Thick Client Penetration Testing – A 2022 Guide with Checklist

What is a Thick Client Application?

Thick Client Applications are the programs we use daily: web browsers, games, desktop music players, messengers, video conferencing tools such as Zoom, and so on. In simple terms, a Thick Client Application is a desktop application built on the client-server architecture; put another way, it is the CLIENT half of that architecture. From a Penetration Testing or “Pentesting” perspective, Thick Client Applications are tested at both the client and the server end. They are developed using programming languages such as C/C++, .NET, Java and Microsoft Silverlight. Thick Clients are beneficial because they need not depend on a server on the network for most of their work and perform the bulk of their tasks locally; they may need to connect to the Central Server occasionally but can work offline too. In a nutshell, the thickness of a client corresponds to the amount of processing done on the client side, and since significant processing happens on the client side in these applications, they are called “THICK CLIENTS”.

There are two types of architectures in Thick Client Applications.

2-Tier Application

In this kind of Thick Client Application there are only two entities, a Client and a Server, and they communicate directly with no intermediate. Usually the server hosts the data in a database, which the client program accesses directly over a defined set of protocols. Examples of 2-tier applications are desktop games, music players, Content Management Systems, Customer Relationship Management applications, etc. From a security testing perspective, 2-tier applications offer a larger attack surface for penetration testing, and pentesting them tends to be more successful because the client is available locally.

3-Tier Application

In the case of 3-tier Thick Client Applications, the client cannot communicate directly with the database server. There is a third entity in between – the Application Server. The client passes its request to the Application Server, which communicates with the database and serves the client with the requested data. 3-tier applications are safer than 2-tier Applications as the end-user has no direct access to the database.

Vulnerabilities in Thick Client Applications

The hybrid infrastructure on which a Thick Client Application usually resides poses more security challenges than web-based thin clients do. To put it in simple terms, the Thick Client Application runs on the user’s system, which might not have adequate security measures in place, and attackers can exploit that. This is where Thick Client Security, or to put it in a better perspective, Thick Client Penetration Testing, comes into the picture. Attacks on Thick Client Applications commonly include SQL Injection, Insecure Storage, Denial of Service [DoS], Reverse Engineering, etc.

What is Thick Client Penetration Testing?

Thick Clients are full-blown applications that can function with or without a network. Thick Client Penetration Testing [Pentesting] is the part of Thick Client Security that examines the Thick Client Application for weaknesses in order to improve the security of the Application.

Thick Client Application Testing Methodology

Discovery

Compared to Thin Client Applications, Thick Client Applications are custom-built and hence relatively complicated, so it is prudent to gather all the relevant information about the Application first. In this information-gathering phase, you thoroughly understand the following:

UI Elements

Inspect the UI elements at every user level. Spend considerable time analyzing the permissions and functionality associated with each user who logs in to the thick client application.

The Programming Language of the Application

Many tools are available that can detect the programming language used to build the Thick Client Application.

Network

This stage of Thick Client Penetration Testing involves tracking the data exchanged between the client and the server. The client and server can be on the same system or on different systems connected through a network. The penetration tester needs to be well versed in the tools used for sniffing network packets. This stage yields information about the network protocols in use and lets you analyze network traffic, debug network clients, etc. Scrutinizing the traffic between the Thick Client and the server can reveal sensitive information such as API keys, REST API and HTTP/HTTPS endpoints, etc. You need specialized proxy tools to intercept the data exchanged between the client undergoing penetration testing and the server.

Proxy Aware Thick Client

In this case, the Application/Software knows how to establish a connection through a Proxy Server instead of directly to the Real Server. When pentesting a Proxy-Aware Thick Client, you can use any Proxy tool to intercept the traffic.

Non-Proxy-Aware Thick Client

These clients lack proxy support, and there is no way to configure proxy options in the Thick Client itself. When analyzing Non-Proxy-Aware Thick Client traffic, you need Burp Suite’s Invisible proxying, which connects these types of Thick Clients to a Proxy listener.

Client-Side Testing

File Analysis

In this approach the Pentester looks for sensitive data stored on the local system; this includes usernames, passwords, API keys, Connection Strings, etc. The improved functionality of client-side web-based applications has also led to an increase in the attack surface.

DLL Hijacking

Dynamic Link Library [DLL] files contain executable code used by other applications. Attackers replace the original DLL files with their own, and when the Application runs, the attacker-placed DLL file containing the malicious code gets executed. Thick Client Pentesters employ Process Monitoring Tools that:
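One way to turn this into a repeatable check, as an added example that is not part of the original article: the script below models the Windows DLL search order and reports imports that resolve from a user-writable directory or that are not found at all (so a copy in the first user-writable search directory would be loaded). The directory layout, the writable set and the import list are constructed in a temporary directory so it runs on any OS; `is_writable` stands in for a real ACL check.

```python
"""Audit which of a thick client's imported DLLs could be hijacked through the
Windows DLL search order. Added example, not from the article; demo() builds a
constructed layout in a temp dir, and is_writable stands in for a DACL check."""
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

@dataclass
class Risk:
    dll: str
    resolved_in: Optional[str]  # first search directory holding the DLL, or None
    reason: str

def resolve(dll: str, search_order: List[str]) -> Optional[str]:
    """Return the first directory in search_order that contains dll (loader behaviour)."""
    for d in search_order:
        if os.path.isfile(os.path.join(d, dll)):
            return d
    return None

def audit_imports(imports: Iterable[str], search_order: List[str],
                  is_writable: Callable[[str], bool] = lambda d: os.access(d, os.W_OK),
                  known_dlls: frozenset = frozenset()) -> List[Risk]:
    """Flag imports resolved from a user-writable directory, and 'phantom' imports
    (present nowhere) when a user-writable directory appears in the search order."""
    risks = []
    for dll in imports:
        if dll.lower() in known_dlls:
            continue  # KnownDLLs are always mapped from System32, whatever the search order
        where = resolve(dll, search_order)
        if where is None:
            writable = [d for d in search_order if is_writable(d)]
            if writable:
                risks.append(Risk(dll, None, f"missing DLL; first user-writable search dir is {writable[0]}"))
        elif is_writable(where):
            risks.append(Risk(dll, where, "resolves from a user-writable directory"))
    return risks

def demo() -> List[Risk]:
    """Constructed layout: a user-writable app dir and a read-only system dir, with one DLL
    shipped in the app dir, one only in the system dir, one missing, and one KnownDLL."""
    root = tempfile.mkdtemp()
    app, system = os.path.join(root, "app"), os.path.join(root, "system32")
    os.makedirs(app)
    os.makedirs(system)
    open(os.path.join(app, "libcrypto.dll"), "w").close()
    open(os.path.join(system, "version.dll"), "w").close()
    writable = {app}  # stand-in for the ACL check: only the app dir is user-writable
    return audit_imports(["kernel32.dll", "version.dll", "libcrypto.dll", "telemetry.dll"],
                         [app, system], is_writable=lambda d: d in writable,
                         known_dlls=frozenset({"kernel32.dll"}))
```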

Reading Configuration Files

In this client-side Thick Client Pentesting method, testers deploy a variety of tools to locate sensitive information in files and the system registry. In such scenarios the Pentester may not have any prior knowledge of the Thick Client application undergoing testing and may use a decompiler to retrieve the source code of the Application. The tools available for testing the security of configuration files perform the following tasks:

Binary Analysis

In this Thick Client Penetration Testing method, Pentesters search the source code of the thick client application for information such as hardcoded credentials [usernames/passwords, keys, etc.], API Keys and Endpoints, and Hidden Functions and Comments. The pentesting tools used in Binary Analysis reverse-engineer binary files and decompile, disassemble and debug thick client applications.
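As an added example (not from the original article) covering the File Analysis, Reading Configuration Files and Binary Analysis steps: a small scanner that runs over text recovered from config files, a registry export or a strings dump of the binary and reports credential-looking values with the secret masked, so the report itself does not leak them. The regex set, the entropy threshold and the sample config and strings dump are constructed for this example.

```python
"""Scan text recovered from a thick client's config files, registry export or
binary strings for hardcoded secrets. Added example; sample inputs are constructed."""
import math
import re
from typing import NamedTuple

class Finding(NamedTuple):
    source: str    # artefact the hit came from
    kind: str      # pattern name
    line: int      # 1-based line number in that artefact
    evidence: str  # value with the secret part masked

# Credential assignments (INI/JSON/connection strings/strings dumps) and a fixed-prefix key format.
PATTERNS = {
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|pwd|passwd|secret|api[_-]?key|token)\b[\"']?\s*[:=]\s*[\"']?([^;\"'\s]{6,})"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx"}  # template values, not secrets

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and paths score low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def mask(secret: str) -> str:
    """Keep two leading characters so the report does not re-leak the secret."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_text(source: str, text: str, min_entropy: float = 2.5) -> list[Finding]:
    """One Finding per credential-looking value; placeholders and low-entropy words are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1)
                if secret.lower() in PLACEHOLDERS or shannon_entropy(secret) < min_entropy:
                    continue
                findings.append(Finding(source, kind, lineno, mask(secret)))
    return findings

# Constructed samples: an INI-style config and a strings-style dump of a binary.
SAMPLE_CONFIG = ("[database]\n"
                 "ConnectionString=Server=db01.internal;Database=crm;User Id=app;Password=Pa55w0rd!;\n"
                 "[telemetry]\napi_key = changeme")
SAMPLE_STRINGS = ("GetProcAddress\nhttps://api.example.invalid/v1/sync\n"
                  "token=7f3c9a1e2b4d6f8a\nAKIAIOSFODNN7EXAMPLE")

if __name__ == "__main__":  # stand-alone run prints a masked report
    for f in scan_text("config.ini", SAMPLE_CONFIG) + scan_text("strings dump", SAMPLE_STRINGS):
        print(f"{f.source}:{f.line} {f.kind} {f.evidence}")
```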

GUI Weaknesses

In this method, the thick client pentesters check for GUI vulnerabilities associated with users of different privilege levels. The pentesting tools used in this method manipulate window objects in the form, such as text boxes, buttons, dropdowns and menu bars. The tools used in this type of Pentesting help you:

Memory Analysis

This method is used to detect vulnerabilities in 2-tier architecture applications, as thick-client applications load sensitive information into the Application’s memory. This information can be viewed with the help of specialized Memory Analysis Tools.

OWASP Top 10

About Author

Saeel Relekar is an Information Security Analyst at Suma Soft. He specializes in Thick Client Penetration Testing. Suma Soft is a market leader in Cyber Security Services.
