Microsoft LightSwitch Research

Introduction

Microsoft LightSwitch is a Line of Business (LOB) application development framework first released on 26 July 2011. The current version, shipped with Visual Studio 2012 Update 3 (1 September 2013), adds WebAPI functionality tailored for HTML5 and mobile devices.

LightSwitch can run in three distinct modes:

a)      A Silverlight client run as a local desktop application

b)      A Silverlight web client hosted on IIS, with SQL Server as the back end

c)      An HTML5/JavaScript web client hosted on IIS, with SQL Server as the back end

ProCheckUp concentrated on the Silverlight client served from an Internet-facing IIS host.

ProCheckUp identified a number of security concerns with LightSwitch's implementation, ranging from recovering the client's source code to reaching client screens without authenticating.

Please read our paper "PenTesting Microsoft LightSwitch", which can be found at http://procheckup.com/procheckup-labs.aspx.

Reading client side source code

Immediately after the site is visited, the browser downloads client.xap, the file containing the compiled client code for the Silverlight application. A .xap is an ordinary ZIP archive holding the client's .NET assemblies, so anyone who can reach the site can read it; we discuss reading the contents of this file and using .NET Reflector to recover the original source code.

The code behind each screen can be recovered with .NET Reflector, as shown below:
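As an added illustration (not part of ProCheckUp's paper and not LightSwitch code), the following Python script does the first half of that work repeatably: it opens a client.xap, reads AppManifest.xaml to list the entry-point assembly and every bundled assembly, extracts them, and confirms that each is a managed .NET PE image, i.e. something .NET Reflector or ILSpy will decompile. The archive it inspects is constructed inline with stand-in assembly names (Contoso.Client.dll, Contoso.Common.dll); against a real deployment you would pass the downloaded client.xap bytes to extract_assemblies().

```python
"""Inspect a LightSwitch client.xap before decompiling it.
A .xap is a ZIP archive; AppManifest.xaml names the entry-point assembly and every
managed assembly bundled with the client.  The sample archive below is constructed."""
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile

DEPLOY_NS = "{http://schemas.microsoft.com/client/2007/deployment}"


def parse_manifest(xap_bytes: bytes) -> dict:
    """Return the entry point and the AssemblyPart sources declared in AppManifest.xaml."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as zf:
        root = ET.fromstring(zf.read("AppManifest.xaml"))
    return {
        "entry_assembly": root.get("EntryPointAssembly"),
        "entry_type": root.get("EntryPointType"),
        "runtime": root.get("RuntimeVersion"),
        "assemblies": [p.get("Source") for p in root.iter(DEPLOY_NS + "AssemblyPart")
                       if p.get("Source")],
    }


def is_managed_pe(data: bytes) -> bool:
    """True if data is a PE image whose CLR (COM descriptor) data directory is populated,
    i.e. a .NET assembly a decompiler can turn back into C#/VB."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt = pe_off + 24                                    # optional header after 20-byte COFF header
    magic = int.from_bytes(data[opt:opt + 2], "little")
    dir_off = opt + (208 if magic == 0x10B else 224)     # data directory 14 for PE32 / PE32+
    if len(data) < dir_off + 8:
        return False
    rva = int.from_bytes(data[dir_off:dir_off + 4], "little")
    size = int.from_bytes(data[dir_off + 4:dir_off + 8], "little")
    return rva != 0 and size != 0


def extract_assemblies(xap_bytes: bytes, outdir: str) -> list:
    """Write each declared assembly to outdir (basename only, so a crafted manifest
    cannot escape the directory) and report (name, is_managed, path) for each."""
    info = parse_manifest(xap_bytes)
    os.makedirs(outdir, exist_ok=True)
    results = []
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as zf:
        for name in info["assemblies"]:
            data = zf.read(name)
            path = os.path.join(outdir, os.path.basename(name))
            with open(path, "wb") as fh:
                fh.write(data)
            results.append((name, is_managed_pe(data), path))
    return results


# --- constructed sample XAP (assembly names are placeholders, not a real build) ---
SAMPLE_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
  xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
  EntryPointAssembly="Contoso.Client" EntryPointType="Contoso.Client.App"
  RuntimeVersion="5.0.61118.0">
  <Deployment.Parts>
    <AssemblyPart x:Name="Contoso.Client" Source="Contoso.Client.dll" />
    <AssemblyPart x:Name="Contoso.Common" Source="Contoso.Common.dll" />
  </Deployment.Parts>
</Deployment>"""


def fake_managed_pe() -> bytes:
    """Just enough PE header to satisfy is_managed_pe(); stands in for a real assembly."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")              # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    buf[opt:opt + 2] = (0x10B).to_bytes(2, "little")           # PE32 magic
    buf[opt + 208:opt + 212] = (0x2008).to_bytes(4, "little")  # CLR header RVA
    buf[opt + 212:opt + 216] = (0x48).to_bytes(4, "little")    # CLR header size
    return bytes(buf)


def build_sample_xap() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppManifest.xaml", SAMPLE_MANIFEST)
        zf.writestr("Contoso.Client.dll", fake_managed_pe())
        zf.writestr("Contoso.Common.dll", b"placeholder, not a PE image")
    return buf.getvalue()


def inspect_sample() -> list:
    """Build the constructed XAP and extract it into a temporary directory."""
    return extract_assemblies(build_sample_xap(), tempfile.mkdtemp())


if __name__ == "__main__":
    print(parse_manifest(build_sample_xap()))
    for name, managed, path in inspect_sample():
        print(f"{name}: {'managed .NET assembly' if managed else 'not a managed PE'} -> {path}")
```

The CLR-directory check matters in practice: a XAP can also carry resource-only or native files, and only the assemblies with a populated COM descriptor directory will yield readable screen code in the decompiler.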

Bypassing authentication using anonymous access

A LightSwitch application is normally protected by a login screen:

If the developers have not been careful to lock down access, ProCheckUp demonstrates that the login screen can be bypassed by an anonymous request such as https://testserv/Contoso/?AuthenticationType=None. The check is simple: issue that request with no session cookie and no credentials and see whether the application's screens load.

Querying OData services

Once loaded, the LightSwitch Silverlight client talks to WCF services on the server using the OData protocol. Because those services are ordinary HTTP endpoints, they can be reached by any client, not just the Silverlight application; ProCheckUp discusses how to secure these OData services and how to query them directly, without a Silverlight client.
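As an added example (not from ProCheckUp's paper and not LightSwitch code), the Python script below performs both checks described in the last two sections without the Silverlight client: it builds the anonymous-access URL with AuthenticationType=None, fetches the OData service document and $metadata, and then requests one row from every entity set with no credentials, so the result shows which tables the server hands to an unauthenticated caller. It assumes LightSwitch's intrinsic data service lives at ApplicationData.svc under the application root; the host and path testserv/Contoso are taken from the page's example URL, and the sample service document and feed are constructed to the AtomPub/OData v2 shape rather than captured from a real server.

```python
"""Talk to a LightSwitch OData endpoint without the Silverlight client and see what it
serves to an anonymous caller.  ApplicationData.svc is assumed to be the intrinsic data
service; the host, application path and sample XML below are constructed."""
import urllib.error, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

APP, ATOM = "{http://www.w3.org/2007/app}", "{http://www.w3.org/2005/Atom}"
M = "{http://schemas.microsoft.com/ado/2007/08/dataservices/metadata}"
D = "{http://schemas.microsoft.com/ado/2007/08/dataservices}"


def anonymous_targets(base_url, service="ApplicationData.svc"):
    """URLs to fetch with no cookie and no Authorization header."""
    base = base_url.rstrip("/") + "/"
    return [base + "?AuthenticationType=None",   # login-screen bypass described above
            base + service + "/",                # AtomPub service document: entity sets
            base + service + "/$metadata"]       # EDM schema: every entity type/property


def parse_service_document(xml_text):
    """Entity-set names (collection hrefs) from an AtomPub service document."""
    root = ET.fromstring(xml_text)
    return [c.get("href") for c in root.iter(APP + "collection") if c.get("href")]


def build_query(service_url, entity_set, **opts):
    """OData v2 query URL; give system options without the '$' (top=5, filter='...')."""
    params = {"$" + k: str(v) for k, v in opts.items()}
    query = urllib.parse.urlencode(params, safe="$'()", quote_via=urllib.parse.quote)
    return service_url.rstrip("/") + "/" + entity_set + ("?" + query if query else "")


def parse_feed(xml_text):
    """Each Atom entry as a dict of its m:properties (m:null="true" becomes None)."""
    rows = []
    for entry in ET.fromstring(xml_text).iter(ATOM + "entry"):
        row = {"__id": entry.findtext(ATOM + "id")}
        props = entry.find(ATOM + "content/" + M + "properties")
        for p in ([] if props is None else props):
            if p.tag.startswith(D):
                row[p.tag[len(D):]] = None if p.get(M + "null") == "true" else (p.text or "")
        rows.append(row)
    return rows


def http_status(url, timeout=10):
    """Status of an unauthenticated GET, or None if the host is unreachable."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return None


def probe_anonymous(base_url):
    """Map each URL to its status.  200 on an entity set means it is readable with no
    credentials at all: the server-side access-control hooks did not restrict it."""
    results = {url: http_status(url) for url in anonymous_targets(base_url)}
    service_url = anonymous_targets(base_url)[1]
    if results[service_url] == 200:
        with urllib.request.urlopen(service_url, timeout=10) as resp:
            for es in parse_service_document(resp.read().decode("utf-8")):
                url = build_query(service_url, es, top=1)
                results[url] = http_status(url)
    return results


# --- constructed samples in the shape a WCF Data Services (OData v2) server returns ---
SAMPLE_SERVICE_DOC = """<service xmlns="http://www.w3.org/2007/app"
  xmlns:atom="http://www.w3.org/2005/Atom" xml:base="https://testserv/Contoso/ApplicationData.svc/">
  <workspace><atom:title>Default</atom:title>
    <collection href="Customers"><atom:title>Customers</atom:title></collection>
    <collection href="Orders"><atom:title>Orders</atom:title></collection>
  </workspace></service>"""

SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
  xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
  xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <entry><id>https://testserv/Contoso/ApplicationData.svc/Customers(1)</id>
    <content type="application/xml"><m:properties>
      <d:Id m:type="Edm.Int32">1</d:Id><d:Name>Alice</d:Name><d:Email m:null="true" />
    </m:properties></content></entry></feed>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                        # e.g. https://testserv/Contoso/
        for url, status in probe_anonymous(sys.argv[1]).items():
            print(status, url)
    svc = "https://testserv/Contoso/ApplicationData.svc"
    for es in parse_service_document(SAMPLE_SERVICE_DOC):
        print(build_query(svc, es, top=5, filter="Country eq 'UK'"))
    print(parse_feed(SAMPLE_FEED))
```

Run with the application root as the only argument to probe a live host; with no argument it only exercises the parsers on the constructed samples. The entity-set loop is the part worth keeping in a deployment checklist: a 401 or 403 on every set is the expected result, and any 200 is a table the server will serve to anyone on the Internet regardless of what the Silverlight client's login screen shows.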