12 min read Intermediate Desktop

Thick Client Penetration Testing

Thick client pentesting is basically testing desktop or rich applications like Windows or Java/.net apps to see if there are any security holes. It's not just about the server, we also look at how the app stores data on the computer, how it talks to the server, and whether someone could tamper with it or reverse-engineer.

Stay Updated with Official OWASP Guide: https://owasp.org/www-project-desktop-app-security-top-10/

Amazing Resources

S.N	Credit	Resources links
1.	CyberArk	Thick Client Penetration Testing Methodology
2.	Dark Relay	Thick Client Penetration Testing
3.	Payatu	Thick Client Penetration Testing
4.	QualySec	Thick Client Pen Testing: A Comprehensive Guide
5.	Medium	Thick Client Security Testing: The Essential Guide
6.	Infosec Writeups	Thick Client Pentest: Modern Approaches and Techniques (Part 1)
7.	Threat Intelligence	Thick Client Application Penetration Test

Common Tools

S.N	Common Tools	Category	Common Vulnerability
1.	Fiddler/Burpsuite/Echo Mirage	Dynamic Analysis & Traffic Interception	Man-in-the-Middle (MITM) Attacks,Common Web Application Testing
2.	Procmon	Process Monitoring	DLL Hijacking, Insecure File Stoarge
3.	Strings.exe	Static Analysis	Information Disclosure
4.	Sysinternals Suite	System Analysis	Multiple Tools combination for different task
5.	Nmap	Network Scanning	Open Ports & Service Enumeration
6.	Testssl	SSL/TLS Testing	Weak SSL/TLS Configurations
7.	Process Hacker	Process Monitoring	Memory Manipulationm memory dump
8.	Dnspy/ Dot Peek/ VB decompiler	Reverse Engineering/Decompilation	Source Code Disclosure
9.	de4dot	Reverse Engineering/Deobfuscation	Deobfuscation of .NET Assemblies
10.	Wireshark	Packet Analysis	Unencrypted Data Exposure
11.	Ollydbg	Debugging/Reverse Engineering	Binary Manipulation
12.	.Net Reflector	Reverse Engineering/Decompilation	Application Logic Flaws
13.	Winhex	Forensic Analysis	Data Extraction & Recovery
14.	SigCheck	File Integrity Verification	Verification of Digital Signatures
15.	Ghidra	Binary Analysis & Reverse Engineering	Static & Dynamic Binary Analysis
16.	Radare2	Binary Analysis & Reverse Engineering	Malware Analysis, Vulnerability Discovery
17.	IDA Pro	Binary Analysis & Reverse Engineering	Disassembly & Reverse Engineering

Commaon programming laguage used for Thick Client application development

S.N	Language
1.	.NET
2.	Java
3.	C/C++
4.	Microsoft Silverlight

Common Vulnerability

S.N	Vulnerability
1.	Hard-Coded Secrets in source code
2.	Insecure Communication
3.	Buffer Overflow
4.	DLL Hijacking
5.	DEBUG is enabled
6.	SQL Injection
7.	Improper Exception Handling
8.	Command Injection
9.	Information Disclosure by Stack Trace Error
10.	Insecure Direct Object References (IDOR)
11.	Security Misconfiguration
12.	Unvalidated Redirects and Forwards
13.	Broken Authentication
14.	Insecure Deserialization
15.	Missing Function-Level Access Control
16.	Remote Code Execution (RCE)
17.	Application Logs in Clear Text

Check List

S.N	Credit	Resources links
1.	Hari-prasaanth	Thick Client Pentest Checklist
2.	m14r41	PentestingEverything Repository

Github Resouces

S.N	Credit	Resources Links
1.	RaKKeN	RaKKeN - Thick Client Penetration Testing

Vulnerable Thick Client Application

S.N	Credit	Resources Links
1.	srini0x00	DVTA
2.	kartikdurg	Terrible Thick Client
3.	Warxim	Vucsa
4.	DarkRelayLabs	VWA
5.	NetSPI	BetaFast

