OData is a new data access protocol that is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP, but it hasn't been publicly explored in terms of security. OData aims to provide a consistent access mechanism for data from a variety of sources including, but not limited to, relational databases, file systems, content management systems, and traditional web sites.
Meeting Gursev just before the Arsenal show, where he demonstrates a pentesting tool for the OData protocol. Gursev is a nice, gifted pentester and hacker. OData assessment is very uncommon, and there is no tool out there except the one (Oyedata) crafted by Gursev as an effort to share and to help.
Oyedata Tool features include:
- Intuitive GUI-based tool written in C#.
- Ability to create attack templates from local and remote Service Documents and Service Metadata Documents.
- Ability to generate attack templates for creation of new Entries, updating existing Entries, Service Operation invocation, Entry deletion, etc.
- Ability to export attack templates in JSON and XML formats that can be fed to custom Fuzzers.
- Support for XML and JSON data formats.
- Ability to engage the OData services for manual testing.
- Data generator for EDMSimpleType test data generation.
- Ability to generate “Read URIs” for Entities, Entity Properties and Entity Property Values.
- Ability to identify Keys, Nullable and Non-Nullable Properties and indicate the same in the attack templates.
- Web proxy, HTTP and HTTPS support.
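
The key, nullability and "Read URI" features in the list above come down to reading the Service Metadata Document. The following Python example is added here for illustration and is not Oyedata's code (which is C#); the metadata sample, the service root and the `{Key}` placeholder notation are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample Service Metadata Document; no real service is described.
METADATA = """<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx">
 <edmx:DataServices>
  <Schema Namespace="Demo" xmlns="http://schemas.microsoft.com/ado/2008/09/edm">
   <EntityContainer Name="DemoService">
    <EntitySet Name="Products" EntityType="Demo.Product"/>
    <EntitySet Name="OrderLines" EntityType="Demo.OrderLine"/>
   </EntityContainer>
   <EntityType Name="Product">
    <Key><PropertyRef Name="ID"/></Key>
    <Property Name="ID" Type="Edm.Int32" Nullable="false"/>
    <Property Name="Name" Type="Edm.String"/>
   </EntityType>
   <EntityType Name="OrderLine">
    <Key><PropertyRef Name="OrderID"/><PropertyRef Name="LineNo"/></Key>
    <Property Name="OrderID" Type="Edm.Int32" Nullable="false"/>
    <Property Name="LineNo" Type="Edm.Int32" Nullable="false"/>
   </EntityType>
  </Schema>
 </edmx:DataServices>
</edmx:Edmx>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the namespace, which differs per OData version

def describe(metadata_xml):
    """Map each EntitySet to its key names and {property: (type, nullable)}."""
    # ElementTree is fine for this inline sample; use defusedxml for untrusted documents.
    root, types, sets = ET.fromstring(metadata_xml), {}, {}
    for schema in (e for e in root.iter() if local(e) == "Schema"):
        for el in schema:
            if local(el) == "EntityType":
                keys = [r.get("Name") for r in el.iter() if local(r) == "PropertyRef"]
                props = {p.get("Name"): (p.get("Type"), p.get("Nullable", "true") == "true")
                         for p in el if local(p) == "Property"}  # Nullable defaults to true
                types[schema.get("Namespace") + "." + el.get("Name")] = {"keys": keys, "properties": props}
            elif local(el) == "EntityContainer":
                sets.update({s.get("Name"): s.get("EntityType") for s in el if local(s) == "EntitySet"})
    return {name: types[t] for name, t in sets.items() if t in types}

def read_uris(service_root, set_name, info):
    """URI templates for the set, one entity, each property and its raw $value."""
    keys = info["keys"]
    pred = "{%s}" % keys[0] if len(keys) == 1 else ",".join("%s={%s}" % (k, k) for k in keys)
    base = "%s/%s" % (service_root.rstrip("/"), set_name)
    entity = "%s(%s)" % (base, pred)
    return [base, entity] + [entity + "/" + p + s for p in info["properties"] for s in ("", "/$value")]
```

Calling `describe(METADATA)` and passing each result to `read_uris` with a service root gives the inventory of addressable resources that an assessment, or an access-control review by the service owner, would start from.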