Abstract
OData is a new data access protocol that is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP, but it hasn’t been publicly explored in terms of security. OData aims to provide a consistent mechanism for data access from a variety of sources including, but not limited to, relational databases, file systems, content management systems, and traditional web sites. I will be presenting and releasing a new tool that can be used to assess OData implementations. Tool features include:
- Intuitive GUI-based tool written in C#.
- Ability to create attack templates from local and remote Service Documents and Service Metadata Documents.
- Ability to generate attack templates for creation of new Entries, updating existing Entries, Service Operation invocation, Entry deletion, etc.
- Ability to export attack templates in JSON and XML formats that can be fed to custom fuzzers.
- Support for XML and JSON data formats.
- Ability to engage the OData services for manual testing.
- Data generator for EDMSimpleType test data generation.
- Ability to generate “Read URIs” for Entities, Entity Properties and Entity Property Values.
- Ability to identify Keys, Nullable and Non-Nullable Properties and indicate the same in the attack templates.
- Web proxy, HTTP and HTTPS support.