Introduction to Thick Client Penetration Testing – Part 1
Posted on July 29, 2017 by Samrat Das
Why thick client penetration testing?
Thick client applications are not new; they have been around for a long time. However, when asked to perform a pentest on a thick client, you will find it is not as simple as a web application pentest.
Thick clients are majorly used across organizations for their internal operations.
In this series of articles, we will learn the various tools and techniques used to perform thick client application penetration testing.
Taking a step-by-step approach, we will start with the very basics and work up to the advanced test cases.
Introduction
Referenced under multiple names, such as fat client, heavy client, rich client or thick client, such applications follow a client–server architecture.
Put simply, thick clients are applications which are deployed locally on our systems, such as Skype or Outlook.
Thick clients can be developed using multiple languages such as: .NET, C /C++, Java
Architectural view of Thick Client applications:
2-tier applications
A typical setup where a client and a database interact with each other directly. Here the bulk of processing and operations is performed on the client side, while the database operations and queries, once executed, leave the processed data stored in the database.
(Figure: 2 Tier Architecture)
Why is this insecure?
Deploying such a setup opens up multiple vulnerabilities. Because the client talks to the database directly, the database credentials have to be present on the client side and may be compromised, alongside a plethora of other exploits within the application.
3-tier applications:
This is the alternative, well-structured 3-tier architecture. Here the client–server setup is split into three defined components.
The bulk of processing is done on the server side, while the client only issues queries as requests. This makes security more stringent than in a 2-tier application, although still not fully safe.
(Figure: 3 Tier Architecture)
What are the security testing methods feasible for Thick Client?
We can break down the different types of pen testing a thick client into:
Dynamic Testing (fuzzing, traffic interception, injections)
System Testing (checking for logs, data files, registry keys, process threads)
Static Testing (reverse engineering, binary analysis)
Dynamic testing generally follows the data flow from the client side to the server side.
This gives rise to the following test cases:
1. Dynamic test cases:
Input Validation (Fuzzing user input fields)
Here our main goal is to test all the input parameters for different types of attacks, which include:
SQL injection
Command injection
Malicious input acceptance
SQL injection is one of the prime attacks you can carry out against a thick client's database. Do note that performing SQL injection on a thick client needs patience and is a time-consuming task: you need to iterate through multiple queries, mixing and matching them, while observing the response to each.
Some good links for a collection of sqli payloads:
1. https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sqlinjection/payloads-sql-blind
2. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheatsheet
You can crawl the net for more payloads to find the one which is appropriate for the application you are testing.
File Upload
Here our goal is to attempt to upload malicious files, injected into the application's input request, which can lead to shell upload or malicious code execution.
Here you can simply check all the browse buttons and examine the file upload logic.
Buffer Overflow
Here our goal is to examine C/C++ thick clients in particular, testing the memory functions they use, which lets us check for buffer overflow vulnerabilities and memory violations.
Secure traffic analysis (protocols)
The testing for this case involves checking whether encryption is applied to sensitive data on the wire or not (for example, clear text data transmission is a vulnerability).
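As an added example (not part of the original article), the following Python snippet performs the clear-text check on a captured client-to-server payload: it first tests for a TLS record header and otherwise scans the bytes for credential-looking key=value pairs. The two captures, the credential regex and the finding labels are constructed for the demo.

```python
import re

# Constructed sample captures (not real traffic): a plaintext login message and the
# first bytes of a TLS ClientHello record (content type 0x16, version 0x0301).
PLAINTEXT_LOGIN = b"LOGIN user=alice&password=s3cret&client=1.2\r\n"
TLS_CLIENT_HELLO = bytes.fromhex("160301005a0100005603035f") + b"\x00" * 20

# Keys that usually carry secrets; constructed for the demo, extend for the app under test.
CREDENTIAL_PATTERN = re.compile(
    rb"(?i)(?P<key>pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*(?P<value>[^&\s]+)"
)


def looks_like_tls(payload: bytes) -> bool:
    # Every TLS record begins with a content type byte and a two-byte version;
    # 0x16 is the handshake type and the major version byte is always 0x03.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def find_cleartext_secrets(payload: bytes):
    # Return (key, value) pairs that travel unencrypted.
    return [
        (m.group("key").decode(), m.group("value").decode(errors="replace"))
        for m in CREDENTIAL_PATTERN.finditer(payload)
    ]


def assess(payload: bytes) -> dict:
    if looks_like_tls(payload):
        return {"transport": "tls", "secrets": []}
    return {"transport": "cleartext", "secrets": find_cleartext_secrets(payload)}


if __name__ == "__main__":
    for name, capture in (("login", PLAINTEXT_LOGIN), ("hello", TLS_CLIENT_HELLO)):
        print(name, assess(capture))
```

A TLS header only tells you the channel is encrypted; whether the client actually validates the server certificate is a separate test, done with one of the interception proxies from the tool list further down.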
Business logic validations
This has multiple sub test cases which can involve privilege escalation, price tampering,
authorization bypass etc.
Error handling/ Info Leakage
In this case the tester tries to extract verbose error messages, which may give information about the underlying framework, application code and log details.
Session management
Test cases on session validity, expiration and fixation come under this method.
Forced URL access via browser
Many a time, configuration URLs can be reached directly via the web browser.
Log tampering
Most of the applications we test do not validate the timestamp, directly accepting the local system time from the user; performing malicious transactions after changing the system time leads to inconsistencies in the application logs.
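The log tampering case above can be shown with a small added example (not from the original article): a server that records whatever timestamp the client sends versus one that records its own clock and flags the client's value when it disagrees beyond an assumed five-minute skew. The events, the field layout and the skew limit are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed tolerance for legitimately drifting clocks


def record_vulnerable(log, client_timestamp, action):
    # Trusts the timestamp the client supplies, i.e. the user's local system clock.
    log.append((client_timestamp, action))


def record_hardened(log, client_timestamp, action, server_now):
    # The server's clock is authoritative. The client's value is kept only as evidence
    # and the entry is flagged when it disagrees with the server beyond MAX_SKEW.
    status = "clock_skew" if abs(server_now - client_timestamp) > MAX_SKEW else "ok"
    log.append((server_now, action, status, client_timestamp))


def is_ordered(log):
    # A tamper-resistant log is monotonically ordered by its first field.
    times = [entry[0] for entry in log]
    return all(a <= b for a, b in zip(times, times[1:]))


def demo():
    base = datetime(2017, 7, 29, 10, 0, tzinfo=timezone.utc)
    # Constructed events: (time the server received it, time the client claimed, action).
    events = [
        (base, base, "transfer 100"),
        (base + timedelta(minutes=1), base - timedelta(days=1), "transfer 5000"),  # clock set back a day
        (base + timedelta(minutes=2), base + timedelta(minutes=2), "logout"),
    ]
    vulnerable, hardened = [], []
    for server_now, claimed, action in events:
        record_vulnerable(vulnerable, claimed, action)
        record_hardened(hardened, claimed, action, server_now)
    return {
        "vulnerable_ordered": is_ordered(vulnerable),
        "hardened_ordered": is_ordered(hardened),
        "flagged": [entry[1] for entry in hardened if entry[2] == "clock_skew"],
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the client's claimed time alongside the server's makes the backdating attempt itself visible in the log instead of silently corrupting its order.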
2. System Test cases:
Exfiltration of sensitive data from memory
Many times applications keep usernames and passwords in memory. Such information is lethal for compromising the application. There are multiple tools which help us check for this (a free tool for the purpose is WinHex).
DLL Hijacking
The test case for this involves checking whether the application validates the DLLs it loads. If replacing the actual DLLs with a malicious file of the same name succeeds, this can lead to critical findings in the application.
3. Static Testing:
Analysing config files
Many a time the configuration files of the application reveal URLs, server credentials, cryptographic keys or hardcoded passwords. Even certain checks can be easily disabled by changing a parameter value from =yes to =no!
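As an added example (not from the original article), here is a small Python audit of such a configuration file: it flags hardcoded credentials or keys, security-related switches that are turned off, and an unencrypted server URL. The INI sample, the key patterns and the finding names are constructed for the demo.

```python
import configparser
import re

# Constructed sample config (not from any real application), in the INI style
# that many thick clients ship alongside the executable.
SAMPLE_CONFIG = """
[server]
url = http://app.internal.example/api
db_user = appadmin
db_password = Summer2017!

[security]
verify_certificate = no
enforce_license_check = yes
api_key = EXAMPLEKEY123
"""

# Key names that usually hold secrets, and names that usually denote a security switch.
SECRET_KEYS = re.compile(r"(?i)(pass(word|wd)?|pwd|secret|api_?key|token|private_?key)")
CHECK_KEYS = re.compile(r"(?i)^(verify|validate|enforce|check|require|ssl|tls)")
OFF_VALUES = {"no", "false", "0", "off", "disabled"}


def audit_config(text: str):
    # interpolation=None so a literal '%' in a password does not break parsing.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):  # configparser lowercases keys
            where = f"{section}.{key}"
            value = value.strip()
            if key == "url" and value.lower().startswith("http://"):
                findings.append(("cleartext_url", where))
            if SECRET_KEYS.search(key) and value:
                findings.append(("hardcoded_secret", where))
            if CHECK_KEYS.match(key) and value.lower() in OFF_VALUES:
                findings.append(("security_check_disabled", where))
    return findings


if __name__ == "__main__":
    for kind, location in audit_config(SAMPLE_CONFIG):
        print(f"{kind:25s} {location}")
```

The same scan applied after the test run is a quick way to confirm that a "=yes" switch you flipped during testing has been put back.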
Reverse Engineering
Using reversing tools, executable files and jar files can be decompiled, modified and repackaged.
Here is a list of tools which are commonly used for performing thick client pentesting:
Interception proxies:
Burp Suite
Fiddler
Echo Mirage
Charles
Mallory
JavaSnoop
Traffic Analysis:
TCPDump
Wireshark
Static Analysis:
System Internals ( Process Monitor, Regedit, Regshot, AccessEnum)
CFF Explorer
Decompilers:
Java Byte Code Editor
JD GUI
Ollydbg
Packed executable checking tools:
PE Explorer
PEid
UPX Decompression
.Net Reflector
IL Spy
Memory Analysis:
Winhex
Volatility
Tsearch (find and replace strings in memory)
Userdump
Exploitation:
Metasploit ( used for side loading/ DLL and Exe injection)
Key points:
That's all for now, readers. This article gave you a brief idea of how to go about testing a thick client application.
In upcoming articles we will cover the following topics, among others:
1. Intercepting thick client applications and tampering request/ response
2. Reverse engineering jar/ exe les
3. DLL Hijacking
4. Memory forensics
5. Deserialization of traffic analysis of java thick clients
Posted in SecureLayer7 Lab. Tagged: BurpSuite, Introduction to Thick Client Penetration Testing, OWASP Thick Client Penetration Testing, Thick Client Penetration Testing, Why thick client penetration testing
2 Comments
test • 9 months ago
Hi Samrat, can you list the tools you use for thick client testing?
Samrat Das > test • 9 months ago
Hi, it's updated!
Copyright © 2016 SecureLayer7, LLC. All rights reserved.