[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] (ODATA-628) Security: Service implementors should consider timing-based information leakage attacks
Michael Pizzo created ODATA-628:
-----------------------------------
Summary: Security: Service implementors should consider timing-based information leakage attacks
Key: ODATA-628
URL: https://tools.oasis-open.org/issues/browse/ODATA-628
Project: OASIS Open Data Protocol (OData) TC
Issue Type: Task
Components: Securing Open Data
Affects Versions: V4.0_WD01
Environment: [Proposed]
Reporter: Michael Pizzo
Fix For: V4.0_WD01
If OData is used in a web application scenario, information about existence of OData endpoints may leak using time sidechannels. The attack scenario is as follows: an attacker forces a victim to load an OData resource in his browser (for example using an <img> or <iframe> tag) and times how long the loading takes. It is thus possible for the attack to observe whether an empty/401 response (small) or a 200 response with a certain payload size (“big”) was returned. Combined with the powerful OData syntax ($filter, contains() etc.), iterated requests may be used to leak information.
--
This message was sent by Atlassian JIRA
(v6.1.1#6155)
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]