Let's suppose my program makes an HTTP request and uses its response to update some values. Is it possible to somehow mimic the response in order to modify it, so the program believes the server responded when in fact it was a hardcoded response? I'm not using HTTPS.

Vallo
  • Yes, e.g. with [Fiddler](http://www.telerik.com/fiddler) – CodesInChaos Dec 16 '14 at 15:46
  • Why do you ask that question? – CodesInChaos Dec 16 '14 at 15:47
  • I'm developing a program which makes an HTTP request to retrieve 'credits' that the user is able to use. Although the clients using it are very few and the chance of being hacked is close to zero, I wanted to take some security measures. Thanks – Vallo Dec 16 '14 at 15:50
  • You want to implement some kind of licensing or DRM scheme? – CodesInChaos Dec 16 '14 at 15:53
  • Exactly. I've thought of making a random number, summing it with a unique PC key (that we already use for security purposes), sending it to the web service and hashing it on both sides; the web service returns the hash and if both match, I'm sure the app is talking to my web service – Vallo Dec 16 '14 at 15:55
  • I would look into [FakeNet](http://practicalmalwareanalysis.com/fakenet/). It's normally used to analyze malware, but it's highly configurable. You might be able to use it to deliver your response. – RoraΖ Dec 16 '14 at 16:39
  • @Vallo Keep in mind that it is not possible to make your client-side check impossible to bypass. (Worst case scenario: someone rewrites your client program from scratch, but without the part that makes it require credits.) – user253751 Dec 17 '14 at 02:28
  • You can make it harder, but making it impossible is, well, impossible. The client software is under the control of users, who can (theoretically speaking) just decompile the software and remove the part that does the check. This is part of the reason why a lot of DRM is so easy to crack. – tlng05 Dec 17 '14 at 02:42
  • @CodesInChaos I think it is much more probable that he simply has a brain-damaged binary-only tool which needs some system-integration-induced workaround. – peterh Dec 17 '14 at 08:57
  • @PeterHorvath Read Vallo's first comment. It's DRM. – CodesInChaos Dec 17 '14 at 09:05
  • @CodesInChaos Oh, I understand. Now my personal opinion is that the best would be if he could simply ignore such trash, but if he can't do that, it's better to crack this than to be a slave of some multinational IT monopoly. – peterh Dec 17 '14 at 09:10
  • Yes, I'm aware it can be cracked, but as I have mentioned earlier, security is not the biggest concern here. I just wanted to know how easy it is to crack this security scheme. Thank you! – Vallo Dec 17 '14 at 11:28

1 Answer

Yes, it's possible and it's trivially easy.

You can make it a bit harder by using HTTPS and a pinned certificate, but that will not stop anyone with a bit of time on their hands (they will then need to modify your executable, or at least the container where you placed your pinned certificate), and it will make it harder to manage your server (because if you need to change your certificate, you'll need to update your clients as well).

Stephane
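The following is an added example, not code from the question or the answer. It shows the "trivially easy" part concretely: an impostor HTTP server that returns a hardcoded credits value, and a plain-HTTP client that cannot tell it from the real one. It also implements the hash-of-nonce-plus-PC-key check from the comments to show why it does not help: the key and the hashing routine live in the client, so whoever redirects the traffic (Fiddler, FakeNet, a hosts-file entry) can also forge the proof. The `/credits` endpoint, the JSON shape, and the `PC_KEY` value are assumptions for illustration.

```python
"""Spoofing a plain-HTTP 'credits' response with a hardcoded impostor server.

Added example, not from the original post. The /credits endpoint, the JSON
shape {"credits": N, "proof": hex} and the PC_KEY value are assumptions;
in practice the client would be pointed at a server like this one by a proxy
(Fiddler), FakeNet, or a hosts-file entry for the real hostname.
"""
import hashlib
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen

# Assumed: a per-machine key that ships inside the client binary. Anyone who
# has the binary can extract it, which is what defeats the check below.
PC_KEY = "pc-key-from-client"


def expected_proof(nonce: str, pc_key: str) -> str:
    """Challenge-response from the comments: hash(nonce + pc_key).

    The impostor reuses this exact function because it, and pc_key, are
    recoverable from the client."""
    return hashlib.sha256((nonce + pc_key).encode()).hexdigest()


class ImpostorHandler(BaseHTTPRequestHandler):
    """Answers every GET /credits?nonce=... with an attacker-chosen body."""
    FAKE_CREDITS = 999999

    def do_GET(self):
        nonce = parse_qs(urlparse(self.path).query).get("nonce", [""])[0]
        body = json.dumps({
            "credits": self.FAKE_CREDITS,
            "proof": expected_proof(nonce, PC_KEY),  # forged with the extracted key
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_impostor():
    """Start the impostor on an ephemeral localhost port; return (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ImpostorHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_credits(base_url: str, pc_key: str = PC_KEY) -> int:
    """The client: send a random nonce and accept the reply only if the proof
    matches. Over plain HTTP nothing binds base_url to the genuine server, so
    whatever answers on that address is trusted."""
    nonce = secrets.token_hex(8)
    with urlopen(f"{base_url}/credits?nonce={nonce}", timeout=5) as resp:
        data = json.loads(resp.read())
    if data.get("proof") != expected_proof(nonce, pc_key):
        raise ValueError("response failed challenge-response check")
    return int(data["credits"])


def spoof_demo() -> int:
    """Run the real client against the impostor: the forged proof is accepted."""
    server, base_url = start_impostor()
    try:
        return fetch_credits(base_url)
    finally:
        server.shutdown()
        server.server_close()


def wrong_key_rejected() -> bool:
    """Sanity check: the client's check does work when the keys differ, i.e.
    the scheme fails only because the attacker has the client's key."""
    server, base_url = start_impostor()
    try:
        fetch_credits(base_url, pc_key="some-other-key")
        return False
    except ValueError:
        return True
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("credits granted by impostor:", spoof_demo())
```

Run it and the client happily reports 999999 credits. The only thing the nonce scheme proves is that the responder knows `PC_KEY`, and the responder the attacker controls does, because it was lifted from the same binary. Moving to HTTPS with a pinned certificate shifts the attacker's work from "redirect traffic" to "patch the client", as the answer notes, but does not remove it.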