Securing Business Apps
Rise of the White Collar Crackers





Introduction

As more and more systems and processes turn to electronic storage and database driven tracking systems we find our selves in love with the new efficient, concise data access that brings with it.

Most of today’s businesses will be using custom developed Business Apps in some way to help them manage their clients, orders, accounts etc. Indeed there is an entire segment of the consulting market geared towards providing clients with custom data access front ends.

These consulting firms are generally filled with developers who are good multitaskers. Switching from client jobs on a dime and having to learn and manage a host of programmatic tasks from web design to windows desktop development.

Visual Basic is one of the most widely used RAD (Rapid Application Development) languages in the world, and the frequent weapon on choice for business app developers because of its extremely fast development times and ease of use. For this reason, this paper will focus on VB created business apps. While some of the techniques outline will be VB specific, many will also hold true for applications developed in other languages.

The term "software cracking" is often associated by default with pirated desktop user software. For those not familiar with the term, cracking refers to the act of analyzing a compiled program (no source code available) and manipulating the raw processor commands that make it up to gain extended (or infinite trial versions) or obtaining the use of privileged features. For the focus of this paper, we are going to take this into corporate America and see how these same techniques can be used to gain unauthorized access to privileged software functions in Business Applications.

In conventional software cracking, the typical reward, is gaining the use of some piece of software for general use. Manipulating these raw commands and redefining the logic of compiled programs takes alot of patience, time and skill. In the end there is no real financial gain to fund or justify the effort.

Today we live in the information age, most stored electronically in some form or another. Companies are very protective of their proprietary data. This confidential data is a closely guarded asset, and could be of real financial worth to competitors. Whether we like it or not, our information systems are at risk and we have to analyze and understand each level they can be attacked at.

In this paper, we are going to explore possible attacks against common logic found in a typical business application. In the course of the paper we will outline ways to bypass logins, enabled administrator only functionality and wreak general havoc through cracking techniques.

These techniques are usually highly effective with business applications, because their creators typically have little to no understanding of how their compiled code can be manipulated. If you have sensitive data systems with data intake and reporting applications that run on users desktops, take notice that your propiritary data could be exposed.

To help this paper cross from the realm of conversation to that of practical example, I have created a sample business app in Visual Basic 6 where you can examine, test, and see the results of these attacks directly for yourself.

This application is a order intake, tracking, and billing application modeled around common logic and programming techniques. There are 3 user levels.

1) Data Intake - only has access to adding and viewing orders 2) Accounting - access to add & view orders + handle accounts paid and credit 3) Administrator - full access + ability to grant logins and change passwords.

All of these functions are available within the same application. Privileges are managed through a handful of common techniques such as disabled menu items, disabled buttons, hidden form elements etc.

When you first login to the system, your credentials are verified and your group privileges are established that will be used throughout the rest of the application.