Re: Code Cracking in Java
From: Peter Conrad <conrad () tivano de>
Date: Wed, 12 May 2004 13:54:40 +0200
On Wed, May 12, 2004 at 06:35:07AM -0000, Chitresh Sen wrote:
> Code Cracking in Java
> After modification I started the application and it was running fine. I
> changed my test user id's password to 0 characters since no server-side
> validation checks were implemented; hence, after the client-side security
> check was manipulated, the application allowed me to keep a password of any
> length. This way the minimum password length check is overcome, and a similar
> process can be used to manipulate any checks implemented on the client side. Now
> I have the key with me; the only thing I have to do is investigate the proper class
> files, understand their logic and manipulate them. Later on I overcame
> the special character checks, which makes the application vulnerable to SQL
> injection, further exploitation of which leads to the compromise of
What you have described is not a particular problem of the Java language.
The problem is that the application in question relied on the *client* side
to perform security-critical checks, which is a very bad idea in any
client/server environment. (And quite a common problem in web environments.)
Java may be guilty of making this easier than e.g. C, but the problem exists
in *any* language.
> The solution for byte code manipulation can be taken care of by implementing
> hashing for a package; before starting the application the hash should be
> calculated and compared with the server-side precalculated hash, and only if
> both of them match should further execution be allowed.
That is *not* a solution! Again, this is a mechanism that relies on the
client side to perform the hash calculation correctly, which can be
worked around by simply modifying the client software!
> The other way to solve the problem
> is to implement server-side checks; no doubt it will affect the performance
That is the *only* way to solve this problem.
Peter Conrad Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH Fax: +49 6102 / 80 99 071
Bahnhofstr. 18 http://www.tivano.de/
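The two points of the reply, played out as an added example that is neither poster's code: a client whose length check has been patched out can just as easily be patched to report the expected hash, so a server-side hash comparison of a client-computed value proves nothing; what does hold is a server that re-validates the password and binds client-supplied strings as SQL parameters, which makes the bypassed special-character filter irrelevant. Python (with the standard-library SQLite module) is used instead of Java so the server side runs stand-alone against an in-memory table; a Java server would do the same with a `PreparedStatement`. The byte-string stand-in for the client's class files, the `users` table, the sample accounts and the function names are all constructed for this illustration.

```python
import hashlib
import sqlite3

MIN_PASSWORD_LENGTH = 8

# Constructed stand-in for the client's class files: a byte string, not a real jar.
GENUINE_CLIENT = b"LoginForm.class: if (password.length() < 8) reject();"
# The server's precalculated hash of the genuine client, as the quoted proposal suggests.
EXPECTED_HASH = hashlib.sha256(GENUINE_CLIENT).hexdigest()


def patch_client(client):
    """The bytecode edit from the original post: strip the minimum-length check."""
    return client.replace(b"if (password.length() < 8) reject();", b"")


def reported_hash(client, lies=False):
    """What the client sends to the server. An honest client hashes the code it runs;
    a patched client is simply edited to send the expected value instead, because the
    hash is computed on the attacker's machine."""
    return EXPECTED_HASH if lies else hashlib.sha256(client).hexdigest()


def server_trusts_client_hash(reported):
    """The proposed 'solution': accept the client if the hash it reports matches."""
    return reported == EXPECTED_HASH


def validate_password(password):
    """Server-side policy check; runs whatever the client did or did not do."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    return errors


def password_hash(password):
    # Illustrative only: a real server stores a salted, slow password hash (argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def new_users_db():
    """Constructed in-memory user table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", password_hash("correct horse battery")),
                      ("admin", password_hash("s3cret-passphrase"))])
    conn.commit()
    return conn


def stored_password(conn, name):
    return conn.execute("SELECT password FROM users WHERE name = ?", (name,)).fetchone()[0]


def change_password_unsafe(conn, name, password):
    """Server that trusts the client: no length check, SQL built by string concatenation.
    Once the client's special-character filter is patched out, `name` rewrites the WHERE clause."""
    conn.execute(f"UPDATE users SET password = '{password_hash(password)}' WHERE name = '{name}'")
    conn.commit()


def change_password_safe(conn, name, password):
    """Server-side validation plus a parameterized statement; returns the list of policy errors.
    No character filtering is needed: bound parameters are never parsed as SQL."""
    errors = validate_password(password)
    if errors:
        return errors
    conn.execute("UPDATE users SET password = ? WHERE name = ?", (password_hash(password), name))
    conn.commit()
    return []


if __name__ == "__main__":
    patched = patch_client(GENUINE_CLIENT)
    print("patched client, honest hash accepted:", server_trusts_client_hash(reported_hash(patched)))
    print("patched client, forged hash accepted:", server_trusts_client_hash(reported_hash(patched, lies=True)))
    db = new_users_db()
    change_password_unsafe(db, "alice' OR name = 'admin", "attacker-chosen")
    print("admin overwritten via unsafe server:", stored_password(db, "admin") == password_hash("attacker-chosen"))
    db = new_users_db()
    print("safe server rejects 0-char password:", change_password_safe(db, "alice", ""))
    change_password_safe(db, "alice' OR name = 'admin", "attacker-chosen")
    print("admin overwritten via safe server:", stored_password(db, "admin") == password_hash("attacker-chosen"))
```

Run as a script, the first two lines show the hash check catching an honest patched client and waving through the same client once it lies; the remaining lines show the concatenating server letting a crafted user name reset the admin account, and the validating, parameterized server rejecting the empty password and leaving admin untouched even though the same special characters got through.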