Subject: [OASIS Issue Tracker] (ODATA-627) Security: Returning 404 (Not Found) versus 401 (unauthorized) could leak information
Michael Pizzo created ODATA-627:
-----------------------------------

Summary: Security: Returning 404 (Not Found) versus 401 (unauthorized) could leak information
Key: ODATA-627
URL: https://tools.oasis-open.org/issues/browse/ODATA-627
Project: OASIS Open Data Protocol (OData) TC
Issue Type: Task
Components: Securing Open Data
Affects Versions: V4.0_WD01
Environment: [Proposed]
Reporter: Michael Pizzo
Fix For: V4.0_WD01

If an unauthorized attacker can query a particular user and receive a 404 if the user does not exist, there is a potential for information leakage. In general, security checks should always take place before any other processing, and 401 should be a valid response to any request.

--
This message was sent by Atlassian JIRA (v6.1.1#6155)
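The ordering described in the issue, as an added example that is not part of the original message or of any OData implementation: two toy handlers differ only in whether the security check runs before or after parsing and lookup, and a helper collects the status codes a caller without credentials can observe. The `Users` entity set, the token set and all function names are hypothetical, and the data is constructed.

```python
import re

# Constructed sample data for this added example; not part of any OData library.
USERS = {"alice": {"DisplayName": "Alice"}}
VALID_TOKENS = {"token-abc"}
KEY_RE = re.compile(r"^/Users\('([^']+)'\)$")   # hypothetical entity set "Users"


def lookup_first(path, token=None):
    """Weak ordering: parsing and resource lookup run before the security check."""
    m = KEY_RE.match(path)
    if m is None:
        return 400
    if m.group(1) not in USERS:
        return 404          # reached without credentials: reveals non-existence
    if token not in VALID_TOKENS:
        return 401          # reached only for existing users: reveals existence
    return 200


def auth_first(path, token=None):
    """Ordering the issue asks for: security check before any other processing."""
    if token not in VALID_TOKENS:
        return 401          # same answer for every unauthenticated request
    m = KEY_RE.match(path)
    if m is None:
        return 400
    return 200 if m.group(1) in USERS else 404


def unauthenticated_statuses(handler, paths):
    """Distinct status codes a caller without credentials sees across the probes."""
    return {handler(p) for p in paths}


# Constructed probes: an existing key, a missing key, and a malformed path.
PROBES = ["/Users('alice')", "/Users('bob')", "/Users(bad"]

if __name__ == "__main__":
    for h in (lookup_first, auth_first):
        print(h.__name__, sorted(unauthenticated_statuses(h, PROBES)))
```

A check of this shape can sit in a service's regression tests: any handler for which the unauthenticated status set has more than one element is distinguishing requests before it has authenticated them.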