

Subject: [OASIS Issue Tracker] (ODATA-627) Security: Returning 404 (Not Found) versus 401 (unauthorized) could leak information


Michael Pizzo created ODATA-627:
-----------------------------------

             Summary: Security: Returning 404 (Not Found) versus 401 (unauthorized) could leak information
                 Key: ODATA-627
                 URL: https://tools.oasis-open.org/issues/browse/ODATA-627
             Project: OASIS Open Data Protocol (OData) TC
          Issue Type: Task
          Components: Securing Open Data
    Affects Versions: V4.0_WD01
         Environment: [Proposed]
            Reporter: Michael Pizzo
             Fix For: V4.0_WD01


If an unauthorized attacker can query a particular user and receive a 404 if the user does not exist, there is a potential for information leakage. 

In general, security checks should always take place before any other processing, and 401 should be a valid response to any request.
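As an added illustration of the ordering problem described above (example code written for this note, not part of the issue or of any OData TC specification or implementation), the handler below processes a request for a single entity in two ways: the leaky version looks the entity up before authenticating, so an unauthenticated request learns whether the key exists from the 404/401 difference; the safe version authenticates first and answers 401 uniformly. The entity set name, sample keys and bearer tokens are constructed for the example.

```python
"""Added example: order of authentication versus existence checks.

`handle_leaky` resolves the entity key before checking credentials, so an
unauthenticated caller receives 404 for a missing key and 401 for an
existing one, which leaks existence.  `handle_safe` performs the security
check first and returns 401 for every unauthenticated request, regardless
of whether the key exists.  All data below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: an entity set keyed by user name and one valid
# bearer token.  Nothing here refers to a real service.
USERS = {"alice": {"Name": "Alice"}, "bob": {"Name": "Bob"}}
VALID_TOKENS = {"tok-alice-1": "alice"}

# Matches an OData-style single-entity path such as /Users('alice')
_KEY_RE = re.compile(r"^/Users\('([^']*)'\)$")


@dataclass
class Request:
    path: str
    authorization: Optional[str] = None  # e.g. "Bearer tok-alice-1"


def parse_key(path: str) -> Optional[str]:
    """Return the entity key from /Users('key'), or None if the path is malformed."""
    m = _KEY_RE.match(path)
    return m.group(1) if m else None


def authenticate(req: Request) -> Optional[str]:
    """Return the principal for a valid bearer token, or None if unauthenticated."""
    auth = req.authorization or ""
    if not auth.startswith("Bearer "):
        return None
    return VALID_TOKENS.get(auth[len("Bearer "):])


def handle_leaky(req: Request) -> int:
    """Existence check before authentication: 404 reveals that the key is absent."""
    key = parse_key(req.path)
    if key is None or key not in USERS:
        return 404
    if authenticate(req) is None:
        return 401
    return 200


def handle_safe(req: Request) -> int:
    """Authentication first: every unauthenticated request gets 401."""
    if authenticate(req) is None:
        return 401
    key = parse_key(req.path)
    if key is None or key not in USERS:
        return 404
    return 200


def unauthenticated_distinguishes_existence(handler: Callable[[Request], int]) -> bool:
    """True if an unauthenticated caller sees different status codes for an
    existing key and a missing key, i.e. the handler leaks existence."""
    existing = handler(Request("/Users('alice')"))
    missing = handler(Request("/Users('no-such-user')"))
    return existing != missing


if __name__ == "__main__":
    for name, handler in (("leaky", handle_leaky), ("safe", handle_safe)):
        print(name, "leaks existence:", unauthenticated_distinguishes_existence(handler))
```

The same ordering rule applies to any other pre-authentication decision the server might make from the request (malformed keys, unsupported query options, and so on); each of them becomes an oracle if it is evaluated before the security check. Note that a uniform status code alone does not remove timing differences between the two code paths, which is a separate concern this issue does not address.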




--
This message was sent by Atlassian JIRA
(v6.1.1#6155)