OData is a new data access protocol that is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP, but it hasn’t been publicly explored in terms of security. This presentation dissects the OData protocol and explores the potential areas of weakness. I’ll give an attack and penetration testing perspective of OData and release a new Ruby-based tool that can be used to create OData fuzzing templates.
This talk assumes no prior OData knowledge and makes the OData penetration testing concepts easy to understand. The approach is to start with a single read URI, just like a black-box penetration test, and build on concepts from there. OData attack and penetration testing aspects will be discussed along with OData concepts and potentially unique OData vulnerabilities that may come into play with OData implementations. A new Ruby-based tool to generate OData fuzzing templates will also be released. Additionally, the OData assessment tool Oyedata will be demonstrated.