Similar to Flash, Microsoft Silverlight is a "thick client" application interface used to enhance users' experience. Underlying web services calls made by Silverlight are vulnerable and it is important to map those in terms of vulnerabilities and create fixes.
Why penetration of Silverlight Based application is essential?
Silverlight is a browser entity plug-in developed by Microsoft to enable web users with a rich client side experience. At its core Silverlight has to assume that all webpages/in-browser apps are potentially malicious, and hence runs applications in a sandbox (plug-in) which allows applications to run within a defined security context safely. Modern web application heavily rely on Silverlight, and many times expose quite a few vulnerabilities.
How we do it??
There are 3 distinct areas within a Silverlight application which are analyzed and tested against security, in the penetration testing.
1. Deep linking
Test for flaws in flow particularly authorization and data input.
Allows direct access to a page within Silverlight and could allow bypassing security such as authorization if authorization checks are only done at specific points.
2. Isolated Storage
Same as any data storage tests however the special note is that it is client-side storage.
Questions such as:
What can be stored in isolated storage?
What can be overridden in isolated storage? For example, had the application stored files that can be overridden by the user?
How is that presented back to the user?
3. Back-end services
In web application usage cases Silverlight will commonly form the top tier / front-end and a backend web service will be responsible for some sort of data handling / storage.
Because Silverlight is a client-side technology web services if they exist are exposed to the client to, which is different to the usual server-side web application which may not need to expose these at all.
Web services should be aggressively tested using automated and manual tools. The normal tests of content type, size constraints, and performance are important. Also some fuzzing would also be good. This all falls back to the generic web services testing is not Silverlight specific