Web application security - the fast guide 1.1 | Page 92
Chapter 5 - Attack Execution the client
plugin named (WCF Binary Soap Plug-In) by ([email protected])
3. A special tab will show the object content sent in the ciphered message.
4. Alter the message as requested and forward the request.
5. Capture the response and see deciphered contents.
5.6 Decompile Flash, Java applet and Silverlight
[Figure: flow diagram. Send request to retrieve Flash component or Java applet; retrieve Flash component or applet; decompile bytecode and analyze result; recompile a privileged version; send a privileged request to get privileged response.]
Figure 34: Decompilation process for Flash, Java applets and Silverlight
This attack depends on disclosing the business logic executed in a browser
extension such as a Java applet, Flash or Silverlight component.
Java applets and SWF files contain bytecode that can be decompiled to recover
the original source with tools such as JAD for Java applets, Flare for Flash and
Telerik Just Decompiler for Silverlight XAP files. (The software is available in
the supplementary materials.)
Attack requirement
Targeted functionality fully executed on the client side.
Low complexity of application bytecode.
Attack process
1. Use Flare, JAD or Telerik decompiler, depending on the type of
component. The result will be ActionScript source for Flare or Java for
JAD.
2. Review the source to identify any attack points that will enable you to
reengineer the Flash object and bypass any controls implemented
within it.
3. Modify the decompiled source to change the behavior of the applet,
recompile it to bytecode, and modify the source code of the HTML
page to load the modified applet in place of the original.
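
For a reviewer inventorying which client-side components an application ships, the tool choice in step 1 comes down to the file header. The following is an added example, not code from the book: it identifies SWF, Java class, JAR and XAP files from their leading bytes and maps each to the decompiler named above. The function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

# Decompiler the page names for each component type.
TOOLS = {"swf": "Flare", "java": "JAD", "xap": "Telerik Just Decompiler"}

def classify_component(data: bytes) -> dict:
    """Identify a browser-extension component from its header bytes."""
    # SWF: 3-byte signature, 1-byte version, 4-byte little-endian length.
    # FWS is uncompressed; CWS (zlib) and ZWS (LZMA) are compressed bodies.
    if len(data) >= 8 and data[:3] in (b"FWS", b"CWS", b"ZWS"):
        version, length = struct.unpack("<BI", data[3:8])
        return {"type": "swf", "tool": TOOLS["swf"], "version": version,
                "compressed": data[:3] != b"FWS", "declared_length": length}
    # Java class file: magic 0xCAFEBABE, then big-endian minor and major version.
    if len(data) >= 8 and data[:4] == b"\xca\xfe\xba\xbe":
        _minor, major = struct.unpack(">HH", data[4:8])
        return {"type": "java", "tool": TOOLS["java"], "class_major": major}
    # JAR and XAP are both ZIP archives; tell them apart by their contents.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = archive.namelist()
        except zipfile.BadZipFile:
            return {"type": "unknown", "tool": None}
        if "AppManifest.xaml" in names:  # Silverlight package manifest
            dlls = [n for n in names if n.lower().endswith(".dll")]
            return {"type": "xap", "tool": TOOLS["xap"], "assemblies": dlls}
        classes = [n for n in names if n.endswith(".class")]
        if classes:
            return {"type": "java", "tool": TOOLS["java"], "classes": len(classes)}
    return {"type": "unknown", "tool": None}

def build_samples() -> dict:
    """Constructed sample inputs: headers only, not real components."""
    swf = b"CWS" + struct.pack("<BI", 10, 4096) + b"\x00" * 8
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 50)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("AppManifest.xaml", "<Deployment/>")
        archive.writestr("Client.dll", b"MZ")
    return {"game.swf": swf, "Login.class": cls, "client.xap": buf.getvalue()}

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, classify_component(blob))
```

Any component this flags carries logic that the client can read in full, so controls inside it need a server-side counterpart.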