Subject: [OASIS Issue Tracker] (ODATA-626) Security: services should consider what media types they support


Michael Pizzo created ODATA-626:
-----------------------------------

             Summary: Security: services should consider what media types they support
                 Key: ODATA-626
                 URL: https://tools.oasis-open.org/issues/browse/ODATA-626
             Project: OASIS Open Data Protocol (OData) TC
          Issue Type: Task
          Components: Securing Open Data
    Affects Versions: V4.0_WD01
         Environment: [Proposed]
            Reporter: Michael Pizzo
             Fix For: V4.0_WD01


OData supports serving arbitrary media types stored in media entity streams, streamed properties, and binary properties that can be retrieved in their native format using $value.

While this is certainly useful, for example in serving pictures directly from the OData URL, there is a risk that this may be abused by attackers, for example by uploading 'text/html' content which contains a Cross-Site Scripting payload. Once a user views this payload, it can then be used to make arbitrary OData calls and exfiltrate data, possibly crossing an intranet/internet boundary.
--
This message was sent by Atlassian JIRA
(v6.1.1#6155)
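One way a service can act on the concern raised in this issue is to decide, at upload time and again at $value read time, which media types it is willing to render inline in its own origin. The example below is added here as an illustration; it is not code from the OData TC, the issue reporter, or any OData product. The allowlist, the magic-byte table, and the function names are assumptions chosen for the example.

```python
"""
Defensive handling of stored media served through OData $value.

Policy demonstrated (constructed for this example):
  * At upload, only media types the service can verify from the payload's
    leading bytes are stored under their declared type; anything else is
    stored as opaque binary.
  * At read time, only allowlisted types are served inline; everything else
    (including text/html) is served as an attachment with a neutral type,
    so a browser never renders attacker-supplied markup in the service origin.
  * Every response carries nosniff so the browser does not guess a type.
"""
from __future__ import annotations

# Types the service is willing to render inline. Constructed allowlist.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif"}

# Leading-byte signatures used to confirm a declared type matches the bytes.
_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


class MediaTypeRejected(ValueError):
    """Raised when a declared media type contradicts the uploaded bytes."""


def normalize_media_type(content_type: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html' (lowercase, no parameters)."""
    return content_type.split(";", 1)[0].strip().lower()


def classify_upload(content_type: str, payload: bytes) -> str:
    """
    Return the media type to *store* for an uploaded media entity stream.

    A declared type that is on the allowlist must match its signature,
    otherwise the upload is rejected (a mismatch is a sign of tampering).
    Any other declared type is downgraded to opaque binary rather than
    trusted, so a later $value read never serves it as active content.
    """
    mt = normalize_media_type(content_type)
    sigs = _SIGNATURES.get(mt)
    if sigs is None:
        return "application/octet-stream"
    if not any(payload.startswith(s) for s in sigs):
        raise MediaTypeRejected(f"payload does not look like {mt}")
    return mt


def response_headers_for_value(stored_media_type: str, filename: str = "download") -> dict[str, str]:
    """
    Headers for GET .../$value given the media type recorded at upload.

    Allowlisted types are served inline with their real type; everything
    else becomes an opaque attachment. A restrictive CSP is sent on every
    response as defence in depth should a browser render the body anyway.
    """
    mt = normalize_media_type(stored_media_type)
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if mt in INLINE_SAFE:
        headers["Content-Type"] = mt
        headers["Content-Disposition"] = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        # Keep the filename to a conservative character set for the header.
        safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header and an HTML payload.
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    html_bytes = b"<html><script>/* stored XSS attempt */</script></html>"
    print(classify_upload("image/png", png_bytes))                  # image/png
    print(classify_upload("text/html; charset=utf-8", html_bytes))  # application/octet-stream
    print(response_headers_for_value("text/html", "page.html"))
```

The important property is that the read path never trusts the declared type on its own: an HTML payload uploaded as a media entity comes back as an opaque download, and an image is only served as an image if its bytes agreed with the declared type at upload.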