THICK CLIENT PENTESTING CHECKLIST

INFORMATION GATHERING

1. Information Gathering

☐ Find out the application architecture (two-tier or three-tier)
☐ Find out the technologies used (languages and frameworks)
☐ Identify network communication
☐ Observe the application process
☐ Observe each functionality and behavior of the application
☐ Identify all the entry points
☐ Analyze the security mechanism (authorization and authentication)

2. Tools Used

GUI TESTING

1. Test For GUI Object Permission

☐ Display hidden form object
☐ Try to activate disabled functionalities
☐ Try to uncover the masked password

2. Test GUI Content

☐ Look for sensitive information

3. Test For GUI Logic

☐ Try for access control and injection-based vulnerabilities
☐ Bypass controls by utilizing intended GUI functionality
☐ Check improper error handling
☐ Check weak input sanitization
☐ Try privilege escalation (unlocking admin features to normal users)
☐ Try payment manipulation

4. Tools Used

FILE TESTING

1. Test For Files Permission

☐ Check permission for each and every file and folder

2. Test For File Continuity

☐ Check strong naming
☐ Authenticate code signing

3. Test For File Content Debugging

☐ Look for sensitive information on the file system (symbols, sensitive)
☐ Look for sensitive information in the config file
☐ Look for hardcoded encryption data
☐ Look for clear text storage of sensitive data
☐ Look for side-channel data leakage
☐ Look for unreliable logs

4. Test For File And Content Manipulation

☐ Try framework backdooring
☐ Try DLL preloading
☐ Perform race condition check
☐ Test for files and content replacement
☐ Test for client-side protection bypass using reverse engineering

5. Test For Function Exported

☐ Try to find the exported functions
☐ Try to use the exported functions without authentication

6. Test For Public Methods

☐ Make a wrapper to gain access to public methods without authentication

7. Test For Decompile And Application Rebuild

☐ Try to recover the original source code, passwords, keys
☐ Try to decompile the application
☐ Try to rebuild the application
☐ Try to patch the application

8. Test For Decryption And Deobfuscation

☐ Try to recover original source code
☐ Try to retrieve passwords and keys
☐ Test for lack of obfuscation

9. Test For Disassemble And Reassemble

☐ Try to build a patched assembly

10. Tools Used

REGISTRY TESTING

1. Test For Registry Permissions

☐ Check read access to the registry keys
☐ Check write access to the registry keys

2. Test For Registry Contents

☐ Inspect the registry contents
☐ Check for sensitive info stored in the registry
☐ Compare the registry before and after executing the application

3. Test For Registry Manipulation

☐ Try for registry manipulation
☐ Try to bypass authentication by registry manipulation
☐ Try to bypass authorization by registry manipulation

4. Tools Used

☐ Regshot
☐ Procmon
☐ AccessEnum

NETWORK TESTING

1. Test For Network

☐ Check for sensitive data in transit
☐ Try to bypass firewall rules
☐ Try to manipulate network traffic

2. Tools Used

☐ Wireshark
☐ TCPView

ASSEMBLY TESTING

1. Test For Assembly

☐ Verify Address Space Layout Randomization (ASLR)
☐ Verify SafeSEH
☐ Verify Data Execution Prevention (DEP)
☐ Verify strong naming
☐ Verify ControlFlowGuard
☐ Verify HighentropyVA

2. Tools Used

☐ PESecurity

MEMORY TESTING

1. Test For Memory Content

☐ Check for sensitive data stored in memory

2. Test For Memory Manipulation

☐ Try for memory manipulation
☐ Try to bypass authentication by memory manipulation
☐ Try to bypass authorization by memory manipulation

