Security PS used three techniques to manipulate both the signed SOAP requests and the custom TCP messages:
- Writing custom code and reusing thick-client libraries
- Attaching a debugger to the running application and manipulating variables
- Disassembling, modifying, and reassembling the application
Next, Security PS needed to modify a field within a signed SOAP request to test authorization controls. Our team used a debugger and breakpoints to perform this modification. For .NET thick clients, this attack is possible after disassembling the application and reassembling it with debugging enabled.
Finally, we needed a way to quickly and easily manipulate custom TCP messages to identify vulnerabilities. Using the debugger and breakpoints was too slow, and a custom-written testing tool would have meant understanding and duplicating some complex interactions that the thick client managed. So, Security PS chose to modify the thick client directly so that consultants could interactively modify TCP messages. For that to be possible, we needed to disassemble the thick client, modify the intermediate language code, and then reassemble it.
Using these testing techniques, Security PS identified a number of high-impact vulnerabilities. After we discussed the vulnerabilities with the client, two of the questions they asked were:
- Is .NET less secure than other languages since these techniques are possible?
- How do I stop attackers from manipulating my applications?
Stay tuned for a follow-up on the questions brought up above.