Thick Client Security Testing - Short Tutorial
A thick client is a desktop application that has to be installed on the user's machine and performs a substantial part of the processing locally. Thick clients are commonly developed in Java, .NET, C/C++, etc.
A thick client follows either a two-tier or a three-tier architecture. In the two-tier architecture the client talks directly to the back-end database over the network, so the database credentials and the SQL live on the user's machine. In the three-tier architecture the client talks to an application server, which in turn accesses the database. Some thick clients use proprietary (non-HTTP) protocols for this communication, which is why a web proxy alone is not enough to test them. Examples of thick clients are video editing software, video conferencing software, MS Office, MS Outlook, etc.
In this article we cover the procedure to follow, the vulnerabilities to look for, and the tools used for assessing the security of thick client applications.
Procedure to be followed
(1) Information Gathering
Gather as much information as you can about the thick client application, such as:
- Application architecture (whether it is two-tier or three-tier)
- Programming language/frameworks used for development
- Understand how authentication is implemented in the application
- Understand how authorization is enforced in the application (client side, server side, or both)
- Understand the business logic of the application
- Understand the network communication used by the application (HTTP(S), database protocol, proprietary protocol)
(2) The following test cases need to be performed (but are not limited to)
- Test the application for sensitive information stored on the client (files, memory, registry)
- Test for injection vulnerabilities in every input the client sends to the back end
- Test for authorization issues (roles must be enforced on the server, not only by hiding UI elements)
- Test the error messages returned on failures for stack traces and internal details
- Test whether disabled or hidden functionality can be re-enabled on the client
- Test for hardcoded encryption keys
- Test log files for secrets
- Check whether the code is obfuscated and how easily it decompiles
- Test the registry keys the application reads and writes, and their permissions
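As an added, runnable illustration of several of the test cases above (sensitive information, encryption keys, log files, cleartext configuration), here is a small Python sweep over an installation directory. It is example code written for this article, not something from the original post or from any particular product; the install tree it scans, including the file names, the connection string, the keys and the log lines, is constructed sample data.

```python
"""Secrets sweep over a thick client's installation directory (added example
for this article, not code from the original post). Flags cleartext passwords
and connection strings in config files, tokens written to logs and hardcoded
keys that show up as high-entropy strings. SAMPLE_FILES is constructed data."""
import math
import os
import re
import tempfile
from collections import Counter

# Text-like files worth a regex sweep; binaries are for strings/Ghidra.
TEXT_SUFFIXES = (".config", ".ini", ".xml", ".json", ".properties", ".log", ".txt")

# (label, regex); group 1 is the secret value, which is redacted in the report.
PATTERNS = [
    ("cleartext password",
     re.compile(r"(?i)\b(?:password|pwd|passwd)\s*[=:]\s*([^\s;\"'<]+)")),
    ("connection string",
     re.compile(r"(?i)\b(?:Data Source|Server)=[^;]+;[^\"']*?\b(?:User ID|Uid)=([^;\"']+)")),
    ("api key / secret",
     re.compile(r"(?i)\b(?:api[_-]?key|client[_-]?secret|secret)\s*[=:]\s*([A-Za-z0-9_\-]{16,})")),
    ("bearer token", re.compile(r"(?i)\bBearer\s+([A-Za-z0-9_\-\.]{20,})")),
    ("private key", re.compile(r"(-----BEGIN (?:RSA |EC )?PRIVATE KEY-----)")),
]
# Long random-looking tokens catch keys stored under non-obvious setting names.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits/char; prose and identifiers sit well below this

SAMPLE_FILES = {  # constructed install tree, invented names and values
    "Billing.exe.config": (
        '<configuration>\n  <connectionStrings>\n    <add name="Billing" '
        'connectionString="Server=db.corp.example;Database=Billing;'
        'User ID=billing_app;Password=Summ3r!2021" />\n  </connectionStrings>\n'
        '  <appSettings>\n    <add key="LicenseServer" value="https://license.corp.example" />\n'
        '  </appSettings>\n</configuration>\n'),
    "settings.ini": (
        "[crypto]\naes_key = 7rT0qP2xN9bV4kL8mW1zQ5yH3uJ6eC0d\n"
        "[update]\napi_key = sk_live_4f9d2c7b1e8a6f3d0c5b9e2a\n"),
    os.path.join("logs", "app.log"): (
        "2021-03-04 10:15:02 INFO  user=jdoe login ok\n"
        "2021-03-04 10:15:02 DEBUG Authorization: Bearer "
        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqZG9lIn0.c2lnbmF0dXJl\n"
        "2021-03-04 10:16:44 ERROR reconnect failed: password=Winter2020 host=db.corp.example\n"),
    "readme.txt": (  # benign file: must produce no findings
        "Installation notes for the Billing client.\n"
        "Default password policy: minimum 12 characters.\n"),
}

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value):
    """Keep enough of the value to locate it in the file, never the whole secret."""
    return value[:4] + "..." if len(value) > 4 else "****"

def scan_line(path, line_no, line):
    found = []
    for label, rx in PATTERNS:
        for m in rx.finditer(line):
            found.append({"file": path, "line": line_no, "kind": label,
                          "evidence": redact(m.group(1))})
    for m in CANDIDATE.finditer(line):
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            found.append({"file": path, "line": line_no, "kind": "high-entropy string",
                          "evidence": redact(m.group(0))})
    return found

def scan_install_dir(root):
    """Return one finding dict per hit across all text-like files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(TEXT_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for line_no, line in enumerate(fh, 1):
                    findings.extend(scan_line(path, line_no, line))
    return findings

def build_sample_install(root):
    """Write the constructed SAMPLE_FILES tree under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

def demo():
    """Build the constructed install tree in a temp dir and sweep it."""
    return scan_install_dir(build_sample_install(tempfile.mkdtemp(prefix="thick_")))

if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:20} {f['file']}:{f['line']}  {f['evidence']}")
```

Run it as a script to print redacted findings, or point scan_install_dir() at a real installation folder such as C:\Program Files\<App>. Treat the entropy check as a lead, not a verdict: compressed or base64-encoded resources also score high, so confirm each hit in the file before reporting it.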
Vulnerabilities in Thick Client Application
- Injection - SQL injection, command injection, LDAP injection
- Buffer Overflow
- Insecure Communication (TLS/SSL vulnerabilities, or cleartext proprietary protocols)
- Business Logic Vulnerabilities (e.g. a forgot-password flow that can be abused)
- Improper Error Handling
- Sensitive Information Disclosure - hardcoded encryption keys, hardcoded or weakly encrypted passwords
- No Code Obfuscation
- Broken Authentication and Session Management
- Weak storage of passwords on the server side
- Insufficient Logging and Monitoring
- Security Misconfiguration
- Configuration files with credentials in cleartext
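The two-tier case makes the SQL injection entry above concrete: when the client itself formats the login form into a query and sends it to the database, the attacker controls both the input and the code that builds the query. The following Python example, written for this article and not taken from the original post, shows an injectable login check next to a parameterised one, with constructed sample users in an in-memory SQLite database standing in for the back end. It also shows the "weak storage of passwords" item: the legacy table keeps an unsalted SHA-256, the hardened one a salted PBKDF2 hash.

```python
"""Two-tier login: injectable client-side SQL beside a hardened version.

Added example for this article, not code from the original post. In the
two-tier architecture the thick client composes SQL and sends it straight
to the database, so a query built from the login form's text boxes is
attackable by anyone holding the client. The database, tables and users
below are constructed sample data.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000
SAMPLE_USERS = (("alice", "Summ3r!2021"), ("admin", "C0rrect-H0rse"))  # constructed


def derive_key(password, salt):
    """Slow, salted KDF: what the server side should store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_db():
    """In-memory stand-in for the back-end database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    # Legacy schema: unsalted SHA-256 of the password, the "weak storage" case.
    conn.execute("CREATE TABLE users_legacy (username TEXT PRIMARY KEY, sha256 TEXT)")
    # Hardened schema: per-user random salt plus a PBKDF2 hash.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users_legacy VALUES (?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest()))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user, salt, derive_key(pw, salt)))
    return conn


def login_vulnerable(conn, username, password):
    """What a typical two-tier client does: format the form fields into SQL
    and let the database decide. Returns the authenticated username or None."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT username FROM users_legacy "
           f"WHERE username = '{username}' AND sha256 = '{digest}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised lookup; the password check happens in code, not in SQL,
    with a constant-time comparison. Returns the username or None."""
    row = conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        return None
    user, salt, stored = row
    if hmac.compare_digest(derive_key(password, salt), stored):
        return user
    return None


# The payload a tester types into the username field: it closes the string
# literal and comments out the password predicate.
INJECTION = "admin' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected username, wrong pw:", login_vulnerable(db, INJECTION, "x"))
    print("hardened,   injected username, wrong pw:", login_hardened(db, INJECTION, "x"))
    print("hardened,   real user, right pw       :", login_hardened(db, "alice", "Summ3r!2021"))
```

In a real engagement the equivalent test is to type the payload into the client's login dialog while watching the database traffic in Wireshark (or the application server's logs in the three-tier case). Input validation done only inside the client can always be bypassed, since the tester controls the machine the client runs on; the fix is parameterised queries and server-side checks, not a stricter text box.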
Tools used:
- Wireshark - network protocol analyzer; also the tool of choice when the client speaks a proprietary protocol
- IDA Pro - disassembler/decompiler for static analysis
- OllyDBG - user-mode debugger for dynamic analysis of 32-bit binaries
- CFF Explorer - PE editor
- Sysinternals Suite - bundle of Sysinternals utilities (Process Monitor, Process Explorer, Strings, etc.)
- Detect It Easy - identify file type, compiler and packer
- PEiD - identify packer and compiler signatures of PE files
- Ghidra - static analysis (disassembler/decompiler)
- WinHex - hex editor, also used to inspect process memory and disk images
- Metasploit - exploitation framework
- Burp Suite - intercepting proxy for the HTTP(S) traffic between the client and its back end
- Nmap - identify open ports on the client and back-end hosts
- sslscan - identify weak TLS/SSL configurations
- Nessus - vulnerability scanner for the hosts and services the client depends on
- Procmon (Process Monitor) - monitor file, registry and process activity of the client
Conclusion
This introductory article is meant to get you started with the security assessment of thick client applications; it outlines the methodology and the tools used, and each of the test cases above deserves a deeper treatment of its own.
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.