Inaccurate Design

SANS GWAPT Day 3: Client Side Discovery

Wednesday, 15 May 2013

AJAX

  • Can attack communications between client-side apps and the server

    • communications in both directions
    • Generally use Burp for this
    • bypasses any client-side validation
  • Can fuzz communications on some fields to see if we can break the app (client or server)

  • Can attempt to inject code into these fields and see if it’s reflected in the app

    • i.e. inject JavaScript into the JSON data
  • Apps might send more data than is needed, which is then filtered by the client app

  • RatProxy is a passive scanner
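The AJAX bullets above come down to one point for the server side: once the traffic passes through Burp, the client-side validation is gone, so every field has to be re-checked on the server and anything reflected back into the page has to be encoded. The following is an added example (not from the course or from the author of these notes) of that server-side check in Python; the field names, the quantity limit and the username regular expression are assumptions made for the demonstration.

```python
import html
import json
import re

# Constructed schema for the demonstration (assumption): the only fields the
# endpoint accepts and the Python type each must have. Unknown fields are rejected.
ALLOWED_FIELDS = {"username": str, "quantity": int, "note": str}
MAX_QUANTITY = 100
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_order(raw_body: str) -> dict:
    """Re-checks an AJAX request body on the server, regardless of what the
    client-side JavaScript already validated. Returns ok, a list of errors and
    the HTML-encoded values that are safe to reflect back into the page."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return {"ok": False, "errors": ["body is not valid JSON: " + exc.msg], "safe": {}}
    if not isinstance(payload, dict):
        return {"ok": False, "errors": ["body must be a JSON object"], "safe": {}}

    errors = []
    unexpected = sorted(set(payload) - set(ALLOWED_FIELDS))
    if unexpected:
        # A proxied request can carry fields the page never sends (is_admin, price, ...)
        errors.append("unexpected fields: " + ", ".join(unexpected))

    safe = {}
    for field, expected_type in ALLOWED_FIELDS.items():
        if field not in payload:
            errors.append("missing field: " + field)
            continue
        value = payload[field]
        # type() rather than isinstance(): bool is a subclass of int, and
        # "quantity": true must not pass as a number
        if type(value) is not expected_type:
            errors.append(f"{field} must be {expected_type.__name__}")
            continue
        if field == "username" and not USERNAME_RE.match(value):
            errors.append("username contains characters outside the allowlist")
            continue
        if field == "quantity" and not 1 <= value <= MAX_QUANTITY:
            errors.append(f"quantity must be between 1 and {MAX_QUANTITY}")
            continue
        # Encode on output so a value such as <script> is displayed, not executed
        safe[field] = html.escape(value) if isinstance(value, str) else value

    return {"ok": not errors, "errors": errors, "safe": safe}
```

The same function is what the JSON-injection test in the notes exercises from the other side: a body whose `note` field carries markup comes back encoded in `safe`, and a body with a string where the client would only ever send a number is rejected outright.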

Web Services

  • Also potentially admin interfaces exposed for the Web Service

  • WSDL files outline the functions and syntax available

    • normally an XML file in a standard format
  • Web Services can use SOAP and REST

    • REST is similar to HTTP, we can test that as normal
  • Entities are user-defined shortcuts

    • include the entity definitions in the DOCTYPE of the XML file
    • Definition

      Use with: &isc;
  • External entities allow for embedded documents

    • both local and remote

      Use with &pass;
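Because a WSDL is a standard XML format, the operations and their parameters can be enumerated mechanically rather than read by hand, and that inventory is where an exposed admin function first shows up. The block below is an added example (not from the course or from these notes): a small WSDL 1.1 reader in Python built on the standard library. The sample WSDL is constructed for the demonstration, and the list of words that marks an operation as "looks privileged" is a heuristic assumed here, not anything the course defines.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Constructed sample WSDL (assumption): two operations on one portType,
# one of which is an administrative function exposed on the same service.
SAMPLE_WSDL = """<definitions name="AccountService"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="urn:example:account"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <message name="GetBalanceRequest">
    <part name="accountId" type="xsd:string"/>
  </message>
  <message name="GetBalanceResponse">
    <part name="balance" type="xsd:decimal"/>
  </message>
  <message name="ResetPasswordRequest">
    <part name="userId" type="xsd:string"/>
    <part name="newPassword" type="xsd:string"/>
  </message>
  <portType name="AccountPort">
    <operation name="GetBalance">
      <input message="tns:GetBalanceRequest"/>
      <output message="tns:GetBalanceResponse"/>
    </operation>
    <operation name="AdminResetPassword">
      <input message="tns:ResetPasswordRequest"/>
    </operation>
  </portType>
</definitions>
"""

# Heuristic (assumption): operation names containing these words deserve a
# second look for missing authorisation.
SENSITIVE_WORDS = ("admin", "reset", "delete", "debug")


def _local_name(qname: str) -> str:
    """Strips a namespace prefix such as tns: from a message reference."""
    return qname.split(":", 1)[-1]


def looks_privileged(operation_name: str) -> bool:
    lowered = operation_name.lower()
    return any(word in lowered for word in SENSITIVE_WORDS)


def list_operations(wsdl_text: str) -> dict:
    """Maps each operation name to its portType, its input parameters
    (part name, declared type) and the privileged-name flag."""
    root = ET.fromstring(wsdl_text)
    ns = {"w": WSDL_NS}

    # Resolve message name -> [(part name, type or element)] first
    messages = {}
    for message in root.findall("w:message", ns):
        messages[message.get("name")] = [
            (part.get("name"), part.get("type") or part.get("element"))
            for part in message.findall("w:part", ns)
        ]

    operations = {}
    for port_type in root.findall("w:portType", ns):
        for operation in port_type.findall("w:operation", ns):
            name = operation.get("name")
            input_ref = operation.find("w:input", ns)
            params = []
            if input_ref is not None:
                params = messages.get(_local_name(input_ref.get("message")), [])
            operations[name] = {
                "portType": port_type.get("name"),
                "params": params,
                "looks_privileged": looks_privileged(name),
            }
    return operations
```

Each entry in the returned dictionary is exactly what a SoapUI test case or a Burp fuzzing run needs: the operation name and the typed parameters to vary.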
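The entity bullets describe two things a DOCTYPE can do: define an internal entity (the `&isc;` shortcut) and declare an external entity that pulls in a local or remote document (the `&pass;` case). The defensive counterpart is a parser that still expands internal entities but never resolves external ones, or an endpoint that refuses a DTD altogether. The block below is an added example (not from the course or from these notes) of both, using Python's standard-library SAX parser; the two XML documents are constructed for the demonstration and the file path is a placeholder.

```python
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample (assumption): an internal entity "isc" declared in the
# DOCTYPE and used in the body, the "Use with: &isc;" pattern.
INTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY isc "Internet Storm Center">
]>
<note><body>&isc;</body></note>
"""

# Constructed sample: an external entity whose value would be read from a
# local file, the "Use with &pass;" pattern. The path is a placeholder.
EXTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY pass SYSTEM "file:///PLACEHOLDER/path/to/secret">
]>
<note><body>&pass;</body></note>
"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


class TextCollector(ContentHandler):
    """Concatenates all character data the parser reports inside the document."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def contains_doctype(xml_text: str) -> bool:
    """Cheapest mitigation: a web-service request almost never needs a DTD,
    so an endpoint can refuse any document that declares one."""
    return DOCTYPE_RE.search(xml_text) is not None


def body_text_without_external_entities(xml_text: str) -> str:
    """Parses with external general entities disabled. Internal entities still
    expand; a SYSTEM or PUBLIC entity contributes nothing instead of the
    referenced file or URL."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never fetch SYSTEM/PUBLIC entities
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.feed(xml_text)
    parser.close()
    return handler.text
```

Setting `feature_external_ges` explicitly, rather than relying on the interpreter's default, is the point: the behaviour is then the same on every Python version the service runs on.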

XPath Injection

  • Similar to SQL injection, but for XML

    • can trick the application into parsing input data as part of the XPath query

    • Expected input: Brenna

    • Attacker input: Brenna" or "*"=

SOAP Tools

  • SOAPUI can be used to do functional and performance testing

  • SOAPUI can parse WSDL and create test cases

    • By default SOAPUI has a proxy defined which will cause errors if you don’t have one set up
  • Once you’ve got a test case, can use Burp to fuzz parameters

  • Alternatively, you can use WSFuzzer (command line only) to fuzz parameters

Client Side Coding

  • Includes

    • ActiveX
    • Flash
    • Java
    • Silverlight
  • Flash files comprise

    • .SWF file - compiled flash application
    • .FLV file - flash video files
    • .AS file - contains ActionScript source code (similar in concept to .js files)
    • Can sometimes find the source files in the same directory as the SWF file
  • Flash doesn't have to comply with the regular Same-Origin policy

    • has its own implementation of the same concept, called the Cross Domain policy
    • introduced in Flash 7
    • set up in crossdomain.xml (not in the Flash file, but in the directory with the SWF, or the webroot, etc., as decided by the site-control policy)
    • controls which servers are allowed to access content FROM this domain
  • Decompiling Flash objects

    • sometimes protected, sometimes not
    • Flare can be used to decompile SWF files
    • SWFScan is an HP tool that can download and decompile Flash apps, then check for security vulnerabilities
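Since crossdomain.xml decides which origins may read content from the site, reviewing it is a quick win on either side of an engagement. The block below is an added example (not from the course or from these notes) of a small audit in Python that flags the permissive settings in a policy file: a wildcard `allow-access-from`, `secure="false"`, a `site-control` that permits policy files anywhere on the host, and wildcard request-header grants. Both policy files are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption): the permissive policy an auditor hopes not to find.
PERMISSIVE_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: a policy restricted to one named origin.
RESTRICTIVE_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com"/>
</cross-domain-policy>
"""


def audit_crossdomain(policy_xml: str) -> list:
    """Returns a list of findings, one per permissive setting; an empty list
    means nothing in the policy grants more than a named origin needs."""
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not cross-domain-policy; Flash will ignore this file"]

    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        # "all" lets any policy file on the host, not just the master one in the
        # webroot, grant access; an upload directory then becomes a policy source
        findings.append("site-control permits policy files anywhere on the host (all)")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin read access')
        elif domain.startswith("*."):
            findings.append(f"allow-access-from {domain} grants every subdomain read access")
        if rule.get("secure", "true").lower() == "false":
            # On an HTTPS-served policy this lets SWFs loaded over plain HTTP read the content
            findings.append(f'secure="false" on {domain or "(no domain)"} allows non-HTTPS callers')

    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append("allow-http-request-headers-from domain=\"*\" lets any origin send custom headers")

    return findings
```

The same function can be pointed at a policy fetched from the webroot during a review; anything it returns is a line item for the report, and an empty list is the expected result for a site that only talks to its own front end.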