Importance of application security


What happened?

I was browsing the web for a simple application the other day. I found one that, when opened, said I needed to get a key. Because I only wanted to test something once, I decided I’d either find another solution or try to have some fun with this one =D (Note: if I planned on using this app for more than a minute I would have got an actual key). I noticed the following things that sparked an idea:

  • it said you will require .net to use the application on the website
  • the license / register form was very basic
  • the application didn’t have an installer

This, as with many other applications, means there is a good chance that the awesome tool Reflector will show me code I would otherwise not get to see =D. I found the below code on the register form:


// Whatever the user typed is written straight to the registry, unvalidated
this.reg.SetValue("the license key", this.TextBox2.Text);
// Plain HTTP GET with the key in the query string (no TLS, so the host name is all that identifies the server)
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://theSitesUrl/APlace?key=" + this.TextBox2.Text);
request.Method = "GET";
request.UserAgent = this.useragent;
request.ContentType = "application/x-www-form-urlencoded";
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
// The raw response body is taken as the licensed e-mail address, with no check that it came from the real server
string responseString = new StreamReader(response.GetResponseStream()).ReadToEnd();
this.TheLicenseEmailAddress = responseString;


From this code my first guess was that, since the response is treated as an email address (judging by the variable name), there wouldn’t be any further validation on it, so I

  1. created a blank asp.net web application
  2. added a Global.asax and altered the Application_BeginRequest method as below

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
    	HttpContext.Current.RewritePath("/Handler1.ashx");
    }
    

  3. added a Handler1.ashx that looked like below

    public class Handler1 : IHttpHandler
    {
    	public void ProcessRequest(HttpContext context)
    	{
    		context.Response.ContentType = "text/plain";
    		context.Response.Write("someone@example.com");
    	}
    
    	public bool IsReusable
    	{
    		get
    		{
    			return false;
    		}
    	}
    }
    

  4. added the below couple of lines to my web.config

    
    	
    
    

  5. added into my hosts file the following line 127.0.0.1 theSitesUrl
  6. set up an IIS site with the binding theSitesUrl pointing to the folder of the new asp.net web application
  7. ran the application that I downloaded, entered random characters for the license key and boom, I was using the app with a license

What’s my point?

Firstly, my point isn’t that this is a good thing to do or that it is right. The point is: why have a fully client-side application with a license key if

  • It’s not obfuscated
  • the sensitive data isn’t encrypted
  • the security layer takes 3 minutes to code from scratch

It’s almost like the developer doesn’t care much. Maybe I’m just being harsh and this is a basic application, so maybe the developer was more trying to build a network than make money off it (the site didn’t mention anything about paying, just emailing the dude), or maybe the lack of obfuscation was due to not having the finances to obfuscate (good obfuscation is expensive), or maybe the application is not targeted at technical users.

Security should be one of the parts of the application that the most passionate and skilled developers work on. The passion will make them want to protect their IP and try to keep their code out of other developers’ eyes, and the skills will make sure they don’t go overboard with pointless security and make the clients jump through hoops.
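To make the "security layer takes 3 minutes" point concrete from the other side, here is an added example (not the post’s code, and not from the application the post describes) of a license check that does not fall to the host-file trick above. The vendor signs the response with a private key that never leaves the real server; the client only carries the matching public key and rejects any response whose signature does not verify, so a server it has been redirected to cannot produce an acceptable reply. It assumes .NET Core 3.0 or later for ECDsa.ExportSubjectPublicKeyInfo / ImportSubjectPublicKeyInfo; the e-mail, key and expiry values are constructed sample data.

```csharp
// Added example: signed license responses verified with a public key embedded in the client.
// Not the post's code; the vendor key, e-mail and license key below are constructed sample values.
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class LicenseDemo
{
    // Vendor side: runs on the real server only, where the private key lives.
    // Signs "email|key|expiry" and appends the signature.
    public static string IssueLicense(ECDsa vendorKey, string email, string licenseKey, DateTime expiresUtc)
    {
        string payload = $"{email}|{licenseKey}|{expiresUtc:yyyy-MM-dd}";
        byte[] signature = vendorKey.SignData(Encoding.UTF8.GetBytes(payload), HashAlgorithmName.SHA256);
        // Base64 never contains '|', so the client can split on it safely.
        return payload + "|" + Convert.ToBase64String(signature);
    }

    // Client side: only the public key (SubjectPublicKeyInfo bytes) is compiled in.
    // The response is accepted only if the signature verifies, the key matches what
    // the user typed, and the expiry date has not passed.
    public static bool TryAcceptResponse(byte[] vendorPublicKeySpki, string response, string typedKey,
                                         DateTime nowUtc, out string licensedEmail)
    {
        licensedEmail = null;
        string[] parts = response.Split('|');
        if (parts.Length != 4) return false;

        string payload = string.Join("|", parts, 0, 3);
        byte[] signature;
        try { signature = Convert.FromBase64String(parts[3]); }
        catch (FormatException) { return false; }

        using (ECDsa verifier = ECDsa.Create())
        {
            verifier.ImportSubjectPublicKeyInfo(vendorPublicKeySpki, out _);
            if (!verifier.VerifyData(Encoding.UTF8.GetBytes(payload), signature, HashAlgorithmName.SHA256))
                return false; // forged or tampered response
        }

        if (!string.Equals(parts[1], typedKey, StringComparison.Ordinal)) return false;
        if (!DateTime.TryParseExact(parts[2], "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                    DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal,
                                    out DateTime expiry)) return false;
        if (nowUtc > expiry) return false;

        licensedEmail = parts[0];
        return true;
    }

    public static void Main()
    {
        using (ECDsa vendorKey = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            // This is the only key material that ships inside the client.
            byte[] publicKey = vendorKey.ExportSubjectPublicKeyInfo();

            DateTime expiry = new DateTime(2030, 1, 1, 0, 0, 0, DateTimeKind.Utc);
            string genuine = IssueLicense(vendorKey, "someone@example.com", "ABCD-1234", expiry);

            // A response from a server that does not hold the private key: same payload, bogus signature.
            string spoofed = "someone@example.com|ABCD-1234|2030-01-01|" + Convert.ToBase64String(new byte[64]);

            Console.WriteLine("genuine:   " + TryAcceptResponse(publicKey, genuine, "ABCD-1234", DateTime.UtcNow, out string email) + " " + email);
            Console.WriteLine("spoofed:   " + TryAcceptResponse(publicKey, spoofed, "ABCD-1234", DateTime.UtcNow, out _));
            Console.WriteLine("wrong key: " + TryAcceptResponse(publicKey, genuine, "WRONG-KEY", DateTime.UtcNow, out _));
        }
    }
}
```

The signature stops a redirected or spoofed server from minting licenses, which is the specific gap the decompiled snippet has. It does not, on its own, stop someone from recording one genuine response and replaying it, nor from patching the client to skip the check; that is where sending the request over TLS, binding the license to an installation identifier, and the obfuscation and anti-tamper measures the post talks about come in.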

What is Application Security?

(Wiki) Application security encompasses measures taken throughout the application’s life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

What is obfuscation (software)?

(Wiki) In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.

Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic, in order to prevent tampering, deter reverse engineering, or as a puzzle or recreational challenge for someone reading the source code.
