example using an <img> or <iframe> tag) and times how long the loading takes. It is thus possible for the attack to observe whether an empty/401 response (small) or a 200 response with a certain payload size (“big”) was returned. Combined with the powerful OData syntax ($filter, contains() etc.), iterated requests may be used to leak information. -- This message was sent by Atlassian JIRA (v6.1.1#6155)
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]