[Owasp-o2-platform] [Owasp-leaders] Testing Silverlight

dinis cruz dinis.cruz at owasp.org
Thu Mar 10 08:02:41 EST 2011


Nope, just that with source code there is a lot more one can do (O2 has a
.Net Static analysis engine which can dramatically help when reviewing web
services).

Another roadblock that you might need to go around is if the WSDL is not
being exposed (in that case, the info you will need is inside the
Silverlight app (or even the Zed/Burp logs)).

The way to use O2 in this scenario is to create programmatic tests
for each service (which can be packaged as UnitTests for the app's
developers). First you need to create an environment where you can make
valid requests; after that you can start your tests (for example, running
FuzzDB against specific targets).

Dinis Cruz

On 10 Mar 2011, at 04:27, Tony UV <tonyuv at owasp.org> wrote:

No, completely blackbox, so no server side source.  Is that a deal-breaker
for testing with O2?



Tony UcedaVelez, CISM, CISA, GSEC

*Atlanta Chapter President*

*Membership Committee Global Board Member*

*OWASP Atlanta*

http://www.owasp.org/index.php/Atlanta_Georgia

Twitter: *@versprite*



*From:* owasp-leaders-bounces at lists.owasp.org [mailto:
owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *dinis cruz
*Sent:* Wednesday, March 09, 2011 11:23 PM
*To:* owasp-leaders at lists.owasp.org
*Cc:* owasp-o2-platform at lists.owasp.org
*Subject:* Re: [Owasp-leaders] Testing Silverlight



Hi Tony, I have done the web services part several times using the O2
Platform.



If you have a test/demo site available, I can show you how.



Do you also have access to the server-side source code?

Dinis Cruz


On 10 Mar 2011, at 03:19, Tony UV <tonyuv at owasp.org> wrote:

Hey all,



Skyped Manico this question today and he recommended I share with the leader
list, so here it goes.



Has anyone had any success in testing Silverlight based front-ends that talk
to a web service?



I’ve used .NET Reflector, Zed, and Burp with good success in pulling back
multiple WSDL files, code assemblies that Silverlight interfaces with
(contained within .xap files), and other good nuggets, but seeing what
others have used as part of their own testing regimen?



Has anyone ever used .NET’s svcutil.exe from the Windows SDK to create a rogue
request to a web service or written a tool to do so in conjunction with
params that some of the assemblies may be expecting?



Tony UcedaVelez, CISM, CISA, GSEC

*Atlanta Chapter President*

*Membership Committee Global Board Member*

*OWASP Atlanta*

http://www.owasp.org/index.php/Atlanta_Georgia

Twitter: *@versprite*



_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
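
The point made in the thread, that the service details live inside the Silverlight app when no WSDL is exposed, shown as an added example that is not from the posters or the O2 Platform: a .xap is a ZIP archive, and this inventories the assemblies and WCF client endpoints it declares. The file names `AppManifest.xaml` and `ServiceReferences.ClientConfig` are the standard Silverlight ones and are not named in the thread; the sample archive, host and service names are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the Silverlight deployment manifest (AppManifest.xaml).
DEPLOY_NS = "{http://schemas.microsoft.com/client/2007/deployment}"

def inventory_xap(xap_bytes):
    """List assemblies and WCF client endpoints declared in a .xap (a ZIP archive)."""
    found = {"assemblies": [], "endpoints": []}
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        names = {n.lower(): n for n in xap.namelist()}  # case-insensitive lookup
        manifest = names.get("appmanifest.xaml")
        if manifest:
            root = ET.fromstring(xap.read(manifest))
            found["assemblies"] = [p.get("Source") for p in root.iter(DEPLOY_NS + "AssemblyPart")]
        config = names.get("servicereferences.clientconfig")
        if config:  # absent when the app builds its endpoints in code
            root = ET.fromstring(xap.read(config))
            for ep in root.iter("endpoint"):
                address = ep.get("address", "")
                found["endpoints"].append({
                    "address": address,
                    "binding": ep.get("binding"),
                    "contract": ep.get("contract"),
                    # Flag service calls that would travel without TLS.
                    "cleartext": address.lower().startswith("http://"),
                })
    return found

def build_sample_xap():
    """Constructed sample archive; host, services and assembly are hypothetical."""
    manifest = ('<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" '
                'xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" EntryPointAssembly="DemoApp">'
                '<Deployment.Parts><AssemblyPart x:Name="DemoApp" Source="DemoApp.dll" />'
                '</Deployment.Parts></Deployment>')
    config = ('<configuration><system.serviceModel><client>'
              '<endpoint address="http://app.example.test/Services/OrderService.svc" '
              'binding="basicHttpBinding" contract="OrderRef.IOrderService" name="ep1" />'
              '<endpoint address="https://app.example.test/Services/AdminService.svc" '
              'binding="customBinding" contract="AdminRef.IAdminService" name="ep2" />'
              '</client></system.serviceModel></configuration>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("ServiceReferences.ClientConfig", config)
    return buf.getvalue()

if __name__ == "__main__":
    print(inventory_xap(build_sample_xap()))
```

The resulting list of contracts and addresses is the starting point for the per-service tests described in the reply, and the `cleartext` flag marks endpoints the client would call without TLS.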