Jump to content

Thick client app testing


avi24k

Recommended Posts

Hi All,

I am testing a 2-tier thick client application which has a file upload functionality.

The files are uploaded directly to the database, without any checks on the content and filetype. The database (mssql in this case) parses the file and present it back to the application viewer.

Is there's any way I can abuse this functionality?

Thanks.

Regards,

Avi

Link to comment
Share on other sites

Depends on a lot of things. What you mean by the database parsing it? What langauge is it written in? If interpreted then does it get passed through the interpreter before being rendered? Is it displayed in a browser, if so can you send HTML that gets rendered?

Link to comment
Share on other sites

Hi,

thanks for your reply.

By parsing I meant the database interpret the text () in the file (.txt, .xml, xls) and puts into a table. This table is also view-able using the application (thick-client, non-http). The application itself is written in Delphi and communicates with the database directly (using connection string).

Link to comment
Share on other sites

Sounds that it is unlikely there is any direct vulnerability unless you can find a vulnerability in whatever is used to parse the files when the come out of the database and into the table. How good are you at parser fuzzing?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...