odata message



Subject: [OASIS Issue Tracker] (ODATA-626) Security: services should consider what media types they support


     [ https://tools.oasis-open.org/issues/browse/ODATA-626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Pizzo updated ODATA-626:
--------------------------------

    Description: 
OData supports serving arbitrary media types stored in media entities streams, streamed properties, and binary properties that can be retrieved in their native format using $value.

While this is certainly useful, for example in serving pictures directly from the OData URL, there is a risk that this may be abused by attackers, for example by uploading ‘text/html’ content which contains a Cross-Site-Scripting payload. Once a user views this payload, it can then be used to make arbitrary OData calls and exfiltrate data, possibly crossing an intranet/internet boundary.

In general, anything that returns a content type of the client choice (as text/html, javascript, etc.) may cause typical web application attacks.


  was:
OData supports serving arbitrary media types stored in media entities streams, streamed properties, and binary properties that can be retrieved in their native format using $value.

While this is certainly useful, for example in serving pictures directly from the OData URL, there is a risk that this may be abused by attackers, for example by uploading ‘text/html’ content which contains a Cross-Site-Scripting payload. Once a user views this payload, it can then be used to make arbitrary OData calls and exfiltrate data, possibly crossing an intranet/internet boundary.




       Proposal: Describe the potential for cross-site-scripting attacks when serving arbitrary media types and recommend that services carefully consider the media types they allow, for example by whitelisting expected media types (i.e., restrict to image/* if you are expecting an image). Note that services can report their set of supported types using the Core.AcceptableMediaTypes annotation.  (was: Describe the potential for cross-site-scripting attacks when serving arbitrary media types and recommend that services carefully consider the media types they allow, for example by whitelisting expected media types. Services can report their set of supported types using the Core.AcceptableMediaTypes annotation.)

> Security: services should consider what media types they support
> ----------------------------------------------------------------
>
>                 Key: ODATA-626
>                 URL: https://tools.oasis-open.org/issues/browse/ODATA-626
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Task
>          Components: Securing Open Data
>    Affects Versions: V4.0_WD01
>         Environment: [Proposed]
>            Reporter: Michael Pizzo
>             Fix For: V4.0_WD01
>
>
> OData supports serving arbitrary media types stored in media entities streams, streamed properties, and binary properties that can be retrieved in their native format using $value.
> While this is certainly useful, for example in serving pictures directly from the OData URL, there is a risk that this may be abused by attackers, for example by uploading ‘text/html’ content which contains a Cross-Site-Scripting payload. Once a user views this payload, it can then be used to make arbitrary OData calls and exfiltrate data, possibly crossing an intranet/internet boundary.
> In general, anything that returns a content type of the client choice (as text/html, javascript, etc.) may cause typical web application attacks.



--
This message was sent by Atlassian JIRA
(v6.1.1#6155)
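One way a service could enforce the media-type allow-listing the proposal recommends, as an added example that is not part of the issue, of the OData specification, or of any OData implementation. It assumes a hypothetical upload handler that receives the raw Content-Type header and body of a PUT to .../$value, and that the list it checks against is the same list the service would publish through Core.AcceptableMediaTypes. The active-content deny list, the magic-byte table, the response headers and the sample bodies are the example's own constructed choices.

```python
"""Media-type allow-listing for an OData $value endpoint.

Added example, not code from the OData TC or any OData implementation.
Assumptions (hypothetical): the handler sees the raw Content-Type header
and the body bytes of an upload; allow_list is the service's
Core.AcceptableMediaTypes list. Sample bodies below are constructed.
"""
from typing import Dict, List, Tuple

# Types a browser will execute as a document when fetched directly.
# Refused even when a wildcard such as image/* in the allow-list would
# match (image/svg+xml matches image/* but may carry <script>).
ACTIVE_CONTENT = frozenset({
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript",
    "application/javascript", "application/ecmascript",
})

# Magic-byte prefixes used to confirm the body is what the client declared.
# Only the image types this example cares about.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def parse_media_type(content_type: str) -> Tuple[str, Dict[str, str]]:
    """Split 'Image/PNG; charset=utf-8' into ('image/png', {'charset': 'utf-8'})."""
    parts = [p.strip() for p in content_type.split(";")]
    media_type = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return media_type, params


def media_type_allowed(media_type: str, allow_list: List[str]) -> bool:
    """Match against the allow-list, honouring 'type/*' wildcards but never
    letting a wildcard admit active content."""
    if media_type in ACTIVE_CONTENT or "/" not in media_type:
        return False
    major = media_type.split("/", 1)[0]
    for pattern in allow_list:
        pattern = pattern.lower()
        if pattern == media_type or pattern == f"{major}/*":
            return True
    return False


def body_matches_type(media_type: str, body: bytes) -> bool:
    """Sniff the leading bytes; types without a known signature pass as declared."""
    prefixes = MAGIC.get(media_type)
    if prefixes is None:
        return True
    return any(body.startswith(p) for p in prefixes)


def validate_upload(content_type: str, body: bytes,
                    allow_list: List[str]) -> Tuple[bool, str]:
    """Return (accepted, media_type_or_reason) for a PUT to .../$value."""
    media_type, _ = parse_media_type(content_type)
    if not media_type_allowed(media_type, allow_list):
        return False, f"media type {media_type} not acceptable"
    if not body_matches_type(media_type, body):
        return False, f"body does not look like {media_type}"
    return True, media_type


def value_response_headers(media_type: str) -> Dict[str, str]:
    """Headers for GET .../$value: forbid MIME sniffing and, as defence in
    depth, sandbox the document so script in it cannot run against the service."""
    return {
        "Content-Type": media_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed sample bodies
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8          # truncated PNG, enough to sniff
HTML_PAYLOAD = b"<html><script>alert(document.cookie)</script></html>"

if __name__ == "__main__":
    allow = ["image/png", "image/jpeg", "image/gif"]
    print(validate_upload("image/png", PNG_HEADER, allow))
    print(validate_upload("text/html; charset=utf-8", HTML_PAYLOAD, allow))
    print(validate_upload("image/png", HTML_PAYLOAD, allow))      # declared PNG, really HTML
    print(validate_upload("image/svg+xml", b"<svg/>", ["image/*"]))
    print(value_response_headers("image/png"))
```

The third call is the case the allow-list alone misses: a client declares image/png but uploads HTML, relying on a browser to sniff and render it when it is later fetched via $value. The magic-byte check rejects it at upload time, and X-Content-Type-Options: nosniff on the response stops the browser from second-guessing the declared type for anything that does get stored.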

