Description

OData injection allows an attacker to manipulate the query parameters of an OData API (such as $filter, $orderby, etc.) to access, modify, or exfiltrate unauthorized data by exploiting insufficient validation or filtering.

Impact

- Exposure of sensitive data (users, emails, hashed passwords, etc.) - Bypass of access controls - Modification of data (in extreme cases) - Execution of unintended logic in the backend

Recommendation

- Validate and sanitize all OData parameters. - Restrict the allowed OData operators. - Use libraries that correctly implement OData parsing. - Enforce access control on the backend, without relying solely on client-side filters.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⏱️ 360 minutes.

Requirements

Fixes