Second Ethical Research Paper: Bypassing Client-Side Controls

Introduction
A growing number of web applications have begun to implement more client side controls. Clients side controls are being used for a number of reasons: Primarily to reduce traffic from the server to the client, control input to prevent application attacks, and to effectively make the user’s experience easier. The client usually implements these in hidden form fields, or hidden in Flash or ActiveX thick-clients (Du). Unfortunately for the server though, any restrictions implemented via the clients can be altered by the user. If the user is intelligent enough, he can reverse engineer thick-client of obfuscation; but even a novice user can download a program to view the hidden form fields through. Other than the typical web browser, the user may want to do this for a number of reasons: like submit a form with a blank piece of information and proceed, change the price of an item he is buying, or even delete controls like “MaxLength” to leverage vulnerabilities such as SQL injection, cross site scripting or buffer overflows (Stuttard). Regardless of their intention, just the act of using intercepting proxies or tampering with thick clients carries heavy moral weight (Hacking without all the jail time). This paper will ethically scrutinize both: the act of tampering with hidden form fields and using intercepting proxies to edit client data, and the act of manually diffusing thick clients, using the ethical spectrum outlined in the forward.
Ethical Section One
Hidden HTML form fields are commonly used to transmit superficially unmodifiable data through the client. The server could have any number of reasons for implementing these hidden form fields, and they are often designed to make the application easier on the user. Even though they are helpful, these techniques should never be used in conjunction with crucial data or authentication, as even novice users have means of editing this information (Du). All one has to do is view the source, and copy it into an editing program. Once the user is done editing the hidden field’s logic, they simply re-load the page into the browser and send it back to the server. It is very easy to see how even novice HTML programmer can customize this data to send practically whatever they want (Du). A more talented user could even catch an HTTP POST with an intercepting proxy, and with a little finesse edit almost anything they choose. Anyway you look at it, hidden form fields are easy to edit, and not so hidden (Stuttard). This section, will ethically scrutinize both of those methods previously mentioned, and determine whether it is morally acceptable for the user to edit this important form of client side data. At the end of this section, I will provide my personal morals on the subject, along with some lessons learned through the ethical spectrum.
To properly analyze the moral predicament of editing hidden form fields from a Kantian perspective, one must run the scenario against Kant’s categorical imperatives. With the first maxim, one must universalize the idea that, “Everyone will customize their hidden form fields to submit whatever they choose.” With this idea in place, several logical paradoxes arise. For starters, these fields are no longer hidden, and now contradict their very name. These hidden form fields also no longer regulate input, but are now just stock suggestions. This means the input validations must occur on the server side as well, completely demeaning the concept of even having client side data. With the universalized idea still in place, one must consult Kant’s second maxim now. Although the client is not a human person, it must be treated as an operator or secretary for the server. By editing whatever data the user wants, the user is essentially by-passing the client and merely using it as a means to an end. The client is intended to be trusted by the server as the application that the HTTP request leaves from (Stuttard). By using an intercepting proxy, one has literally epitomized the breaking of Kant’s second maxim, and is clearly using the client as a mere stepping stone. It is glaringly obvious that editing hidden form fields is immoral from a Kantian perspective. To be a dutiful internet user, one should only interact with web servers through respectable browsers.
When observing this soft-hack method from a Rule Utilitarian outlook, one must weigh the net consequences of this action against those of not performing it. Since the act of not abusing hidden form fields is considered to be the norm, it’s net happiness will remain neutral at 0. Now, to generalize this soft-hack action, consider these hypothesizes, ”1/3 of all internet users create homepages of their own” and “3/4 of all internet users understand how hidden form fields work.” This means that when creating their own application, the average user will know of hidden form field vulnerabilities and avoid storing crucial data in these locations. This will result in a more secure, better educated internet base; resulting in what I will detonate as +25 happiness points (the secure homepages out of 100 users). Of course, if so many internet users know of these vulnerabilities, they will quickly discover the sites that were illegitimately created, resulting in a hypothetical -8 happiness points (the unsecure homepages out of 100 users). The hypothetical happiness is greater than that of not performing the act, judging it to be moral if it could be so widely adopted. It seems that by following this maxim, the more educated the internet base is, the better they can protect their own creations. Thus, the individual act of editing an insecure hidden form field could be viewed as moral from this Rule Utilitarian point of view. To help all internet users, one should exemplify the poorly constructed application and attempt to educate all other users.
