Tools for Testing of Silverlight Applications

Silverlight is a proprietary application framework created by Microsoft in 2007. Its purpose is similar to Flash by Adobe and enables the creation of Rich Internet Applications. Silverlight is available as Plug-In for different browsers (Chrome, Firefox and Internet Explorer) on the Windows and Mac OS platform [1].

In security assessments you might get in touch with an application that is completely implemented in Silverlight. This post shows you some basic tests that can be executed and some tools you can use during an assessment.

Burp Plugins

There are two Plugins available for Burp. In 2011 GDSSecurity published a plugin in Java that is able to encode and decode WCF Binary SOAP data („Content-Type: application/soap+msbin1”) [2].  This plugin is still working in Burp 1.6.03 but the setup does need two instances of Burp connected in series if you want to edit request or response data. This is due to the fact that the plugin can only be used for encoding or decoding in one Burp instance. Therefore one Burp needs to decode the request, then you can edit the request, sent it to the next Burp that will encode the request again as WCF Binary SOAP data. The plugin can be used if you execute the following command within the directory of the plugin to start Burp:

java -Xmx512m -classpath BurpExtender.jar;.<path to burp>\burpsuite_pro_v1.6.03.jar burp.StartBurp

In 2013 Nick Coblentz released a Python plugin for Burp that extended the work done by GDSSecurity so that only one instance of Burp is needed to edit the response and request of Silverlight requests [3]. Before loading the plugin, the location of the Python environment for Java (Jython) needs to be set within in Burp, therefore you need to navigate to „Extender/Options/Pyhton Environment“.  You should download Jython 2.7beta in this case as Jython 2.5 is missing a module that the plugin is using [4]. As next step you can easily load the Pyhton script in Burp via „Extender/Burp Extensions/Add“ and after the plugin has loaded the request and response with „Content-Type: application/soap+msbin1“ will be decoded.

Fiddler

If you are using Fiddler, there is also a third-party extension that can be used to read and modify WCF binary messages that are used by Silverlight. You can download either the extension for Fiddler 2 or Fiddler 4 or modify the source and compile it yourself, as the whole source code is also available [5].

Silverlight Spy / XAML Spy

Besides attacking the communication by using an interception proxy like Burp or Fiddler, there is a tool dedicated for testing Silverlight applications called XAML Spy [6], the successor of Silverlight Spy [7]. In conjunction with .NET Reflector or other third-party decompiler tools it is possible to decompile Silverlight applications, like an application running in the browser or an offline application that is stored on client-side.

Silverlight Spy can be downloaded as a free version [10]. XAML Spy is only available as 21-day test version for evaluation. For productive testing you have to buy a license.

Test cases

When you test a Silverlight application you should have a look at the clientaccesspolicy.xml. There is also some documentation available from Microsoft about „HTTP Communication and Security with Silverlight“ that describes some basic hardening settings [8].

During decompiling a Silverlight application you should also investigate the Isolated Storage, if there is any sensitive information stored.

References

[1] http://en.wikipedia.org/wiki/Microsoft_Silverlight

[2] https://github.com/GDSSecurity/WCF-Binary-SOAP-Plug-In

[3] https://gist.github.com/sekhmetn/4504341

[4] http://www.jython.org/downloads.html

[5] https://github.com/waf/WCF-Binary-Message-Inspector

[6] http://xamlspy.com/

[7] http://firstfloorsoftware.com/silverlightspy

[8] http://msdn.microsoft.com/en-us/library/cc838250(v=vs.95).aspx

[9] http://abhartiya.wordpress.com/2012/07/06/pentesting-silverlight-applications/ 

[10] http://firstfloorsoftware.com/silverlightspy#download