
Pentesting Silverlight Applications

July 6, 2012

These are some of the tools and techniques that helped me pentest a Silverlight application recently:

  • .NET Reflector / Silverlight Spy = Great for decompiling the .xap file the browser downloads to the client. A .xap is just a zip archive containing AppManifest.xaml (which lists the assemblies) and the .dll files themselves, so any .NET decompiler will read the assemblies once they are unpacked. Look for hardcoded credentials, connection strings, service endpoints, or any piece of code that helps you understand how the application works.
  • SoapUI = Again a great tool for playing with web services, and a Silverlight application is very likely to be making interesting web service calls to the server. In my case it wasn't of much help, because the application under test was using Microsoft's binary XML encoding for its SOAP messages (Content-Type: application/soap+msbin1, the WCF binary message encoding), which SoapUI does not currently support.
  • Clientaccesspolicy.xml = If you are pentesting a Silverlight application, you have to look at /clientaccesspolicy.xml at the root of every host the application talks to: it is what the Silverlight runtime fetches before allowing a cross-domain call. A <domain uri="*"/> (or http://*) entry combined with a resource path of "/" and include-subpaths="true" lets any site on the Internet call those services from a visitor's browser. If no clientaccesspolicy.xml exists, Silverlight falls back to the Flash-style crossdomain.xml, so check that too.
  • Isolated Storage = While going through the decompiled .xap, look for uses of IsolatedStorageFile and IsolatedStorageSettings. Anything the application writes there (cached data, tokens, settings) sits unencrypted on the user's disk, on Windows under %USERPROFILE%\AppData\LocalLow\Microsoft\Silverlight\is, so you can read it directly. You might find something interesting there.
  • Burp/Fiddler plugins = For the Microsoft binary encoding above, Burp and Fiddler have some interesting plugins that decode msbin1. With the Fiddler plugin, although I wasn't able to tamper with the SOAP requests/responses, I was able to see what was going on with the web service calls in a very user-friendly format. With Burp, you have to chain two Burp instances to be able to intercept the requests and responses.
  • WSDL = Observe the web services being called by using any proxy tool (Burp, Fiddler, etc.). The endpoints are usually .svc URLs; if metadata publishing is enabled on the server, appending ?wsdl to one (e.g. /Orders.svc?wsdl) returns its WSDL, which may list operations the client UI never exercises, so go through them and discover some interesting stuff.
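To make the first, third and fourth points concrete, here is an added example (it is not from the original post and not a tool the author used) that does the manual triage described above in a script: it opens a .xap as the zip it is, reads the assembly list out of AppManifest.xaml, pulls the printable strings out of each assembly (both the UTF-8 metadata names and the UTF-16LE string literals a .NET assembly carries) and flags credential-looking literals, service URLs and isolated-storage API references; a second function audits a clientaccesspolicy.xml for the wildcard settings discussed above. The .xap, its two "assemblies" (MZ stubs with embedded strings standing in for real DLLs), the example.com hosts and both policy files are constructed inline so the script runs offline; on a real engagement you would pass the bytes of the downloaded .xap and the fetched policy instead.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

DEPLOY_NS = "http://schemas.microsoft.com/client/2007/deployment"   # AppManifest.xaml namespace

# What a reviewer pulls out of unpacked assemblies: credential-looking literals,
# service endpoints, and references to the isolated-storage API.
SECRET_RE = re.compile(r"password|passwd|pwd=|secret|api[_-]?key|connectionstring|token", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ISO_RE = re.compile(r"IsolatedStorage|GetUserStoreFor(?:Application|Site)")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")          # #Strings heap: metadata names, UTF-8
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # #US heap: string literals, UTF-16LE

def extract_strings(blob):
    """Printable ASCII and UTF-16LE runs, the two forms strings take inside a .NET assembly."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    return out + [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]

def triage_xap(xap_bytes):
    """Unpack a .xap (a plain zip), list the assemblies named in AppManifest.xaml
    and classify the strings found in each one."""
    findings = {"assemblies": [], "secrets": [], "endpoints": [], "isolated_storage": []}
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        manifest = ET.fromstring(xap.read("AppManifest.xaml"))
        findings["assemblies"] = [p.get("Source") for p in manifest.iter("{%s}AssemblyPart" % DEPLOY_NS)]
        for name in findings["assemblies"]:
            for s in extract_strings(xap.read(name)):
                if SECRET_RE.search(s):
                    findings["secrets"].append("%s: %s" % (name, s))
                if URL_RE.search(s):
                    findings["endpoints"].append("%s: %s" % (name, s))
                if ISO_RE.search(s):
                    findings["isolated_storage"].append("%s: %s" % (name, s))
    return findings

def audit_clientaccesspolicy(xml_text):
    """Flag clientaccesspolicy.xml settings that expose services to any origin or the whole site."""
    findings = []
    for n, policy in enumerate(ET.fromstring(xml_text).iter("policy"), 1):
        for allow in policy.iter("allow-from"):
            if allow.get("http-request-headers") == "*":
                findings.append("policy %d: arbitrary request headers allowed cross-domain" % n)
            for dom in allow.iter("domain"):
                uri = dom.get("uri", "")
                if uri == "*" or uri.startswith(("http://*", "https://*")):
                    findings.append("policy %d: wildcard origin %r" % (n, uri))
        for res in policy.iter("resource"):
            if res.get("path") == "/" and res.get("include-subpaths", "").lower() == "true":
                findings.append("policy %d: whole site granted (path='/' with include-subpaths)" % n)
    return findings

# ---- Constructed sample inputs; nothing below is taken from a real application. ----

def _fake_assembly(metadata_names, user_strings):
    """Stand-in for a .NET DLL: an MZ stub, UTF-8 metadata names, then UTF-16LE literals."""
    blob = bytearray(b"MZ" + b"\x00" * 62)
    for s in metadata_names:
        blob += s.encode() + b"\x00" * 4
    for s in user_strings:
        blob += s.encode("utf-16-le") + b"\x00" * 6
    return bytes(blob)

SAMPLE_MANIFEST = """<Deployment xmlns="%s" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
  EntryPointAssembly="Demo.App" EntryPointType="Demo.App.Main" RuntimeVersion="4.0.50826.0">
  <Deployment.Parts>
    <AssemblyPart x:Name="Demo.App" Source="Demo.App.dll" />
    <AssemblyPart x:Name="Demo.ServiceClient" Source="Demo.ServiceClient.dll" />
  </Deployment.Parts>
</Deployment>""" % DEPLOY_NS

def build_sample_xap():
    """A two-assembly .xap built in memory so the triage above has input to run on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as xap:
        xap.writestr("AppManifest.xaml", SAMPLE_MANIFEST)
        xap.writestr("Demo.App.dll", _fake_assembly(
            ["System.IO.IsolatedStorage", "IsolatedStorageSettings", "GetUserStoreForApplication", "ApplicationSettings"],
            ["OrderCache", "Data Source=db01;User ID=svc_orders;Password=Sup3rS3cret!"]))
        xap.writestr("Demo.ServiceClient.dll", _fake_assembly(
            ["System.ServiceModel", "BasicHttpBinding", "OrdersClient"],
            ["https://api.example.com/Orders.svc", "application/soap+msbin1"]))
    return buf.getvalue()

OPEN_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

TIGHT_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction"><domain uri="https://app.example.com"/></allow-from>
  <grant-to><resource path="/services/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

if __name__ == "__main__":
    for key, hits in triage_xap(build_sample_xap()).items():
        print(key, hits)
    print("open policy:", audit_clientaccesspolicy(OPEN_POLICY))
    print("tight policy:", audit_clientaccesspolicy(TIGHT_POLICY))
```

The string scan is deliberately a first pass, not a replacement for the decompiler: it tells you which assembly to open in Reflector first (the one holding the connection string or the IsolatedStorage references) and which .svc endpoints to request the WSDL for. The policy audit treats http://* and https://* the same as a bare * because all three let arbitrary origins through.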

From → Security

  1. Desi Sec permalink

    This is very useful stuff, thanks Anshuman!

Trackbacks & Pingbacks

  1. Tools for Testing of Silverlight Applications | SecureNet Blog