3. Test For Runtime Manipulation

☐ Try to analyze the dump file
☐ Check for process replacement
☐ Check for modifying assembly in the memory
☐ Try to debug the application
☐ Try to identify dangerous functions
☐ Use breakpoints to test each and every functionality

4. Tools Used

☐ Process Hacker
☐ HxD
☐ Strings

TRAFFIC TESTING

1. Test For Traffic

☐ Analyze the flow of network traffic
☐ Try to find sensitive data in transit

2. Tools Used

COMMON VULNERABILITIES TESTING

1. Test For Common Vulnerabilities

☐ Try to decompile the application
☐ Try reverse engineering
☐ Try to test with OWASP WEB Top 10
☐ Try to test with OWASP API Top 10
☐ Test for DLL Hijacking
☐ Test for signature checks (Use Sigcheck)
☐ Test for binary analysis (Use Binscope)
☐ Test for business logic errors
☐ Test for TCP/UDP attacks
☐ Test with automated scanning tools (Use VisualCode Grepper - VCG)

Thick Client Application Security Testing

Thick client applications are any that are installed locally on a user's desktop/laptop. These applications are full-featured and can run independently without being connected to the Internet, unlike web applications, which need to be connected to the Internet all the time. Some examples of thick client applications are:

Computer games like Call of Duty, Uncharted, etc.
Web browsers
Music players
Video and chat tools like Teams, Zoom, Slack, etc.

Thick client applications come in two flavors

Two-Tier Applications	Three-Tier Applications
These are self-contained applications where the server/database and client are installed on the same machine or same internal network. Traffic from the thick client goes to the server directly without passing through an intermediary like the Internet or application server	These applications can connect over the Internet and have their business logic processed by an application server. The thick client resides on the user's desktop while the application server and database might be present elsewhere. Network connections and interactions typically usually happen using HTTP/S protocols, which allow for traditional requests / responses to occur. In addition, some thick clients may use alternate protocols like FTP/S, TCP, UDP, etc

Two-Tier Applications

Three-Tier Applications

These are self-contained applications where the server/database and client are installed on the same machine or same internal network. Traffic from the thick client goes to the server directly without passing through an intermediary like the Internet or application server

These applications can connect over the Internet and have their business logic processed by an application server. The thick client resides on the user's desktop while the application server and database might be present elsewhere. Network connections and interactions typically usually happen using HTTP/S protocols, which allow for traditional requests / responses to occur. In addition, some thick clients may use alternate protocols like FTP/S, TCP, UDP, etc

Tool Name	Description
Echo Mirage	This is the Swiss army knife of thick client testing tools. Echo Mirage, which is similar to Burp / OWASP Zap, allows for traffic between client and server to be intercepted. Unlike Burp, there is no certificate to be installed locally (even though Echo Mirage can intercept encrypted traffic between client and server).
Sysinternals Suite	This comprehensive suite of tools from Microsoft allows testers to see what processes are spawned by the thick client application and the registry entries created or accessed by the thick client. Procmon and Regmon are two of the common tools in Sysinternals used to check for processes and registry entries. The suite also contains many other tools.
Mallory	This Linux-based tool can be used to capture TCP / UDP traffic.
dnspy	.Net based thick clients may have hardcoded data or source code which may not be obfuscated. dnSpy allows for deobfuscation and inspection of DLL files.
NoPE Burp Extension	Burp has an invisible mode which allows for capturing traffic for proxy-unaware thick clients. This can be done by binding the loopback address to the remote domain / IP address. BAPP has NoPE Burp Extension, which is a good add-on for working with thick client traffic.
Java Snoop	For Java thick clients, this allows for interception of any method in the JVM. Java Snoop works on existing Java processes by attaching itself to the running process.
Ollydbg	Useful for reverse-engineering EXE and DLL files. Hex Editors and Strings are other tools which can be useful when searching for strings / keywords.
Nmap	Useful for inspecting ports used by the thick client.
Spy++	This ships with Visual Studio and can be used for GUI Tampering.

