WebApp Sec mailing list archives

RE: Approach for testing sites that use RDS


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 8 Sep 2003 16:29:11 +0200

Hi Daniel,

You may want to have a look at a proxy-based tool, such as Exodus
(http://home.intekom.co.za/rdawes/exodus.html), Spike Proxy, etc.

This should allow you to see all the data that traverses the network between
the browser and the server, and give you the opportunity to modify it in
transit.

The actual user interface implemented in the client should hopefully be
irrelevant, as it should ultimately all boil down to HTTP or HTTPS POSTs
submitted over the wire. If the OCXs implement their own network
communications protocol, or encrypt elements of the data, you would
obviously have a more difficult task ahead of you.

Once you have access to the raw data stream going to the server, you would
be in a position to modify the values in an attempt to get your application
to break in exploitable ways.

Good luck.

Rogan

-----Original Message-----
From: Daniel [mailto:dan () ugc-labs co uk] 
Sent: 08 September 2003 03:21 PM
To: webappsec () securityfocus com
Subject: Approach for testing sites that use RDS




Hi all,

Does anyone have any insight into the approach needed when testing sites
which make use of MS's RDS and ActiveX?

I'm currently testing a site which uses both in a heavy fashion (the site
itself uses about 20 odd ocx and the user has to download 9 cab files
just to get to the logon page)

I've done a good search on google and nothing has been mentioned on
testing sites with this setup (or my search fingers aren't working well
today)

Any pointers would be greatly appreciated

D

