WebApp Sec mailing list archives

Re: [security] Code Cracking in Java


From: Allen Firstenberg <security () addventure com>
Date: Wed, 12 May 2004 07:57:04 -0400

On Wed, May 12, 2004 at 06:35:07AM -0000, Chitresh Sen wrote:
> I hope you have understood what more I had done with the application.

To summarize, you have done the following:
- Reverse engineered the code
- Modified the class file (basically assembly language) to bypass a
  client-side security check
- Exploited the fact that there are no server-side security checks

> In the above section I mentioned the vulnerabilities related to Java,
> but these vulnerabilities can be taken care of. Obfuscation can be used
> to scramble class files so that it becomes hard to understand the
> decompiled source code; there are tools available for obfuscation.

But as you note, all you need to understand is the "assembly
language" to actually understand the code.  Obfuscation may slow this
down, but it hasn't stopped it to date.

> The solution for byte code manipulation can be taken care of by
> implementing hashing for a package; before starting an
> application the hash should be calculated and compared with the
> server side precalculated hash, and only if both of them match
> should further execution be allowed.

But if someone modifies this check to either ignore or hard-code
the checksum, it is effectively bypassed.

> Another way to solve the problem is to implement server side checks;
> no doubt it will affect the performance of the server.

This is the only effective solution.

Consider that if you are communicating with a server, all you need to
do is decode the communication protocol.  You can then write your own
client (in any language) that does anything you want - ignoring the
code that you download completely.  The only solution to this is to
secure the server.


Allen
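The following is an added illustration of the point Allen makes in the reply above; it is not code from the thread or from either poster. It models the two designs being argued about: a server that gates a privileged action on values the downloaded client reports (a "check passed" flag and a self-computed package hash), and a server that decides from state it holds itself. All session ids, roles, actions and the expected hash value are constructed for the example; the server handlers and request shape are assumptions, not any real framework's API.

```python
"""Added example (not part of the thread): a check only exists where the
server enforces it. Whatever the client computes, reports or verifies about
itself can be rewritten or simply asserted by a replacement client speaking
the same protocol, so the server must authorize from state it owns."""
from dataclasses import dataclass, field

# Constructed server-side state: session ids mapped to the role the server
# itself assigned at login. Nothing the client sends can write to this.
SERVER_SESSIONS = {
    "sess-alice": "user",
    "sess-bob": "admin",
}

# Constructed placeholder for the precalculated hash of the genuine client
# package (the scheme proposed in the quoted message).
EXPECTED_PACKAGE_HASH = "constructed-hash-of-genuine-client"

PRIVILEGED_ACTIONS = {"delete_account", "export_all_data"}


@dataclass
class Request:
    session_id: str
    action: str
    # Fields the client is free to fabricate. A patched class file, or a
    # hand-written client that decoded the protocol, can send anything here.
    client_claims: dict = field(default_factory=dict)


def handle_trusting_client(req: Request) -> str:
    """Design under discussion: the server believes what the client reports.

    It accepts the privileged action when the client says its own security
    check passed and reports the expected package hash. Both values are
    just bytes on the wire, so a modified client sends the 'right' ones."""
    claims = req.client_claims
    if req.action in PRIVILEGED_ACTIONS:
        if not claims.get("check_passed"):
            return "denied"
        if claims.get("package_hash") != EXPECTED_PACKAGE_HASH:
            return "denied"
    return f"ok:{req.action}"


def handle_server_enforced(req: Request, sessions=SERVER_SESSIONS) -> str:
    """Hardened design: authorization comes from server-held session state.

    The client's claims are never consulted; the only client-supplied
    inputs are the session id (looked up, not trusted) and the action
    (validated against the server's own list)."""
    role = sessions.get(req.session_id)
    if role is None:
        return "denied"  # unknown or expired session
    if req.action in PRIVILEGED_ACTIONS and role != "admin":
        return "denied"  # server-side role, not client-side claim, decides
    return f"ok:{req.action}"


def compare_designs() -> dict:
    """Run one forged request through both handlers and return the verdicts.

    The forged request comes from an ordinary user session but carries
    every claim the trusting server wants to hear."""
    forged = Request(
        session_id="sess-alice",
        action="delete_account",
        client_claims={"check_passed": True,
                       "package_hash": EXPECTED_PACKAGE_HASH,
                       "role": "admin"},
    )
    return {
        "trusting": handle_trusting_client(forged),
        "server_enforced": handle_server_enforced(forged),
    }


if __name__ == "__main__":
    print(compare_designs())  # {'trusting': 'ok:delete_account', 'server_enforced': 'denied'}
```

The trusting handler is not made safer by the hash comparison: the server never sees the client's code, only a string the client chose to send, so a client that has already been modified reports the genuine hash. The enforced handler spends the extra server-side lookup the quoted message worries about, and that lookup is precisely the part an attacker cannot patch.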

