From: Xman Security (xmansecurity@gmail.com)
Date: Thu Jul 20 2006 - 15:56:27 EDT
Hi,
Have you perform any pen-tests agains those Intranet web services?
This looks like another weak point for me. Some areas might be
interesting to try are:
How this desktop application authenticate to the web services?
Is there any sensitive information such as passwords and keys in the
desktop application source code or compiled binaries.
Are there any high privileged web methods (admin functions) available
on these services?
How does the web services implements access control?
Is there any XML injection related issues in web services?
How about SQL injection through web services?
Is it possible to intercept and forge results from the web services to
manipulate the behaviors of the desktop application?
How is the communcation between the desktop application and the web
services protected?
To modify HTTP headers, the best document would be HTTP protocol RFC.
If it is web services, you might be interested to look at SOAP over
HTTP documents. There are other tools such as burpproxy and webscrab
from OWASP can help modifying HTTP requests as well.
Hope this is helpful,
Regards,
-Xiaoyong
On 7/19/06, 3 shool <3shool@gmail.com> wrote:
> Hello Satya,
>
> Since it is desktop application without any webserver I think XSS
> would not be applicable here. We already tried SQL injection and Blind
> SQL Injection also. The application is robust at least against SQL
> injection. I am using Proxy for Input Validation but not found any
> medium or high risk vulnerabilities till now.. only 2 low risk
> vulnerabilities are discovered till now.
>
> Does anybody know a good document on modifying HTTP Referrer and other
> headers? Thats one area untested. The application contacts Intranet
> webserver for some web services.
>
> I will find a few other things meanwhile.
>
> PLease let me know in case you are knowing other points or things that
> I can look for.
>
> Thanx Satyashil.
>
> On 7/19/06, satyashil rane <satyashil.rane@gmail.com> wrote:
> > Hi
> >
> > As you mentioned, code is available with you. You can test following things.
> >
> > SQL injection
> > Cross-site scripting
> > Input/data validation
> > Authentication
> > Authorization
> > Sensitive data
> > Code access security
> > Exception management
> > Data access
> > Cryptography
> > Unsafe and unmanaged code use
> > Configuration
> > Threading
> > Undocumented public interfaces To perform above checks read following
> > article.
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000027.asp
> >
> > Satya
> > Information Security Consultant
> > MIEL e-Security Pvt. Ltd.
> > India
> >
> >
> > On 7/19/06, 3 shool < 3shool@gmail.com> wrote:
> > >
> > Hello All,
> >
> > I am penetration testing a C# (.Net) desktop application with SQL
> > server as the backend. The source code of the application is also made
> > available to me. Here is what I have done till now:
> >
> > 1. Scanned using Nessus and found that application doesn't have any
> > services running. It just uses Internet for some services and central
> > database for storage.
> >
> > 2. I used Application Proxy to intercept communications to see if
> > anything was suspicious but couldn't find anytrhing.
> >
> > 3. I didn't try Buffer Overflow attacks as it is secured by .Net itself.
> >
> > 4. I know the backend API's but what can be done with those?
> >
> > 5. I tried SQL injection but it seems to be protected even for blind
> > sql injection.
> >
> > Till now I haven't found any vulnerability. Any idea what more can I
> > do? Any other techniques? Any docs?
> >
> > Looking for some help from you guys.
> >
> > Thanx.
> >
> > ------------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Concerned about Web Application Security?
> > Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> > Choice Award from eWeek. As attacks through web applications continue to
> > rise,
> > you need to proactively protect your applications from hackers. Cenzic has
> > the
> > most comprehensive solutions to meet your application security penetration
> > testing and vulnerability management needs. You have an option to go with a
> > managed service (Cenzic ClickToSecure) or an enterprise software
> > (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> > help you: http://www.cenzic.com/news_events/wpappsec.php
> > And, now for a limited time we can do a FREE audit for you to confirm your
> > results from other product. Contact us at request@cenzic.com for details.
> > ------------------------------------------------------------------------------
> >
> >
> >
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> Choice Award from eWeek. As attacks through web applications continue to rise,
> you need to proactively protect your applications from hackers. Cenzic has the
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request@cenzic.com for details.
> ------------------------------------------------------------------------------
>
>
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:21 EDT