Subject: [OASIS Issue Tracker] (ODATA-626) Security: services should consider what media types they support
Michael Pizzo created ODATA-626:
-----------------------------------

Summary: Security: services should consider what media types they support
Key: ODATA-626
URL: https://tools.oasis-open.org/issues/browse/ODATA-626
Project: OASIS Open Data Protocol (OData) TC
Issue Type: Task
Components: Securing Open Data
Affects Versions: V4.0_WD01
Environment: [Proposed]
Reporter: Michael Pizzo
Fix For: V4.0_WD01

OData supports serving arbitrary media types stored in media entities streams, streamed properties, and binary properties that can be retrieved in their native format using $value. While this is certainly useful, for example in serving pictures directly from the OData URL, there is a risk that this may be abused by attackers, for example by uploading 'text/html' content which contains a Cross-Site-Scripting payload. Once a user views this payload, it can then be used to make arbitrary OData calls and exfiltrate data, possibly crossing an intranet/internet boundary.

--
This message was sent by Atlassian JIRA
(v6.1.1#6155)