3: The Tools of the Trade
menu was clicked. The command line showed exactly which executable was being called on the remote side. A quick modification of this path to point to c:\winnt\system32\cmd.exe resulted in a command prompt being launched instead of the application menu.
Using the ‘Open File’ feature in the application is another commonly used technique. Most applications have a feature where you click a button and select a file to upload. Instead of providing a file to upload, try browsing to a system directory, right-clicking a system executable and launching it. Sometimes launching certain executables will be prohibited, but others will succeed.
Tests such as SQL injection will still be valid, except that they will have to be done manually, since there is no way to upload Burp Intruder or any other tool. The amount of testing, compared with browser-based applications, is relatively lower. More focus should therefore be given to testing the other components (servers, network devices) that support this type of application.
Intercepting Java applets
When Java applets are embedded inside a webpage, the traffic is sometimes not captured by the local web proxy editor. Using the browser’s built-in SOCKS proxy feature usually solves the issue: enable the SOCKS proxy in the browser and browse the application, and data capture starts. Sometimes the browser needs to be restarted after setting the SOCKS proxy.