Microsoft LightSwitch Research

09 September 2013 by Richard Brain, ProCheckUp

Introduction

Microsoft LightSwitch is a Line Of Business (LOB) development framework first released on 26 July 2011. The current version, shipped with Visual Studio 2012 Update 3 (1st Sept. 2013), adds new WebAPI functionality tailored for HTML5 and mobile devices.

LightSwitch can run in three distinct modes:

a) A local desktop Silverlight client

b) A Silverlight web client hosted on IIS and SQL servers

c) An HTML5/JavaScript web client hosted on IIS and SQL servers

ProCheckUp concentrated on the Silverlight client running from an IIS hosted server on the Internet.

ProCheckUp has identified a number of security concerns with LightSwitch's implementation, ranging from reading the client source code to accessing client screens without authentication.

Please read our paper "PenTesting Microsoft LightSwitch", which can be found at http://procheckup.com/procheckup-labs.aspx.

Reading client side source code

Immediately after the website is visited, the client.xap file containing the Silverlight client code is downloaded to the browser. The paper discusses reading the contents of this file (a ZIP archive) and using .NET Reflector to recover the original source code.

The code behind the screens can be recovered using .NET Reflector, as shown below:

[Image: .NET Reflector]
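To show what the first step of that recovery looks like without a browser or Reflector in the loop, here is an added example (not ProCheckUp's code or the paper's own tooling) that treats client.xap as the ZIP archive it is, reads the AppManifest.xaml inside it, and separates the application's own assemblies from the Microsoft runtime ones. The manifest, the assembly names (Contoso.Client, Contoso.Common) and the DLL stubs are constructed so the script runs offline; pass a real client.xap path on the command line to inspect a live package.

```python
"""Unpack a Silverlight client.xap and list the assemblies to decompile.

Added example, not ProCheckUp's code. A .xap is an ordinary ZIP archive whose
AppManifest.xaml names the assemblies (AssemblyPart elements) making up the
client. The manifest and DLL stubs below are constructed so the script runs
offline; pass a real client.xap path on the command line to inspect a live
application's package instead.
"""
import io
import os
import sys
import tempfile
import xml.etree.ElementTree as ET
import zipfile

NS_DEPLOY = "http://schemas.microsoft.com/client/2007/deployment"
NS_X = "http://schemas.microsoft.com/winfx/2006/xaml"

# Constructed manifest; entry point and assembly names are illustrative.
SAMPLE_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
            xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
            EntryPointAssembly="Contoso.Client" EntryPointType="Contoso.Client.App"
            RuntimeVersion="5.0.61118.0">
  <Deployment.Parts>
    <AssemblyPart x:Name="Microsoft.LightSwitch.Client" Source="Microsoft.LightSwitch.Client.dll" />
    <AssemblyPart x:Name="Contoso.Client" Source="Contoso.Client.dll" />
    <AssemblyPart x:Name="Contoso.Common" Source="Contoso.Common.dll" />
  </Deployment.Parts>
</Deployment>"""


def build_sample_xap() -> bytes:
    """ZIP the constructed manifest plus PE-header stubs standing in for DLLs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", SAMPLE_MANIFEST)
        for name in ("Microsoft.LightSwitch.Client.dll", "Contoso.Client.dll", "Contoso.Common.dll"):
            z.writestr(name, b"MZ" + b"\x00" * 62)  # DOS stub only, not a real assembly
    return buf.getvalue()


def inspect_xap(xap_bytes: bytes) -> dict:
    """Read AppManifest.xaml and report the entry point and every assembly.

    Assemblies not prefixed 'Microsoft.' or 'System.' are the application's
    own code, i.e. the screens and business logic worth opening in Reflector.
    """
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        root = ET.fromstring(z.read("AppManifest.xaml"))
        assemblies = []
        for part in root.iter(f"{{{NS_DEPLOY}}}AssemblyPart"):
            source = part.get("Source")
            assemblies.append({
                "name": part.get(f"{{{NS_X}}}Name"),
                "source": source,
                "size": z.getinfo(source).file_size,
            })
    app_code = [a["source"] for a in assemblies
                if not a["source"].startswith(("Microsoft.", "System."))]
    return {"entry_point": root.get("EntryPointAssembly"),
            "runtime": root.get("RuntimeVersion"),
            "assemblies": assemblies,
            "application_code": app_code}


def extract_application_code(xap_bytes: bytes, out_dir: str) -> list:
    """Write the application's own DLLs to out_dir, ready for .NET Reflector."""
    written = []
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        for name in inspect_xap(xap_bytes)["application_code"]:
            z.extract(name, out_dir)  # zipfile sanitises absolute and '..' paths
            written.append(os.path.join(out_dir, name))
    return written


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xap()
    info = inspect_xap(data)
    print("entry point:", info["entry_point"], "runtime:", info["runtime"])
    for a in info["assemblies"]:
        print(f"  {a['source']:45} {a['size']:8d} bytes")
    with tempfile.TemporaryDirectory() as d:
        for path in extract_application_code(data, d):
            print("extracted", path)
```

The DLLs written out by extract_application_code are plain .NET assemblies and can be opened directly in .NET Reflector (or any other .NET decompiler); the Microsoft.* runtime assemblies are skipped because they are the same in every LightSwitch deployment and carry none of the application's screens.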

Bypassing authentication using anonymous access

By default a LightSwitch application is protected by a login screen:

[Image: login screen]

If the developers have not been careful in locking down access, ProCheckUp demonstrates that the login screen can be bypassed by an anonymous request similar to https://testserv/Contoso/?AuthenticationType=None.

[Image: anonymous request]

Querying OData services

Once loaded, the LightSwitch Silverlight client interrogates WCF services using the OData protocol. ProCheckUp discusses how to secure these OData services, and how to query them without using a Silverlight client.
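The following added example (not ProCheckUp's code or the paper's own tooling) shows what querying the service directly involves. It assumes the default LightSwitch data service name, ApplicationData.svc, beneath the application root, and reuses the https://testserv/Contoso/ host from the text; the AtomPub service document and the HTTP responses it classifies are constructed so the script runs offline, while probe_url() performs the live request against a real deployment. The same classify() check also answers the previous section's question, whether the service replies to a request carrying no credentials at all.

```python
"""Enumerate and query a LightSwitch OData endpoint without the Silverlight client.

Added example, not ProCheckUp's code. It assumes the default LightSwitch data
service name, ApplicationData.svc, beneath the application root, and uses the
https://testserv/Contoso/ host from the text. The service document and HTTP
responses below are constructed so the script runs offline; probe_url() makes
the live request when pointed at a real deployment.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS_APP = "http://www.w3.org/2007/app"
NS_ATOM = "http://www.w3.org/2005/Atom"

# Constructed AtomPub service document of the shape WCF Data Services returns
# for GET ApplicationData.svc/ : one <collection> per exposed entity set.
SAMPLE_SERVICE_DOC = """<service xmlns="http://www.w3.org/2007/app"
         xmlns:atom="http://www.w3.org/2005/Atom"
         xml:base="https://testserv/Contoso/ApplicationData.svc/">
  <workspace>
    <atom:title>Default</atom:title>
    <collection href="Customers"><atom:title>Customers</atom:title></collection>
    <collection href="Orders"><atom:title>Orders</atom:title></collection>
    <collection href="Users"><atom:title>Users</atom:title></collection>
  </workspace>
</service>"""


def data_service_url(app_root: str, service: str = "ApplicationData.svc") -> str:
    """Service root: the service document lives here, the model at $metadata."""
    return app_root.rstrip("/") + "/" + service + "/"


def entity_sets(service_doc_xml: str) -> list:
    """Entity set names (collection hrefs) advertised by the service document."""
    root = ET.fromstring(service_doc_xml)
    return [c.get("href") for c in root.iter(f"{{{NS_APP}}}collection")]


def build_query(service_url, entity_set, filter_=None, select=None, top=None) -> str:
    """Compose an OData v3 GET for one entity set with optional system query options."""
    opts = []
    if filter_:
        opts.append("$filter=" + quote(filter_, safe="'=,()"))
    if select:
        opts.append("$select=" + quote(",".join(select), safe=","))
    if top is not None:
        opts.append("$top=%d" % top)
    url = service_url.rstrip("/") + "/" + entity_set
    return url + ("?" + "&".join(opts) if opts else "")


def classify(status: int, headers: dict, body: str) -> str:
    """Turn a raw response into a finding: does the service answer anonymously?"""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "authentication enforced"
    if status in (301, 302, 303, 307) and "login" in hdrs.get("location", "").lower():
        return "redirected to login"
    looks_odata = ("<service" in body or "<feed" in body
                   or '"odata.metadata"' in body or '"d"' in body)
    if status == 200 and looks_odata:
        return "anonymous read allowed"
    return "unexpected response %d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 3xx responses visible instead of silently following them to a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe_url(url: str, authorization: str = None) -> str:
    """GET url with no session cookie and classify the answer."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/json;odata=verbose, application/atom+xml, */*"})
    if authorization:
        req.add_header("Authorization", authorization)
    try:
        with _OPENER.open(req, timeout=15) as resp:
            return classify(resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers), err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    svc = data_service_url("https://testserv/Contoso/")
    print("service document:", svc)
    print("metadata:        ", svc + "$metadata")
    for name in entity_sets(SAMPLE_SERVICE_DOC):
        print("  ", build_query(svc, name, top=5))
    print(build_query(svc, "Customers", filter_="Country eq 'UK'", select=["Email", "Name"]))
    print(classify(200, {"Content-Type": "application/atomsvc+xml"}, SAMPLE_SERVICE_DOC))
```

In a live test the first two requests to make are probe_url() against the service root and against $metadata: the service document lists every entity set the client can reach, and the metadata document gives their properties and keys, so a "anonymous read allowed" result on either is a finding in itself before any $filter query is issued.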
