Thick Client Security Testing - Short Tutorial
A thick client is a desktop application that must be installed on the user's machine before it can be used. Thick client applications can be developed in Java, .NET, C/C++, etc.
A thick client may follow a two-tier or a three-tier architecture. In a two-tier architecture, the thick client accesses the back-end database directly via the internet. In a three-tier architecture, the thick client accesses the back-end database via an application server. Some thick client applications use proprietary protocols for communication. Examples of thick clients are video editing software, video conferencing software, MS Office, MS Outlook, etc.
In this article, we will look at the procedure to be followed, the common vulnerabilities, and the tools used for assessing the security of thick client applications.
Procedure to be followed
(1) Information Gathering
Gather as much information as you can about the thick client application, such as
- Application architecture (whether it is two-tier or three-tier)
- Programming language/frameworks used for development
- Understand the authentication used in the application
- Understand the authorization model of the application
- Understand the business logic of the application
- Understand the network communication used by the application
(2) The following test cases need to be performed (but are not limited to these)
- Test the application for sensitive information
- Test for injection vulnerabilities
- Test for authorization issues
- Test error messages shown on failures
- Test for disabled functionalities
- Test for encryption keys
- Test log files for secrets
- Check code obfuscation
- Test for read/write access to the Registry
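The file-based checks above (sensitive information, encryption keys, secrets in log files, cleartext configuration) can be automated with a small scanner. This is an added example, not code from the original article; the install path, file contents and indicator patterns are constructed assumptions, and the entropy threshold of 4.0 bits per character is a heuristic, not a standard.

```python
import math
import os
import re
from collections import Counter

# Constructed sample files standing in for a thick client's install directory (assumption).
SAMPLE_FILES = {
    "C:/Program Files/ExampleClient/app.config":
        "db.host=10.0.0.5\ndb.user=appsvc\ndb.password=Summer2019!\n",
    "C:/Program Files/ExampleClient/logs/client.log":
        "2024-01-01 10:00:01 INFO login ok user=alice\n"
        "2024-01-01 10:00:02 DEBUG Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.QWx4nFfS1vY4\n",
}

# Indicators of secrets commonly left behind in config and log files.
PATTERNS = {
    "password_assignment": re.compile(r"(?i)\b(pass(word|wd)?|pwd)\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{20,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def shannon_entropy(s):
    """Bits per character; random keys and session tokens usually score above 4.0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def scan_text(path, text):
    """Return (path, line number, indicator) for every suspicious line in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [name for name, pat in PATTERNS.items() if pat.search(line)]
        if not hits:
            # Fallback: a long, high-entropy token may be an API key or session id.
            tokens = re.findall(r"[A-Za-z0-9+/=._-]{20,}", line)
            if any(shannon_entropy(t) > 4.0 for t in tokens):
                hits.append("high_entropy_token")
        findings.extend((path, lineno, h) for h in hits)
    return findings

def scan_files(files):  # files is a {path: contents} mapping
    return [f for path, text in files.items() for f in scan_text(path, text)]

def scan_directory(root, suffixes=(".config", ".ini", ".xml", ".json", ".log", ".txt")):
    """Walk a real install directory and scan the files that look like config or logs."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return scan_files(files)
```

Calling `scan_files(SAMPLE_FILES)` reports the cleartext database password in the config file and the bearer token logged at DEBUG level; `scan_directory` applies the same checks to a real installation folder, and every hit still needs manual confirmation.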
Vulnerabilities in Thick Client Application
- Injection - SQL injection, command injection, LDAP injection
- Buffer Overflow
- Insecure Communication (TLS/SSL vulnerabilities)
- Business Logic Vulnerabilities (e.g. forgot password)
- Improper Error Handling
- Sensitive Information Disclosure - Hardcoded Encryption Data, Hardcoded Encrypted Password
- No Code Obfuscation
- Broken authentication and session management
- Weak storage of password at server side
- Insufficient logging and monitoring
- Security Misconfiguration
- Configuration files in cleartext
Tools used:
- Wireshark - network analysis tool
- IDA Pro - static analysis tool
- OllyDBG - static analysis tool
- CFF Explorer - PE Editor
- Sysinternals Suite - bundle of sysinternals utilities
- Detect It Easy - to determine file type
- PEid - Identify different signatures of PE files
- Ghidra - static analysis tool
- Winhex - memory analysis tool
- Metasploit - exploitation framework
- BurpSuite Pro - intercepting proxy tool
- Nmap - identify open ports
- sslscan - identify SSL/TLS vulnerabilities
- Nessus - identify outdated components of a thick client application
- Procmon - to monitor processes
Conclusion
This is just an introductory article to get a security assessment of thick client applications started. More tutorials are available on Google to kickstart security testing.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.