In this article, I am sharing my best/worst experience, which happened 5 years ago.
About the application
I was working for a company where we developed a web-based eCommerce application for one of our clients. Since the client wanted a rich user interface, we decided to use Flash as the front end. As per our architecture, the Flash application communicates with an ASP.Net web service to display/process any data, and the web service communicates with SQL Server for storing/retrieving the data. In this project, I was responsible for developing the web service and implementing the payment gateway, i.e. the credit card payment process. The application was launched at one of the big cinema halls.
Environment Setup
One day, our client received a shocking email saying: “I can book your entire cinema hall for just Rs.1; let me know if you need a solution, so we can discuss further on this”.
Since we were the developers, the email was forwarded to us for further action. We checked our database log and found that a transaction had indeed been completed for Rs.1. As per the log, the person had continuously retried that transaction for two days before he finally succeeded.
We discussed at length how this could be possible and tried to find the loophole in our application. Only one thing we thought could be a problem: we were not re-validating, in the web service, the amount received from the front end; the service charged whatever amount the Flash client sent. We implemented that validation, but we were not sure whether it would solve the problem. We also studied a few things about hacking, but could not conclude anything about the cause of the problem.
So we reported all our findings to the client and asked them to reply to that email and schedule a meeting.
Discussion
The meeting was scheduled, and we were all waiting for the person who had sent the email. A 17-year-old boy came to the meeting; he was the one who had done it. Personally, I was very shocked to learn that such a young boy was doing this kind of thing.
He explained what he did to achieve his goal. As we all know, when we browse a Flash-based web site, the Flash file (swf) gets stored on the local machine (in the browser cache). He had a tool (a decompiler) that can regenerate the entire source of a Flash file (swf), and with it he generated the source of our Flash file. Then he ran that swf on his own machine and, during payment, changed the amount to Rs.1 in the front end. Since we had no validation of the amount on the server side, the entire transaction succeeded for him. The underlying point is that anything running on the user's machine is under the user's control, so the web service must not trust any value the client sends.
There is another tool which makes a Flash file much harder to decompile; he also gave a demo of that tool. Finally, we modified our Flash file as per his suggestion, and we also redeployed our web service with the amount validation check.
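To make the fix concrete, here is a small added illustration (not the original ASP.Net web service, and written in Python rather than C# so it runs anywhere): the vulnerable version charges whatever amount the client sends, the hardened version recomputes the booking total from a server-side price list and refuses on mismatch. The seat classes, prices, and the "200 gold seats for Rs.1" request are all constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed, hypothetical server-side price list (seat class -> price in Rs).
# In the real application this would come from SQL Server, never from the client.
SEAT_PRICES = {
    "gold": Decimal("250.00"),
    "silver": Decimal("150.00"),
    "balcony": Decimal("100.00"),
}


@dataclass
class PaymentResult:
    accepted: bool
    charged: Decimal
    reason: str


def expected_total(seats):
    """Recompute the booking total from server-side prices only.

    Raises ValueError for unknown seat classes or bad quantities, so a
    tampered client cannot smuggle in a free seat class or a negative count.
    """
    total = Decimal("0")
    for seat_class, qty in seats.items():
        if seat_class not in SEAT_PRICES:
            raise ValueError(f"unknown seat class: {seat_class}")
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"bad quantity for {seat_class}: {qty!r}")
        total += SEAT_PRICES[seat_class] * qty
    return total


def charge_vulnerable(request):
    """The original design: the service charges the client-supplied amount.

    A decompiled and modified swf can send any value here, including 1.
    """
    amount = Decimal(str(request["amount"]))
    return PaymentResult(True, amount, "charged client-supplied amount")


def charge_hardened(request):
    """The fix: the client's amount is only a claim to be checked.

    The service recomputes the total from its own price list and refuses
    (and would log) any mismatch instead of charging the claimed value.
    """
    try:
        total = expected_total(request["seats"])
        claimed = Decimal(str(request.get("amount", "0")))
    except (ValueError, KeyError, TypeError, InvalidOperation) as exc:
        return PaymentResult(False, Decimal("0"), f"invalid booking: {exc}")
    if claimed != total:
        # This mismatch is exactly the signal that was missing from the
        # database log described above; it deserves an alert, not a charge.
        return PaymentResult(
            False, Decimal("0"),
            f"amount mismatch: client sent {claimed}, expected {total}")
    return PaymentResult(True, total, "charged server-computed amount")


# Constructed request: 200 gold seats (the "entire hall") with the amount
# field tampered to Rs.1, as a modified Flash front end could send.
TAMPERED_REQUEST = {"seats": {"gold": 200}, "amount": 1}

if __name__ == "__main__":
    print(charge_vulnerable(TAMPERED_REQUEST))
    print(charge_hardened(TAMPERED_REQUEST))
```

The important design choice is that `charge_hardened` never uses the client's amount for anything except comparison; the figure actually sent to the payment gateway is the one the server computed. Hardening the swf against decompilation only raises the attacker's effort, whereas this check holds no matter what the client runs.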
Conclusion
Decompilers are very useful for regenerating source code if we have lost it.
As developers, we all concentrate only on how to develop and implement our logic and do not think about decompilers. Because of this, our logic can sometimes be stolen, or, as in this case, modified and turned against us.
COM dlls/exes, Java class files and .Net assemblies can all be decompiled. There are a few tools available (obfuscators) that make this harder, but none of them can make the client trustworthy: whatever runs on the user's machine can be modified, so any value that affects money or access must be validated or recomputed on the server.