What would be the process in pentesting a Silverlight application? What would be the best method to proceed in a manual test? Any specific tools use? For example an application with lot of file upload, user input fields and database connectivity (with and without ORM).
- Has this answered your question? – Bernie White Nov 28 '11 at 20:15
- Yes, I found it very useful. – Epoch Win Dec 19 '11 at 13:52
- Great. Do you mind closing the question then? – Bernie White Dec 19 '11 at 19:49
1 Answer
If you are code reviewing then I would recommend that you use Microsoft Visual Studio Unit Tests (see http://silverlight.codeplex.com/ and http://weblogs.asp.net/scottgu/archive/2008/04/02/unit-testing-with-silverlight.aspx) or NAnt to test the code. It would be the most effective way to do these types of tests.
If you don't have access to the source code and need to do external/blind tests then you should cover the following, above and beyond normal web application testing.
Coverage
In Silverlight there are typically 3 areas that need to be tested over and above a normal web application:
- Deep linking
- Isolated Storage
- Back-end services
Deep Linking
Test for flaws in flow particularly authorization and data input.
Allows direct access to a page within Silverlight and could allow bypassing security such as authorization if authorization checks are only done at specific points.
For example: an application only checks authorisation on or just after the login screen, but the application is deep linked to allow direct access to data read/write.
Isolated Storage
Same as any data storage tests; however, the special note is that it is client-side storage.
Questions such as:
- What can be stored in isolated storage?
- What can be overridden in isolated storage? For example, has the application stored files that can be overridden by the user?
- How is that presented back to the user?
Backend Services
In web application use cases Silverlight will commonly form the top tier / front-end and a backend web service will be responsible for some sort of data handling / storage.
Because Silverlight is a client-side technology, web services, if they exist, are exposed to the client too, which is different from the usual server-side web application, which may not need to expose these at all.
Web services should be aggressively tested using automated and manual tools. The normal tests of content type, size constraints, and performance are important. Some fuzzing would also be good. This all falls back to generic web services testing and is not Silverlight specific.
Tools
First Floor's Silverlight Spy can aid in investigating the isolated storage issues: http://firstfloorsoftware.com/silverlightspy/download-silverlight-spy/
It is also sometimes helpful to review the xbap code of the app using ILSpy or .NET Reflector: http://wiki.sharpdevelop.net/ILSpy.ashx
Try these for web services:
Are there any tools for automated penetration testing of Silverlight applications?
https://www.owasp.org/index.php/Fuzzing
Hope this helps.
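As an added illustration of the deep-linking and back-end service points made in the answer above (this is example code, not code from the answer or from Silverlight itself), the following C# models the server side that a Silverlight client calls. The vulnerable service relies on the client having passed through the login screen, so a call that deep links straight to a data page, or bypasses the Silverlight client entirely, reaches the write operation unchecked. The hardened service demands an authenticated principal in the required role and applies a size constraint on every operation. The service names, roles, the size limit and the use of `Thread.CurrentPrincipal` to carry the caller's identity are assumptions for the demo; in a real WCF or ASP.NET host the principal would be populated by the host's authentication.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

// Constructed example. IDataService, VulnerableDataService and
// HardenedDataService are hypothetical names standing in for the
// back-end service a Silverlight front-end would call.
public interface IDataService
{
    string ReadRecord(int id);
    void WriteRecord(int id, string value);
}

// Vulnerable pattern: the only authorization check lives in the login
// screen flow, so a deep-linked page (or a direct service call) reaches
// these operations without any check at all.
public class VulnerableDataService : IDataService
{
    private readonly Dictionary<int, string> _store = new Dictionary<int, string>();

    public string ReadRecord(int id)
    {
        return _store.TryGetValue(id, out var value) ? value : null;
    }

    public void WriteRecord(int id, string value)
    {
        _store[id] = value; // no authorization, no size constraint
    }
}

// Hardened pattern: every operation demands an authenticated caller in the
// required role and validates its input, so the check holds regardless of
// which client page (or which client) issued the call.
public class HardenedDataService : IDataService
{
    private const int MaxValueLength = 4096; // assumed size limit for a record
    private readonly Dictionary<int, string> _store = new Dictionary<int, string>();

    public string ReadRecord(int id)
    {
        Demand("User");
        return _store.TryGetValue(id, out var value) ? value : null;
    }

    public void WriteRecord(int id, string value)
    {
        Demand("Editor");
        if (value == null || value.Length > MaxValueLength)
            throw new ArgumentException("value missing or exceeds size limit");
        _store[id] = value;
    }

    // Assumption for the demo: the caller's principal is read from
    // Thread.CurrentPrincipal, which Demo below sets explicitly. A real host
    // would populate it from its own authentication mechanism.
    private static void Demand(string role)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || caller.Identity == null
            || !caller.Identity.IsAuthenticated || !caller.IsInRole(role))
        {
            throw new UnauthorizedAccessException("operation requires role " + role);
        }
    }
}

public static class Demo
{
    // Issues one deep-linked write with no login having ever happened
    // (an anonymous, unauthenticated principal) and reports whether the
    // service accepted it.
    public static bool TryDeepLinkedWrite(IDataService service)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        try
        {
            service.WriteRecord(1, "tampered");
            return true;
        }
        catch (UnauthorizedAccessException)
        {
            return false;
        }
    }

    public static void Main()
    {
        Console.WriteLine("vulnerable accepts deep-linked write: " + TryDeepLinkedWrite(new VulnerableDataService()));
        Console.WriteLine("hardened accepts deep-linked write:   " + TryDeepLinkedWrite(new HardenedDataService()));

        // A properly authenticated Editor is still allowed through.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "User", "Editor" });
        var hardened = new HardenedDataService();
        hardened.WriteRecord(1, "legitimate");
        Console.WriteLine("editor reads back: " + hardened.ReadRecord(1));
    }
}
```

The point of the pairing is the placement of the check: the hardened version does not care whether the client navigated through the login page, because the role demand and the size constraint are evaluated inside each operation on the server, which is the only place a client-side technology such as Silverlight cannot bypass.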