- Gursev Singh Kalra Principal Consultant McAfee, Foundstone Professional Services

Transcription

1 Attacking OData - Gursev Singh Kalra Principal Consultant McAfee, Foundstone Professional Services

2 Agenda OData Primer Oyedata for OData Assessments OyedataDemonstrations Ofuzz Demonstration Attacking OData Services McAfee, 2012 Gursev Singh Kalra 2

3 ODATA PRIMER McAfee, 2012 Gursev Singh Kalra 3

4 Why OData? * McAfee, 2012 Gursev Singh Kalra 4

5 What is OData? Query and Update Data over the Web. JDBC/ODBC for the Internet Resources identified using Uniform Resource Identifiers (URIs) HTTP based RESTful data services Relies on PUT, POST, DELETE and GET methods Adopted by Microsoft, IBM, SAP etc McAfee, 2012 Gursev Singh Kalra 5

6 O -Overwhelming Open Data Protocol Service Metadata Document Entries and Entity Types EDMDataTypes, CSDL Service Document Service Operations Complex Types Feeds, more McAfee, 2012 Gursev Singh Kalra 6

7 Entity Types, Feeds & Service Doc Service Document Feed A Feed B Feed C EntityType A Entry 1 Entry 2 Entry N Entity Type B Entry 1 Entry 2 Entry N EntityType C Entry 1 Entry 2 Entry N McAfee, 2012 Gursev Singh Kalra 7

8 Building Blocks McAfee, 2012 Gursev Singh Kalra 8

9 Entity Type and Entry Entity Type Entry McAfee, 2012 Gursev Singh Kalra 9

10 Feeds Collection of Typed Entries An OData Service can have one ore more feeds Service Document lists all top-level Feeds McAfee, 2012 Gursev Singh Kalra 10

11 Service Document Service Root URI McAfee, 2012 Gursev Singh Kalra 11

12 Service Metadata Document *DNA*of an OData Service CSDL describes Data Model /$metadata McAfee, 2012 Gursev Singh Kalra 12

13 Service Operations Remotely Invoked Custom Functions Accept Primitive Data Via GET or POST Return primitives, complex types, feeds or a void * McAfee, 2012 Gursev Singh Kalra 13

14 OYEDATAAND OFUZZ * McAfee, 2012 Gursev Singh Kalra 14

15 FuzzingOData (One Entity) Service Metadata Document Fuzzing Template McAfee, 2012 Gursev Singh Kalra 15

16 Few OyedataFeatures McAfee, 2012 Gursev Singh Kalra 16

17 OYEDATADEMONSTRATIONS McAfee, 2012 Gursev Singh Kalra 17

18 OFUZZ DEMONSTRATION * McAfee, 2012 Gursev Singh Kalra 18

19 ATTACKING ODATASERVICES * McAfee, 2012 Gursev Singh Kalra 19

20 OData on Security No Security Specifications Based on HTTP, AtomPub, and JSON Security considerations for several technologies involved * McAfee, 2012 Gursev Singh Kalra 20

21 Enumeration Service Document Service Metadata Document Tools (Oyedata, Linqpad, etc ) HTTP Methods PUT and DELETE McAfee, 2012 Gursev Singh Kalra 21

22 HTTP Verb Tunneling Allows to tunnel HTTP methods with POST Can be abused to execute unauthorized verbs McAfee, 2012 Gursev Singh Kalra 22

23 Navigation Properties pliers(1)/products Can be used as a springboard to other Entry Type s additional data McAfee, 2012 Gursev Singh Kalra 23

24 System Query Options Control the amount and type of data returned by the OData service. $select, $format, $expand, $filter, $orderbyetc Assess like regular web application parameters McAfee, 2012 Gursev Singh Kalra 24

25 Assessing OData Operations Key Enumeration and Entry Access Individual Property Access Write and Update operations (POST& PUT) Delete operations (DELETE) Service Operations McAfee, 2012 Gursev Singh Kalra 25

26 Data Validation and Error Handling Can be performed as per regular WAPT Malformed JSON and XML requests Database Integrity Checks McAfee, 2012 Gursev Singh Kalra 26

27 Additional Considerations Access File Systems, Databases, CMS and others Framework Generates Tons of Dynamic Code SQLi, Remote File Access, XPathInjection and Framework Specific Vulnerabilities McAfee, 2012 Gursev Singh Kalra 27

28 Further Reading and References Official OData website Oyedata A Pentester s Guide to Hacking OData McAfee, 2012 Gursev Singh Kalra 28

29 McAfee, 2012 Gursev Singh Kalra 29

30 THANK YOU! McAfee, 2012 Gursev Singh Kalra 30