The era of cracked games taught us something: licensing was never just about payments. It was always about security.
Working from a single trial account, the Zerotak team activated full enterprise functionality on a Microsoft Office Add-in without touching authentication, the backend, or Microsoft identity services. No stolen credentials. No server exploit. Just the runtime logic the add-in trusted to enforce its own licensing.
The Engagement
The client builds a SaaS product distributed in part as a Microsoft Office Add-in. The question they wanted answered was narrow and practical: can a trial user obtain enterprise-level functionality without paying for it?
We modeled a realistic adversary: a legitimate user with valid trial access and the motivation to escalate their own entitlement. Scope deliberately excluded authentication bypass and backend compromise. The point was not to break in. The point was to test whether the add-in could be trusted to enforce the difference between trial and enterprise once a user was already inside.
- Industry: SaaS
- Location: Europe
- Delivery: Remote
Methodology
The assessment focused on the client-side runtime, where the add-in actually makes its licensing decisions. Our approach combined several angles:
- Desktop application security testing, covering local runtime behavior and client-side enforcement points
- Licensing and entitlement validation review, mapping how the product gates trial versus enterprise features
- Runtime manipulation, including logic tampering, state manipulation, and bypass of validation flows
- Client to service interaction testing, examining request consistency, entitlement assertions, and trust boundaries
- Reverse engineering of the client-side code, including decompilation, deobfuscation, and debugging
All testing ran against a dummy target account under controlled conditions, with no impact on real users and no operational disruption. The work was aligned with the OWASP Application Security Verification Standard and other industry standards.
Critical Finding: Enterprise License Activation via Runtime Manipulation
The add-in determined entitlement level at runtime, inside client-side code we could observe and influence. That single design choice was enough.
To reach the relevant logic, we decompiled and deobfuscated the add-in. The application shipped obfuscated, which slowed analysis but did not prevent it. Once the code was readable, we located the licensing validation logic running locally, identified the runtime state used to decide entitlement, and manipulated that state so the add-in treated a trial identity as enterprise-licensed. The result was immediate. Enterprise features became available, fully functional, with no valid enterprise license behind them.
Enterprise access was achieved solely through runtime manipulation. No authentication flaw. No server-side vulnerability. The add-in granted privileged functionality because it asked the wrong component whether the user deserved it, and that component was inside our reach.
The critical issue is structural, not a single bug. The add-in placed too much trust in client-side state to drive its licensing decisions. We influenced decision-making by interacting with the add-in in ways it did not expect, forced inconsistent entitlement states during execution, and triggered logic paths that did not re-validate entitlement at the moments that mattered. Patching one manipulation path leaves the others open as long as the architecture treats client-side state as authoritative.
The lesson here is direct. Obfuscation is not a security control. It raises the cost of analysis, but anything that runs on the client can be read, understood, and altered by whoever controls that client. Entitlement, licensing, and any decision that protects revenue or access must be validated server-side, where the user cannot reach the logic or the state behind it, and re-validated at the moment the gated action is performed rather than once at load.
What This Demonstrated
Licensing and entitlement controls can be bypassed whenever validation runs at runtime and trust boundaries depend on client-side state. Enterprise functionality was obtained from a trial account through runtime behavior alone, without exploiting authentication or backend systems.
The fix is architectural, not cosmetic. Entitlement decisions belong on the server side, behind boundaries the client cannot influence. Feature gating that carries financial weight should be validated where the attacker has no reach. Tamper-resistant mechanisms in the client still have a place, but as defense in depth that makes local manipulation expensive rather than trivial, not as the control that decides what a user is entitled to.
If your revenue depends on the difference between trial and paid, that difference has to be enforced somewhere the user cannot edit. A login screen is not your only attack surface. Sometimes the most valuable thing in your product is the line between two tiers, and that line is often the least tested.
Test your licensing before your trial users do it for you.
Zerotak's application security testing covers the full client-side attack surface: Office and desktop add-ins, entitlement and licensing enforcement, runtime tampering, and trust boundary design. Methodology aligned with OWASP ASVS and MITRE ATT&CK, delivered remotely with zero disruption to your production environment.
If your product enforces anything on the client, assume someone will test that boundary. Better us than them. Real findings, real remediation, zero disruption to production. Contact us at contact@zerotak.com