Tuesday, May 31, 2016

A discussion with my application Hacker

In this article, I am sharing my best/worst experience, which happened 5 years ago.

About the application
I was working for a company where we developed a web-based eCommerce application for one of our clients. Since the client wanted a rich user interface, we decided to use Flash as the front end. So, as per our architecture, the Flash application communicates with an ASP.Net web service to display/process any data, and the web service communicates with SQL Server for storing/retrieving the data. In this, I was responsible for developing the web service and implementing the payment gateway, which is the credit card payment process. This application was launched in one big cinema hall.

Environment Setup
One day, our client received a shocking email saying: “I can book your entire cinema hall for just Rs.1; let me know if you need a solution, so we can discuss this further.”

Since we are the developers, the email was forwarded to us for further action. We verified our database log and found that a transaction had been done for Rs.1. As per the log, that person continuously tried that transaction for two days and finally succeeded in his goal.

We discussed a lot about how this was possible and also tried to find the loophole in our application. Only one thing we thought could be a problem: we were not re-validating, in the web service, the amount we received from the front end. We implemented that validation as well, but we were not sure whether that would solve the problem. We also studied a few things about hacking, and we could not conclude anything about the cause of this problem.

So, we updated the client on all our findings and requested them to reply to that email and schedule a meeting.

The meeting was scheduled and we were all waiting for the person who had sent the email, and a 17-year-old boy came to the meeting; he was the person who did this. Personally, I was very shocked to learn that a young boy was doing this kind of activity.

He explained what he did to achieve his goal. As we all know, when we browse a Flash-based website, the Flash file (swf) gets stored on the local machine. He has a tool (a de-compiler) which can generate the entire source of a Flash file (swf); using that, he generated the source for our Flash file. Then he ran that swf file on his own machine, and during the payment he changed the amount to Rs.1 in the front end. Since we also did not have any validation on this, the entire transaction succeeded for him.

There is another tool which prevents the Flash file from being de-compiled. He also showed a demo of that tool. Finally, we modified our Flash file as per his suggestion and also redeployed our web service with the amount validation check.
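The flaw and its fix, as an added example in Python rather than the original ASP.Net web service (which this post does not show): one booking handler charges whatever amount the front end sent, the other recomputes the total from a server-side price list and charges only that. The seat prices, the request shape and the gateway stub are assumptions made for illustration.

```python
"""Seat-booking payment handler: client-trusted amount vs. server-recomputed amount.

Added example, not the original ASP.Net web service. The price list, the request
shape and the gateway stub are assumptions for illustration.
"""

# Assumed authoritative price list (rupees per seat) kept on the server.
SEAT_PRICES = {
    "A1": 250, "A2": 250, "A3": 250,
    "B1": 150, "B2": 150, "B3": 150,
}


class PaymentRejected(Exception):
    """Raised by the hardened handler when the request fails validation."""


def charge_card(card_token, amount):
    """Stub for the payment gateway call; returns a fake transaction id."""
    return f"txn-{card_token}-{amount}"


def book_vulnerable(seat_ids, client_amount, card_token):
    """Original design: the amount computed by the Flash front end is charged as-is.

    A tampered client (decompiled swf, or simply a proxy editing the request)
    can send client_amount=1 and the seats are booked for Rs.1.
    """
    txn = charge_card(card_token, client_amount)
    return {"seats": list(seat_ids), "charged": client_amount, "txn": txn}


def server_total(seat_ids):
    """Recompute the amount from SEAT_PRICES; reject anything the server cannot price."""
    seats = list(seat_ids)
    if not seats:
        raise PaymentRejected("no seats selected")
    if len(set(seats)) != len(seats):
        raise PaymentRejected("duplicate seat ids in request")
    unknown = [s for s in seats if s not in SEAT_PRICES]
    if unknown:
        raise PaymentRejected(f"unknown seat ids: {unknown}")
    return sum(SEAT_PRICES[s] for s in seats)


def book_hardened(seat_ids, client_amount, card_token):
    """Fix: the server's own total is charged; the client's figure is only cross-checked."""
    expected = server_total(seat_ids)
    if client_amount != expected:
        raise PaymentRejected(
            f"amount mismatch: client sent {client_amount}, server expects {expected}"
        )
    txn = charge_card(card_token, expected)
    return {"seats": list(seat_ids), "charged": expected, "txn": txn}


def attempt(handler, seat_ids, client_amount, card_token="tok"):
    """Run a handler and report the outcome as a dict instead of raising."""
    try:
        return {"ok": True, "result": handler(seat_ids, client_amount, card_token)}
    except PaymentRejected as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    # Constructed request: three seats, real total Rs.650, tampered amount Rs.1.
    seats = ["A1", "A2", "B1"]
    print("vulnerable, tampered:", attempt(book_vulnerable, seats, 1))
    print("hardened,   tampered:", attempt(book_hardened, seats, 1))
    print("hardened,   honest  :", attempt(book_hardened, seats, 650))
```

The point of the hardened version is that the client's amount never reaches the gateway at all; it is compared against the server's figure only so that a mismatch can be logged. Obfuscating the swf raises the effort needed to read the code, but the request can still be edited in transit with a proxy, so the server-side check is the actual fix.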

De-compilers are very useful for regenerating the source code if we have lost it.

As developers, we all concentrate only on how to develop and implement our logic, and we do not think about de-compilers. Because of this, sometimes our logic can be stolen by someone.

All COM dlls/exes, Java class files and .Net assemblies can be de-compiled. There are a few tools (obfuscators) available that make this harder, although anything that runs on the client can still be read and altered with enough effort.