When viewing this client side data editing technique from a Social Contract perspective one must clearly understand the culture. There exists millions of websites that have all been created with varying degrees of skill. If a well constructed web server catches edited input code that should have been caught by the client, it will certainly log this and alert an administrator of a potential hack. The administrator can do whatever they like; they can ban the IP or even attempt to press legal charges (Stuttard). That being understood, tons of websites exist that have these minor vulnerabilities and don’t perform server side checks. The editor of this information must be extremely aware of what they are doing, for if they attack an application they can’t handle, they will certainly pay the price. Internet society well resembles global politics, with each person being an individual country. A weaker country would not dare attack a more powerful country, as the repercussions are direct. Likewise, countries usually only start wars they think they can win. In the internet society, knowledge is power. The more you know about your target application, the better you can understand its defenses. One must take great care and time to map out the entire application, and clearly understand its logic, before beginning to tamper with it. Thus, if one can find glaring logical flaws in another’s work, and be considered ‘socially more powerful’ it is almost expected that they exploit the weaker party (Hacking without all the jail time). In essence, editing the hidden form fields is acceptable from a Social Contract stand point, but be aware of the consequences. To follow social guidelines, one should be completely aware of their relative power in a target application’s domain, and expect hostile results when submitting customized hidden data.
To analyze the scenario of editing hidden form fields with Nietzsche’s Master theory, one must seek out a competitive advantage. Through in-depth understanding of how hidden form fields work, one can easily leverage vulnerabilities over weaker parties, and even more importantly protect their own work. Simple soft-hacking can easily set one apart from the masses, and give them superior advantages. A user can quickly fill out a web form leaving nothing blank and satisfy the client appearing to be a normal user. In a blink, that user can catch his own HTTP PUT request with a proxy, and scramble all the personal information while still registering on said web server (Stuttard). This can be done quickly, in real time and allows the user to be the final judge of any data they submit, rather than the client. Thus, if one can successfully manipulate a vulnerability like this, Nietzsche would certainly deem it moral. To survive in such a malicious internet, one must learn as much as they can about security and relevant knowledge, and practice these techniques frequently to be the best in the field.
By now, it should be obvious that HTML hidden form fields are quite insecure, and that tampering with them opens an ethical can of worms. Most of these hidden form fields are extremely situational and can be difficult to apply theory to without experiencing the problem (Stuttard). Although the examples I provided offer great insight into many real-world problems, they are merely generalizations and thought experiments. The reader can draw important morals from each of the previous paragraphs, which they will hopefully meld with their own ethical theories. Ideally, the reader will develop their own moral code, which they have built from a plethora of diverse sources. Personally, I feel that the user should have the right to send whatever data they choose to the server. I understand how the server must anticipate a given form of input, where client side controls really come into play; so if a user chooses to bypass the client side controls, they should at least respect the server and not feed it incompatible data.
Ethical Section Two
Another famous method for the client to store and transmit data is through thick-clients. These are usually implemented through Java, Flash, ActiveX or byte-code. They are used with very heavy client side applications, like Flash games or Java interfaces (Stuttard). Thick-clients find a way to obfuscate code so that vital data is well concealed. The techniques work to varying degrees, although depending on the language and algorithm they can be reverse-engineered. Thick-clients are usually embedded into the code, and can vulnerabilities that the application designer might never see (Budd). It usually takes a skilled programmer, fluent in many web languages, against automated platforms or novice web designers. When fields like this are exploited, they can bypass authentication methods, edit on screen scores or grades, or even edit objects in flash games (Stuttard). Tampering with local data like this requires great skill but also carries gigantic moral implications (Hacking without all the jail time). In the following section I will ethically scrutinize this soft-hack method using the established ethical spectrum.
To properly analyze the moral predicament of editing thick-clients in heavy server side applications from a Kantian perspective, one must run the scenario against Kant’s categorical imperatives. Following Kant’s first categorical imperative one must universalize this situation, “Users should be allowed to de-obfuscate their thick-client data, and ultimately send whatever they like to the server.” If we were to attempt to universalize this law, it would completely remove the competitive element of multi-user internet games. Online gambling would go bankrupt if people submitted a perfect 21 every hand, and internet based game rankings would no longer hold the prestige that they currently get. By universalizing this scenario, all competition in these smooth running virtual machines will be eliminated, destroying the very ideal they were designed for. To progress to Kant’s second maxim, people would no longer treat these games themselves as a challenge, but rather the challenge would become focused around hacking their score. All the work put into the game would go wayside, and the designer would be constantly disrespected as users bypass the designer’s hard work. Tampering with thick-clients would defiantly be considered immoral according to Kant. To be a dutiful application user, one should respect the fact that thick-clients are used to maintain the application’s integrity.
Observing the action of editing a thick-client from a Rule Utilitarian view, one must judge if it could universally produce a greater net happiness. Assuming that no one tampers with thick-clients, I will call this neutral happiness 0. Following the Rule Utilitarian maxim, I constructed this hypothesis, “3/4 of all internet users not only understand how thick-clients work, but can actually de-obfuscate them!” If this scenario were reality, the server would have to implement more server side securities to catch cheaters and hackers. This would make these applications run much slower, as they would have to constantly communicate every normal action back to server, simulating it there as well (Stuttard). Poorly written applications would just have hackers jostling for top scores; most likely frustrating each other more than enjoying the work, resulting in -10 net happiness points. Meanwhile, well written applications would take an exuberant amount of time due to so much redundant communication; this would most likely frustrate all parties involved resulting in another -10 net happiness points. Weighing the net happiness of universalizing this maxim against the neutral happiness, one can see that if all users could de-obfuscate these thick clients than the average user would likely be less happy, as they have made their applications run slower to compensate for security holes. Therefore, one should conclude that tampering with vital thick-client information should be considered immoral from a Rule Utilitarian view. To help all internet users, one should never disclose shortcuts to de-obfuscating these thick-clients, as many generic thick-clients are embedded into a multitude of client side applications.
