Thick client penetration testing

Introduction

Any program that is installed locally on a user’s desktop/laptop is considered a thick client application. These programs are feature-rich and can run without being connected to the Internet. Examples of thick client programs include web browsers, computer games, and music players.

The architecture of Thick client applications:

There are mainly two types of architectures used for thick clients:

Two-Tier Architecture:

In a two-tier architecture, the thick client communicates directly with the server: the application is installed on the client side and, while in use, connects to the database server.

Three-Tier Architecture:

In a three-tier architecture, the client communicates with an application server, and that application server communicates with the database server. The most common protocol for communication in this kind of application is HTTP/HTTPS.

Thick client penetration testing is used to identify vulnerabilities, threats, and risks on both the local and client-server sides. With the adoption of hybrid infrastructure architectures, thick clients can become an attractive target for attackers.

  • Different attack surfaces sometimes require different penetration testing approaches.
  • Thick client penetration testing requires specialized tools (Echo Mirage, Sysinternals Suite, Mallory, Nmap, etc.) and techniques.
  • Thick client applications can be developed in various programming languages, including .NET, Java, C/C++, etc.
  • Thick clients are typically easier to test than web apps since they lack significant business logic and processing capabilities.

How penetration testing is done:

Thick client penetration testing is divided into four main parts:

  1. Information Gathering:
    It is critical to understand the complete functioning of the thick client application and to go through all UI elements as several different users, because each user may have distinct rights and functions that must be discovered. During this phase, collect as much information as you can about the application, its behavior, architecture, etc. A few thick client penetration testing tools that can be helpful in this phase are CFF Explorer, PEiD, Detect It Easy (DIE), dnSpy, ILSpy, etc.
  2. Client-side attacks:
    Thick client applications also have a local data store, and in some cases sensitive data may be readily available there, so it is essential to assess the client application. Sensitive information such as usernames, passwords, and keys may be stored in local files or the registry. During this phase, the tester verifies that no sensitive information is stored on the client. Process Monitor, Regshot, Frida, Process Explorer, etc. can be used as tools.
  3. Network side attack:
  4. Server-side attacks:
    Server-side attacks seek to compromise and breach the data and applications present on a server. During this phase, the attacks exploit vulnerabilities in installed services. These attacks are launched directly from an attacker to a listening service, and upon identifying vulnerabilities the attacker might try to compromise the server. Netsparker, Metasploit, sqlmap, Acunetix, etc. can be used as tools during this phase.
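
The client-side check from step 2, that no credentials sit in the application's local files, can be scripted. The following is an added example, not code from the original post: the key-name list, file suffixes, function names and sample directory are assumptions constructed for illustration, and it covers files only, not the registry.

```python
import re
import tempfile
from pathlib import Path

# Key names that often hold credentials (assumed list; extend per application).
NAMES = r"password|passwd|pwd|secret|api[_-]?key|token"
# name=value or "name": "value", as in INI, JSON and properties files.
ASSIGN = re.compile(rf"(?i)({NAMES})[\"']?\s*[=:]\s*[\"']?([^\"'\s;<>]+)")
# <add key="DbPassword" value="..."/>, as in .NET app.config files.
KEY_VALUE = re.compile(
    rf"(?i)key\s*=\s*[\"']([^\"']*(?:{NAMES})[^\"']*)[\"']\s+value\s*=\s*[\"']([^\"']+)[\"']")
TEXT_SUFFIXES = {".config", ".ini", ".xml", ".json", ".properties", ".txt", ".log"}


def scan_local_store(root):
    """Return (relative path, line number, key name) for each credential-like entry."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            for match in [*ASSIGN.finditer(line), *KEY_VALUE.finditer(line)]:
                # Record where the entry is, never the secret value itself.
                rel = path.relative_to(root).as_posix()
                findings.append((rel, lineno, match.group(1).lower()))
    return findings


def build_sample(root):
    """Write a constructed sample data directory (not from any real product)."""
    root = Path(root)
    (root / "conf").mkdir()
    (root / "conf" / "app.ini").write_text("[db]\nuser = appuser\npwd = Constructed!Pass1\n")
    (root / "settings.json").write_text('{"theme": "dark", "api_key": "CONSTRUCTED-KEY-0001"}\n')
    (root / "client.exe.config").write_text(
        '<add key="DbPassword" value="Constructed123" />\n<add key="ProxyPassword" value="" />\n')
    (root / "readme.txt").write_text("No credentials here.\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_local_store(build_sample(tmp)):
            print(finding)
```

Entries with an empty value, such as the `ProxyPassword` key in the sample, are not reported, and the report lists only the location and key name so that it can be shared without leaking the secret.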

How to execute thick client penetration testing effectively:

These applications are more complex than web & mobile applications, so they require specific approaches:

  • Find out the technologies used behind the client and server-side applications.
  • Figure out the behavior and the functionalities of the application.
  • Try to identify the different entry points.
  • Try to understand the core security used in the application and try to identify the vulnerabilities.
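
Finding out the technology behind the client, which the information-gathering phase does with tools such as CFF Explorer or Detect It Easy, comes down to reading a few PE header fields. The following is an added example, not code from the original post: it reports architecture, PE32/PE32+ format, whether the binary is a .NET assembly (a candidate for dnSpy/ILSpy), and goes slightly beyond the text by also reporting the ASLR and DEP flags. `triage_pe` and `build_header` are names introduced here, and the sample headers are constructed.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
DYNAMIC_BASE, NX_COMPAT = 0x0040, 0x0100  # DllCharacteristics bits for ASLR and DEP
CLR_SLOT = 14  # data directory slot holding the CLR (.NET) runtime header

def triage_pe(data):
    """Return architecture, header format, runtime and mitigation flags of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("PE signature missing")
        (machine,) = struct.unpack_from("<H", data, pe_off + 4)
        opt = pe_off + 24  # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ layout
        (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        rva = size = 0
        if count > CLR_SLOT:
            rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_SLOT)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return {
        "arch": MACHINES.get(machine, hex(machine)),
        "format": "PE32" if magic == 0x10B else "PE32+",
        "runtime": ".NET" if rva and size else "native",
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }

def build_header(machine, magic, dll_chars, clr=(0, 0)):
    """Build a constructed, header-only PE image for the demo (not a real binary)."""
    dirs = 96 if magic == 0x10B else 112
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dirs - 4, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 8 * CLR_SLOT, *clr)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

On a real client, pass the file's bytes to `triage_pe`; a `.NET` result on a PE32/x86 header is common for AnyCPU assemblies, so the format field describes the header, not necessarily the process bitness at run time.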

Conclusion:

A thick client application can be tested for vulnerabilities using the tools and methodologies outlined in this blog. One contrast between thick client applications and web apps is that, while new technologies have led to new testing methodologies, no fundamental changes have been made to thick client testing tools.

As part of ASPIA’s thick client application testing approach, we first analyze the full functionality of the application. The UI elements are navigated with multiple users as each user might have different permissions and unique capabilities. By combining automated tools with manual testing, hybrid testing ensures that the application is thoroughly evaluated and the number of false positives is reduced. Contact ASPIA Infotech today to avail of thick client penetration testing services.
