Thick Client Penetration Testing
Thick client pentesting is the security testing of desktop or rich-client applications, such as native Windows, Java or .NET programs. It is not only about the server: we also examine how the application stores data on the local machine, how it communicates with the server, and whether it can be tampered with or reverse-engineered.
Stay Updated with Official OWASP Guide: https://owasp.org/www-project-desktop-app-security-top-10/
Amazing Resources
| S.N | Credit | Resources links |
|---|---|---|
| 1. | CyberArk | Thick Client Penetration Testing Methodology |
| 2. | Dark Relay | Thick Client Penetration Testing |
| 3. | Payatu | Thick Client Penetration Testing |
| 4. | QualySec | Thick Client Pen Testing: A Comprehensive Guide |
| 5. | Medium | Thick Client Security Testing: The Essential Guide |
| 6. | Infosec Writeups | Thick Client Pentest: Modern Approaches and Techniques (Part 1) |
| 7. | Threat Intelligence | Thick Client Application Penetration Test |
Common Tools
| S.N | Common Tools | Category | Common Vulnerability |
|---|---|---|---|
| 1. | Fiddler/Burpsuite/Echo Mirage | Dynamic Analysis & Traffic Interception | Man-in-the-Middle (MITM) Attacks, Common Web Application Testing |
| 2. | Procmon | Process Monitoring | DLL Hijacking, Insecure File Storage |
| 3. | Strings.exe | Static Analysis | Information Disclosure |
| 4. | Sysinternals Suite | System Analysis | Multiple Tools combination for different task |
| 5. | Nmap | Network Scanning | Open Ports & Service Enumeration |
| 6. | Testssl | SSL/TLS Testing | Weak SSL/TLS Configurations |
| 7. | Process Hacker | Process Monitoring | Memory Manipulation, Memory Dump |
| 8. | Dnspy/ Dot Peek/ VB decompiler | Reverse Engineering/Decompilation | Source Code Disclosure |
| 9. | de4dot | Reverse Engineering/Deobfuscation | Deobfuscation of .NET Assemblies |
| 10. | Wireshark | Packet Analysis | Unencrypted Data Exposure |
| 11. | Ollydbg | Debugging/Reverse Engineering | Binary Manipulation |
| 12. | .Net Reflector | Reverse Engineering/Decompilation | Application Logic Flaws |
| 13. | Winhex | Forensic Analysis | Data Extraction & Recovery |
| 14. | SigCheck | File Integrity Verification | Verification of Digital Signatures |
| 15. | Ghidra | Binary Analysis & Reverse Engineering | Static & Dynamic Binary Analysis |
| 16. | Radare2 | Binary Analysis & Reverse Engineering | Malware Analysis, Vulnerability Discovery |
| 17. | IDA Pro | Binary Analysis & Reverse Engineering | Disassembly & Reverse Engineering |
Common programming languages used for Thick Client application development
| S.N | Language |
|---|---|
| 1. | .NET |
| 2. | Java |
| 3. | C/C++ |
| 4. | Microsoft Silverlight |
Common Vulnerability
| S.N | Vulnerability |
|---|---|
| 1. | Hard-Coded Secrets in source code |
| 2. | Insecure Communication |
| 3. | Buffer Overflow |
| 4. | DLL Hijacking |
| 5. | DEBUG is enabled |
| 6. | SQL Injection |
| 7. | Improper Exception Handling |
| 8. | Command Injection |
| 9. | Information Disclosure by Stack Trace Error |
| 10. | Insecure Direct Object References (IDOR) |
| 11. | Security Misconfiguration |
| 12. | Unvalidated Redirects and Forwards |
| 13. | Broken Authentication |
| 14. | Insecure Deserialization |
| 15. | Missing Function-Level Access Control |
| 16. | Remote Code Execution (RCE) |
| 17. | Application Logs in Clear Text |
Check List
| S.N | Credit | Resources links |
|---|---|---|
| 1. | Hari-prasaanth | Thick Client Pentest Checklist |
| 2. | m14r41 | PentestingEverything Repository |
Github Resources
| S.N | Credit | Resources Links |
|---|---|---|
| 1. | RaKKeN | RaKKeN - Thick Client Penetration Testing |
Vulnerable Thick Client Application
| S.N | Credit | Resources Links |
|---|---|---|
| 1. | srini0x00 | DVTA |
| 2. | kartikdurg | Terrible Thick Client |
| 3. | Warxim | Vucsa |
| 4. | DarkRelayLabs | VWA |
| 5. | NetSPI | BetaFast |
THICK CLIENT PENTESTING CHECKLIST
INFORMATION GATHERING
1. Information Gathering
- Find out the application architecture (two-tier or three-tier)
- Find out the technologies used (languages and frameworks)
- Identify network communication
- Observe the application process
- Observe each functionality and behavior of the application
- Identify all the entry points
- Analyze the security mechanism (authorization and authentication)
2. Tools Used
GUI TESTING
1. Test For GUI Object Permission
- Display hidden form object
- Try to activate disabled functionalities
- Try to uncover the masked password
2. Test GUI Content
- Look for sensitive information
3. Test For GUI Logic
- Try for access control and injection-based vulnerabilities
- Bypass controls by utilizing intended GUI functionality
- Check improper error handling
- Check weak input sanitization
- Try privilege escalation (unlocking admin features to normal users)
- Try payment manipulation
4. Tools Used
FILE TESTING
1. Test For Files Permission
- Check permission for each and every file and folder
2. Test For File Continuity
- Check strong naming
- Authenticate code signing
3. Test For File Content Debugging
- Look for sensitive information on the file system (symbols, sensitive)
- Look for sensitive information in the config file
- Look for hardcoded encryption data
- Look for clear text storage of sensitive data
- Look for side-channel data leakage
- Look for unreliable logs
4. Test For File And Content Manipulation
- Try framework backdooring
- Try DLL preloading
- Perform race condition check
- Test for files and content replacement
- Test for client-side protection bypass using reverse engineering
5. Test For Function Exported
- Try to find the exported functions
- Try to use the exported functions without authentication
6. Test For Public Methods
- Make a wrapper to gain access to public methods without authentication
7. Test For Decompile And Application Rebuild
- Try to recover the original source code, passwords, keys
- Try to decompile the application
- Try to rebuild the application
- Try to patch the application
8. Test For Decryption And Deobfuscation
- Try to recover original source code
- Try to retrieve passwords and keys
- Test for lack of obfuscation
9. Test For Disassemble And Reassemble
- Try to build a patched assembly
10. Tools Used
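Item 1 (file permissions) and item 4 (DLL preloading) above come down to one question: can a low-privileged user write to anything the application loads or executes? The script below is an added example, not part of the original checklist or any of the linked resources. It parses the text that `icacls "<install dir>" /t` prints and flags files or folders where a broad principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) holds a write, modify, full-control or delete right. The sample icacls output is constructed, and the principal list and rights mapping are assumptions drawn from the documented icacls output format.

```python
"""Audit an icacls dump of a thick client's install directory for entries
that low-privileged principals can modify (DLL preloading / binary replacement).

Added example (not the checklist's own tooling). Input is produced on the target
with:  icacls "C:\Program Files\<App>" /t > acl.txt
"""
import re
from collections import defaultdict

# Assumption: write access for any of these principals is a finding.
BROAD_PRINCIPALS = {
    "Everyone",
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}

# Assumption: icacls simple rights (F, M, W, D) and granular write/delete
# rights that let the holder replace or alter content or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO", "GW", "GA"}

# One icacls line is "<path> <principal>:(flag)(flag)..."; continuation lines
# carry only the ACE, indented, and belong to the previous path.
ACE_RE = re.compile(
    r"^(?P<head>.*?)(?<![^\s])"
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|APPLICATION PACKAGE AUTHORITY|BUILTIN)\\[^:\\]+"
    r"|CREATOR OWNER|[^\s:\\]+(?:\\[^\s:\\]+)?)"
    r":(?P<rights>(?:\([^()]*\))+)\s*$"
)


def parse_icacls(output: str) -> dict:
    """Return {path: [(principal, {right, ...}), ...]} from icacls text output."""
    acl = defaultdict(list)
    current = None
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        head = m.group("head").strip()
        if head:
            current = head  # a new path; continuation lines keep the last one
        if current is None:
            continue
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", m.group("rights")):
            tokens.update(t.strip() for t in group.split(","))  # "(RX,W)" -> RX, W
        acl[current].append((m.group("principal"), tokens))
    return dict(acl)


def low_priv_writable(acl: dict) -> list:
    """List (path, principal, sorted rights) where a broad principal can write."""
    findings = []
    for path, aces in acl.items():
        for principal, rights in aces:
            if principal in BROAD_PRINCIPALS and "DENY" not in rights and rights & WRITE_RIGHTS:
                findings.append((path, principal, sorted(rights)))
    return findings


# Constructed sample: a plugin DLL modifiable by Users and a cache folder open to Everyone.
SAMPLE_ICACLS = r"""C:\Program Files\DemoClient\DemoClient.exe NT AUTHORITY\SYSTEM:(I)(F)
                                             BUILTIN\Administrators:(I)(F)
                                             BUILTIN\Users:(I)(RX)
C:\Program Files\DemoClient\plugins\helper.dll NT AUTHORITY\SYSTEM:(I)(F)
                                                  BUILTIN\Users:(I)(M)
C:\ProgramData\DemoClient\cache Everyone:(OI)(CI)(F)
                                  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX,W)

Successfully processed 3 files; Failed processing 0 files
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ICACLS
    for path, principal, rights in low_priv_writable(parse_icacls(text)):
        print(f"WRITABLE  {path}  by {principal}  rights={','.join(rights)}")
```

Run it against a saved `acl.txt` or with no argument to see the three findings from the constructed sample; anything it prints under `Program Files` should be fixed by removing the write grant rather than by relying on the application to validate what it loads.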
REGISTRY TESTING
1. Test For Registry Permissions
- Check read access to the registry keys
- Check write access to the registry keys
2. Test For Registry Contents
- Inspect the registry contents
- Check for sensitive info stored in the registry
- Compare the registry before and after executing the application
3. Test For Registry Manipulation
- Try for registry manipulation
- Try to bypass authentication by registry manipulation
- Try to bypass authorization by registry manipulation
4. Tools Used
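Item 2 above ("compare the registry before and after executing the application" and "check for sensitive info stored in the registry") is usually done by exporting a hive with `reg export` twice and diffing. The following is an added example, not code from the checklist or its linked resources: it parses two `.reg` exports, reports keys and values that appeared or changed after the application ran, and flags value names that look like credentials. Both exports are constructed, and the keyword list used to flag names is an assumption.

```python
"""Diff two Windows registry exports (.reg) taken before and after running a
thick client, and flag new or changed values whose names suggest secrets.

Added example (not the checklist's own tooling). Produce the inputs with
  reg export HKCU\Software\<App> before.reg   (run the app, log in, ...)
  reg export HKCU\Software\<App> after.reg
reg export writes UTF-16LE, so open real files with encoding="utf-16".
"""
import re

# Assumption: value names matching these fragments deserve a manual look.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token|apikey|api_key|licen[cs]e|credential", re.I)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: raw_value}} from .reg export text."""
    reg = {}
    current = None
    pending = ""  # .reg wraps long hex values with a trailing backslash
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # continued on the next line
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        reg[current][name] = value  # raw form: "string", dword:..., hex:...
    return reg


def diff_reg(before: dict, after: dict) -> dict:
    """Keys that are new in `after`, plus values that are new or changed."""
    added_keys = sorted(k for k in after if k not in before)
    changed = []  # (key, name, old_value_or_None, new_value)
    for key, values in after.items():
        old = before.get(key, {})
        for name, new_val in values.items():
            if old.get(name) != new_val:
                changed.append((key, name, old.get(name), new_val))
    return {"added_keys": added_keys, "changed_values": changed}


def sensitive_findings(delta: dict) -> list:
    """(key, name, new_value) for changed values with a credential-like name."""
    return [(k, n, v) for k, n, _, v in delta["changed_values"] if SENSITIVE_NAME.search(n)]


# Constructed exports: after login the app leaves a token and a hex-encoded password behind.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\DemoClient]
"InstallDir"="C:\\Program Files\\DemoClient"
"Version"="2.4.1"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\DemoClient]
"InstallDir"="C:\\Program Files\\DemoClient"
"Version"="2.4.1"
"LastUser"="alice"

[HKEY_CURRENT_USER\Software\DemoClient\Session]
"Server"="https://api.demo.example"
"SessionToken"="constructed-opaque-token-value"
"SavedPassword"=hex:53,65,63,72,65,74,\
  31,32,33
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        before = parse_reg(open(sys.argv[1], encoding="utf-16").read())
        after = parse_reg(open(sys.argv[2], encoding="utf-16").read())
    else:
        before, after = parse_reg(BEFORE), parse_reg(AFTER)
    delta = diff_reg(before, after)
    for key in delta["added_keys"]:
        print("NEW KEY  ", key)
    for key, name, old, new in delta["changed_values"]:
        print("CHANGED  ", key, name, old, "->", new)
    for key, name, value in sensitive_findings(delta):
        print("SENSITIVE", key, name, value)
```

A hit from `sensitive_findings` is the starting point, not the conclusion: confirm what the value holds and whether it is protected (for example with DPAPI) before reporting clear-text storage of credentials.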
NETWORK TESTING
1. Test For Network
- Check for sensitive data in transit
- Try to bypass firewall rules
- Try to manipulate network traffic
2. Tools Used
ASSEMBLY TESTING
1. Test For Assembly
- Verify Address Space Layout Randomization (ASLR)
- Verify SafeSEH
- Verify Data Execution Prevention (DEP)
- Verify strong naming
- Verify ControlFlowGuard
- Verify HighentropyVA
2. Tools Used
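Most of the checks in item 1 above are answered by two header fields in the PE image: `Characteristics` in the COFF file header and `DllCharacteristics` in the optional header. The script below is an added example, not code from the checklist or its linked resources. It reads those fields directly and reports ASLR (DYNAMIC_BASE, and whether relocations were stripped, which makes the flag ineffective), DEP (NX_COMPAT), Control Flow Guard (GUARD_CF) and High Entropy VA. SafeSEH lives in the Load Config directory and strong naming in the CLR header; neither is parsed here, so for SEH the script only reports the NO_SEH flag. The two sample images are constructed header-only blobs; the offsets and flag values are those of the PE/COFF specification.

```python
"""Report exploit mitigations recorded in a PE image's headers.

Added example (not the checklist's own tooling). Usage: python pe_mitigations.py app.exe
With no argument it checks two constructed sample headers.
"""
import struct

# IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020

# IMAGE_OPTIONAL_HEADER.DllCharacteristics
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
FORCE_INTEGRITY = 0x0080
NX_COMPAT = 0x0100
NO_SEH = 0x0400
GUARD_CF = 0x4000

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def parse_mitigations(image: bytes) -> dict:
    """Walk MZ -> PE -> COFF -> optional header and decode the mitigation flags."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsec, _ts, _symp, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < DLLCHARS_OFFSET + 2:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    (dllchars,) = struct.unpack_from("<H", image, opt + DLLCHARS_OFFSET)
    is_64 = magic == PE32PLUS_MAGIC
    wants_aslr = bool(dllchars & DYNAMIC_BASE)
    relocs_stripped = bool(chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": is_64,
        # DYNAMIC_BASE alone is not enough: with relocations stripped the
        # loader cannot rebase the image, so the flag buys nothing.
        "aslr": wants_aslr and not relocs_stripped,
        "aslr_flag_without_relocs": wants_aslr and relocs_stripped,
        "dep": bool(dllchars & NX_COMPAT),
        "high_entropy_va": is_64 and wants_aslr and bool(dllchars & HIGH_ENTROPY_VA),
        "cfg": bool(dllchars & GUARD_CF),
        "force_integrity": bool(dllchars & FORCE_INTEGRITY),
        "no_seh": bool(dllchars & NO_SEH),
    }


def findings(report: dict) -> list:
    """Human-readable list of missing mitigations; empty means all checks passed."""
    out = []
    if report["aslr_flag_without_relocs"]:
        out.append("ASLR: DYNAMIC_BASE set but relocations stripped (ineffective)")
    elif not report["aslr"]:
        out.append("ASLR: DYNAMIC_BASE not set")
    if not report["dep"]:
        out.append("DEP: NX_COMPAT not set")
    if report["pe32plus"] and not report["high_entropy_va"]:
        out.append("HighEntropyVA: not enabled on 64-bit image")
    if not report["cfg"]:
        out.append("CFG: GUARD_CF not set")
    return out


def build_sample(magic: int, file_chars: int, dll_chars: int) -> bytes:
    """Constructed header-only PE blob (no sections) used for demonstration."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHARS_OFFSET, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a fully hardened x64 image and a 32-bit image whose
# DYNAMIC_BASE flag is undermined by stripped relocations.
SAMPLE_HARDENED = build_sample(PE32PLUS_MAGIC, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE,
                               HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | GUARD_CF)
SAMPLE_WEAK = build_sample(PE32_MAGIC, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_RELOCS_STRIPPED, DYNAMIC_BASE)

if __name__ == "__main__":
    import sys
    images = {"hardened-sample": SAMPLE_HARDENED, "weak-sample": SAMPLE_WEAK}
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            images[path] = fh.read()
    for name, data in images.items():
        print(name, findings(parse_mitigations(data)) or ["all checked mitigations present"])
```

Run it over every EXE and DLL the client ships, not just the main executable: one unhardened third-party DLL loaded into the process weakens the whole image.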
MEMORY TESTING
1. Test For Memory Content
- Check for sensitive data stored in memory
2. Test For Memory Manipulation
- Try for memory manipulation
- Try to bypass authentication by memory manipulation
- Try to bypass authorization by memory manipulation
3. Test For Runtime Manipulation
- Try to analyze the dump file
- Check for process replacement
- Check for modifying assembly in the memory
- Try to debug the application
- Try to identify dangerous functions
- Use breakpoints to test each and every functionality
4. Tools Used
TRAFFIC TESTING
1. Test For Traffic
- Analyze the flow of network traffic
- Try to find sensitive data in transit
2. Tools Used
COMMON VULNERABILITIES TESTING
1. Test For Common Vulnerabilities
- Try to decompile the application
- Try reverse engineering
- Try to test with OWASP WEB Top 10
- Try to test with OWASP API Top 10
- Test for DLL Hijacking
- Test for signature checks (Use Sigcheck)
- Test for binary analysis (Use Binscope)
- Test for business logic errors
- Test for TCP/UDP attacks
- Test with automated scanning tools (Use VisualCode Grepper - VCG)
Thick Client Application Security Testing
Thick client applications are applications installed locally on a user's desktop or laptop. They are full-featured and can run independently without an Internet connection, unlike web applications, which need to be connected to the Internet all the time. Some examples of thick client applications are:
- Computer games like Call of Duty, Uncharted, etc.
- Web browsers
- Music players
- Video and chat tools like Teams, Zoom, Slack, etc.
Thick client applications come in two flavors
| Two-Tier Applications | Three-Tier Applications |
|---|---|
| These are self-contained applications where the server/database and client are installed on the same machine or the same internal network. Traffic from the thick client goes to the server directly without passing through an intermediary like the Internet or an application server. | These applications can connect over the Internet and have their business logic processed by an application server. The thick client resides on the user's desktop while the application server and database might be present elsewhere. Network connections and interactions typically happen over HTTP/S, which allows for traditional requests and responses to occur. In addition, some thick clients may use alternate protocols like FTP/S, TCP, UDP, etc. |
| Tool Name | Description |
|---|---|
| Echo Mirage | This is the Swiss army knife of thick client testing tools. Echo Mirage, which is similar to Burp / OWASP Zap, allows for traffic between client and server to be intercepted. Unlike Burp, there is no certificate to be installed locally (even though Echo Mirage can intercept encrypted traffic between client and server). |
| Sysinternals Suite | This comprehensive suite of tools from Microsoft allows testers to see what processes are spawned by the thick client application and the registry entries created or accessed by the thick client. Procmon and Regmon are two of the common tools in Sysinternals used to check for processes and registry entries. The suite also contains many other tools. |
| Mallory | This Linux-based tool can be used to capture TCP / UDP traffic. |
| dnspy | .Net based thick clients may have hardcoded data or source code which may not be obfuscated. dnSpy allows for deobfuscation and inspection of DLL files. |
| NoPE Burp Extension | Burp has an invisible proxy mode which allows for capturing traffic from proxy-unaware thick clients. This can be done by binding the loopback address to the remote domain / IP address. The BApp Store has the NoPE Burp Extension, which is a good add-on for working with thick client traffic. |
| Java Snoop | For Java thick clients, this allows for interception of any method in the JVM. Java Snoop works on existing Java processes by attaching itself to the running process. |
| Ollydbg | Useful for reverse-engineering EXE and DLL files. Hex Editors and Strings are other tools which can be useful when searching for strings / keywords. |
| Nmap | Useful for inspecting ports used by the thick client. |
| Spy++ | This ships with Visual Studio and can be used for GUI Tampering. |
| S.N | Credits |
|---|---|
| 1 | Viraj Moto |
| 2 | optiv.com |
| S.N | On the Basis of | Thin Client | Thick Client |
|---|---|---|---|
| 1. | Basic | Thin client is a lightweight computer that relies on the resources of the host computer. | The thick client relies lightly upon the server and provides rich functionality. |
| 2. | Datastore | In thin client, data is stored in servers. | In thick client, data is stored locally. |
| 3. | Network Latency | In thin client, a fast and robust network connection is required. | It can work with a slow network connection. |
| 4. | Offline Working | There is no offline working. | Offline working is possible in thick client. |
| 5. | Deployment | The deployment is easier in thin client. | Unlike the thin client, the deployment in thick client is expensive. |
| 6. | Data Validation | In thin client, the data verification is done at the server side. | In thick client, the data verification is done at the client side. |
| 7. | Local Resources | It generally consumes less local resources. | Unlike thin client, it consumes more local resources. |
| 8. | Security | In terms of security, they are more secure than thick clients as they have fewer security threats. | In terms of security, they are less secure than thin clients as they have more security threats. |