When scrutinizing the editing of thick-clients from a Social Contract perspective, one must abide to the rules that one had agreed to. If one is altering thick-clients on a gambling website, they are breaking the ‘terms and usage agreements’ they settled on by cheating. If one breaks any digital agreement that one made with that application, they are clearly acting immorally according to the Social Contract maxim. One should always honor agreements it has made with server, but if the application doesn’t present a ‘terms and usage agreements’ is it morally acceptable to edit the thick-client data? It is obvious that the application went through great measures to implement the thick-client security, rather than just transmitting the sensitive data via URL or hidden form fields (Stuttard). One should assume that the server admin will be very angry if they find someone tampering with their thick-client, and will certainly pursue them. It should be easy to tell that modifying critical data inside thick-clients is immoral from a Social Contract standpoint. To follow social guidelines, one should be completely aware of the ‘Terms and Usage Agreements’, and not pain-staking reverse engineer a web designer’s hard work and obfuscation algorithms.
When analyzing the issue of editing thick-clients with Nietzsche’s Master theories, one must consider survival and natural selection. A professional hacker could easily generate his income by subtly cheating on a number of different online gambling applications. If the hacker only takes a modest amount to live off of, Nietzsche would consider this to be moral. If the hacker does not get greedy, and can avoid being caught, he will become better with each excursion. Natural selection determines that only the greatest hackers will be able to remain active, giving them a strong experience advantage. Not only will this philosophy be a catalyst for the natural selection of hackers, but at the same time it will cause natural selection in the security field. As a professional hacker breaks through thick-client obfuscations, this process will weed out the weakest obfuscations, letting only the strongest survive. Nietzsche would actually consider the act of tampering with the thick-clients moral, as they lead to natural selection and the birth of the best. To survive in such a competitive internet, one must use every advantage at their exposal, and grow to be the best they can.
After analyzing this dilemma from four differing points of view, one should understand that there is never one ‘correct’ answer. Ethical philosophies can be very situational, and sometimes confusing on which philosophy is more applicable. In the end, readers should understand that the defined ethical spectrum is merely an attempt at creating an objective lens through which to view the problem. Readers should not have to side with any particular theory, but rather all theories should contribute to their understanding of the situation. A person who has seen multiple sides to an argument is more likely to make a fair, subjective moral decision. Finally, before any action is taken, one must be mentally certain and morally sure of their decision.


Conclusion
After that long ethical battle, I emerge with some shining, golden knowledge. By now, it should be clear that many web applications rely on varying degrees of client side controls. They are used for diverse and different reasons, and even the same controls can respond differently in different context (Stuttard). With all of this understood, one should take absolute care to completely understand an application before they even attempt to edit data. To understand an application, it goes beyond just understanding the language or even viewing the source of the application. One must not only understand the logical mechanism being implemented in the client control, but one must also attempt to understand all server side mechanisms (Stuttard). This can require extensive mapping of the application. Even when the user understands what they are up against, they should not yet start any type of hack or attack. Next, the user must critically and ethically evaluate their plan of action. This research paper has exposed more than just ethical theories, one important lesson that I have learned is: the more perspectives one can get on a situation the more objective insight one gains. My best advice to anyone wanting to attempt these soft-hack techniques is that you can never do too much research. Whether it is about the application, or just understanding the moral weight of the situation, it can’t hurt to sit down and think for a bit!

Works Cited – Daniel Borges
Publisher Reviewed Works-
Budd, Christopher, and Adrian Stone. "Monthly Security Bulletin Webcast Q&A." Interview. Weblog post. Microsoft Security Response Center. 16 Feb. 2009. 9 Apr. 2009 .
Du, Xaiochen, and Hong Huang. "Web application bypass testing." IEEE Xplore 28 Sept. 2004. IEEE. 9 Apr. 2009 .
Stuttard, Dafydd. The Web Application Hacker's Handbook. Indianapolis: Wiley Inc, 2008.
Quinn, Michael. Ethics of the information age. 3rd. Seattle: Addison-Wesily, 2009. Print.
Peer Reviewed Works-
Stuttard, Dafydd. "The Web Application Hacker's Handbook." Wahh. Ed. Marcus Pinto. 1 Jan. 2007. 9 Apr. 2009 .
"Hacking without all the jail time." Ha.ckers. 6 Apr. 2009. SecTheroy Security Consulting. 9 Apr. 2009 .