S.N	Credits
1	Viraj Moto
2	optiv.com

S.N	On the Basis of	Thin Client	Thick Client
1.	Basic	Thin client is a lightweight computer that relies on the resources of the host computer.	The thick client relies lightly upon the server and provides rich functionality.
2.	Datastore	In thin client, data is stored in servers.	In thick client, data is stored locally.
3.	Network Latency	In thin client, a fast and robust network connection is required.	It can work with a slow network connection.
4.	Offline Working	There is no offline working.	Offline working is possible in thick client.
5.	Deployment	The deployment is easier in thin client.	Unlike the thin client, the deployment in thick client is expensive.
6.	Data Validation	In thin client, the data verification is done at the server side.	In thick client, the data verification is done at the client side.
7.	Local Resources	It generally consumes less local resources.	Unlike thin client, it consumes more local resources.
8.	Security	In terms of security, they are more secure than thick clients as they have fewer security threats.	In terms of security, they are less secure than thin clients as they have more security threats.

Amazing Resources​

Common Tools​

Commaon programming laguage used for Thick Client application development​

Common Vulnerability​

Check List​

Github Resouces​

Vulnerable Thick Client Application​

THICK CLIENT PENTESTING CHECKLIST

INFORMATION GATHERING​

1. Information Gathering​

2. Tools Used​

GUI TESTING​

1. Test For GUI Object Permission​

2. Test GUI Content​

3. Test For GUI Logic​

4. Tools Used​

FILE TESTING​

1. Test For Files Permission​

2. Test For File Continuity​

3. Test For File Content Debugging​

4. Test For File And Content Manipulation​

5. Test For Function Exported​

6. Test For Public Methods​

7. Test For Decompile And Application Rebuild​

8. Test For Decryption And Deobfuscation​

9. Test For Disassemble And Reassemble​

10. Tools Used​

REGISTRY TESTING​

1. Test For Registry Permissions​

2. Test For Registry Contents​

3. Test For Registry Manipulation​

4. Tools Used​

NETWORK TESTING​

1. Test For Network​

2. Tools Used​

ASSEMBLY TESTING​

1. Test For Assembly​

2. Tools Used​

MEMORY TESTING​

1. Test For Memory Content​

2. Test For Memory Manipulation​

3. Test For Runtime Manipulation​

4. Tools Used​

TRAFFIC TESTING​

1. Test For Traffic​

2. Tools Used​

COMMON VULNERABILITIES TESTING​

1. Test For Common Vulnerabilities​

Thick Client Application Security Testing​

Amazing Resources

Common Tools

Commaon programming laguage used for Thick Client application development

Common Vulnerability

Check List

Github Resouces

Vulnerable Thick Client Application

INFORMATION GATHERING

1. Information Gathering

2. Tools Used

GUI TESTING

1. Test For GUI Object Permission

2. Test GUI Content

3. Test For GUI Logic

4. Tools Used

FILE TESTING

1. Test For Files Permission

2. Test For File Continuity

3. Test For File Content Debugging

4. Test For File And Content Manipulation

5. Test For Function Exported

6. Test For Public Methods

7. Test For Decompile And Application Rebuild

8. Test For Decryption And Deobfuscation

9. Test For Disassemble And Reassemble

10. Tools Used

REGISTRY TESTING

1. Test For Registry Permissions

2. Test For Registry Contents

3. Test For Registry Manipulation

4. Tools Used

NETWORK TESTING

1. Test For Network

2. Tools Used

ASSEMBLY TESTING

1. Test For Assembly

2. Tools Used

MEMORY TESTING

1. Test For Memory Content

2. Test For Memory Manipulation

3. Test For Runtime Manipulation

4. Tools Used

TRAFFIC TESTING

1. Test For Traffic

2. Tools Used

COMMON VULNERABILITIES TESTING

1. Test For Common Vulnerabilities

Thick Client Application Security Testing