Thick Client Application Security Assessment

Thick client applications have been in existence for many years and can be found across various sectors and companies. Thick client applications run on the user’s computer and the application’s business logic that includes the validations, and view components. The temporary/permanent data is stored at the client’s side i.e. on the user’s computer, where the application is installed. Read on the blog to know Types of Architecture in Thick Client Applications.

Reading Time: 5 minutes
Read the article   [responsivevoice_button buttontext='Hear the article' voice='US English Female']

Thick clients are being referred to by many names: Fat, Rich, or Heavy Clients. It follows a client-server architecture and can be developed using different programming languages like JAVA, C/C++, and .NET among others.

Vulnerability Assessment and Penetration Testing (VAPT) for thick clients includes client-side analysis, server-side analysis, and network traffic analysis.

Thick client applications can operate without a network connection. To test these applications, you have to understand the entry points for user inputs, application architecture, technologies being used, any propriety protocols, programming languages, and frameworks being used in building it.

Types of Architecture in Thick Client Applications

 Two-tier thick client application

The two-tier architecture is generally found in the legacy application, for example,  the .NET application communicating with the database using its connection available through an open-source. In this type of architecture, we have the client and the server. The application gets installed on the end user’s system (client) and from there it communicates with the database residing on the server.

Two-tier thick client application

Three-tier thick client application

As described in the image below, we have the application server that acts as a mediator between the client and the database. This communication uses the HTTP/HTTPS protocol. A few examples of this type of application are Burp suite, zap proxy, and so on.

Three-tier thick client application

Thick Client Vs Thin Client

Thick Client Thin Client
A thick client performs the bulk of processing between the client/server applications. A thin client application is web-based and almost all processing is being done at the server’s side.
App Data is stored locally within the client’s system, where the app is installed. Data is stored in servers.
The thick client application can work on a slow network connection. The network connection must be fast.
The deployment in a thick client is tough and expensive. The deployment is simpler in a thin client.
The data processing and validation are done on the client’s side. Data verification is being taken care of on the server’s side.
The thick client application uses computer resources and consumes local resources heavily. It consumes very less resources.

Thick client methodology for conducting VAPT assessments

We will be focusing on the areas that are mentioned in the OWASP Windows Binary Executable Files Security Checks Project.

https://wiki.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project

Thick client methodology for conducting VAPT assessments

Phases in thick Client application pen testing

Information Gathering

In this phase, we need to gather details about the application. This will help us understand the functionality and architecture of the application. Essentially, we must navigate through all the UI elements with different users, each with different roles and permissions.

We should collect the information given below about the application

  • Application Architecture
  • Platform Mapping
  • Languages and Frameworks

The set of static tools that can be used in this phase to gather information about the application is

  • CFF Explorer – https://ntcore.com/?page_id=388
  • PEid – https://www.aldeid.com/wiki/PEiD
  • Detect It Easy (DIE) – https://github.com/horsicq/Detect-It-Easy
  • Strings – https://docs.microsoft.com/en-us/sysinternals/downloads/strings

Here are the decompiler tools for .NET

  • NeonFuscatorDeobfuscator – https://github.com/NotPrab/.NET-Deobfuscator
  • dnSpy – https://github.com/dnSpy/dnSpy
  • ILSpy – https://github.com/icsharpcode/ILSpy
  • de4dot – https://github.com/de4dot/de4dot

Client-Side attacks

Files Analysis

In this phase, we must look for the local files and the registry that the applications store. Essentially, our objective is to find sensitive information such as usernames, passwords, connection strings, and API keys.

Tools that can be helpful for file analysis are:

Binary Analysis

By the beginning of this phase, we must have gotten access to the source code of the thick client application under assessment.

Now, we must start probing and thoroughly looking at the whole code keeping in mind that we have to scout for sensitive information in the code, which might be hard-coded username or passwords, API details, API keys, endpoints, comments, and hidden functions.

Below are the tools used in this phase:

  • Frida – https://github.com/frida/frida-python
  • UPX Decompression – https://upx.github.io/
  • PE Explorer – http://www.heaventools.com/overview.htm
  • x64dbg – https://x64dbg.com/
  • Luyten – https://github.com/deathmarine/Luyten
  • JD-GUI – https://github.com/java-decompiler/jd-gui
  • Bytecode Viewer – https://github.com/Konloch/bytecode-viewer
  • ILSpy – https://github.com/icsharpcode/ILSpy

Memory Analysis

It is vital to perform memory analysis during its dynamic state. We must probe and look at the data that is getting stored in the application’s memory. If the application is developed in a two-tier architecture, then it transfers sensitive information like database connection strings and user credentials to the memory.

This is a design flaw in all the thick client applications that are developed using the two-tier architecture and it is the default behavior.

Here are the tools that are used for the assessment in this phase:

  • Winhex (for windows it shows real-time registry, file system, and processes) – https://www.x-ways.net/winhex/index-m.html
  • Volatility (framework used for the extraction of digital artifacts from volatile memory (RAM)) – https://github.com/volatilityfoundation/volatility
  • Process Explorer – https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
  • Strings- https://docs.microsoft.com/en-us/sysinternals/downloads/strings

Now, to intercept the traffic between the thick client application and the server or database, we should use any proxy tool like burp suite. The proxy tool acts as middleware and helps us to intercept the traffic and change/update the data in transit.

Before we start intercepting the thick client application traffic, we should be aware of the difference between the following:

Non-proxy-aware

In this case, the thick client application neither has any settings to configure proxy nor has any support to proxy. For such kinds of applications, we need a different approach to set up a proxy.

We can use the burp suite and configure a proxy listener and then intercept the traffic.

Proxy aware

Here, the application itself has proxy setting options that can be used to set up the proxy and intercept the traffic using a proxy tool like burp suite.

Examples of the proxy-aware thick client are ─ Firefox, Google Chrome, and many more.

Network Side Attacks

  • Installation Traffic
  • Run Time Traffic

Installation Traffic and Run Time Traffic

Analyzing the network traffic between the thick client application and the server might reveal sensitive and unencrypted data like credentials, API keys being transmitted in clear-text, API endpoints, web services, proprietary protocols  and file blocks sent over the wire.

Below is the set of network sniffers tools that can be used to analyze the network traffic:

  • Wireshark
  • SmartSniff
  • tcpdump
  • Microsoft Network Monitor 3.4

Server-Side Attacks

In this phase, all the OWASP TOP10 vulnerabilities should be checked.

OWASP Top 10:2021

Conclusion   

Most of the low-hanging fruits can be addressed if an organization follows secure SDLC practices, integrating security tools in the SDLC life cycle. This way the vulnerabilities are remediated at an early stage of development. Always follow the security by a design approach that ensures your project is secure from the start to the finish.

How eInfochips can help

At eInfochips, we have a dedicated team of security professionals, who have vast experience in various domains of cybersecurity. We have already helped multiple clients in transforming their security posture and reducing their risk. Our experts can help you identify your security loopholes and suggest the best approach to fix them efficiently. Get in touch with us for your security needs.

ABOUT THE AUTHOR

Rachit Dogra

Rachit works as a senior engineer at eInfochips in cybersecurity domain. He has about 6 years of experience as a Cyber Security Professional/Offensive Security Researcher. He has expertise into web, mobile, thick client application vulnerability assessment, penetration testing, triaging the vulnerabilities, attack surface management, DevSecOps, Hardware/IOT/Automotive security , Vulnerability Management, threat modelling, governance, risk and Compliance.

RELATED POSTS

Developing Highly Scalable, Secure, Cost Effective Cloud-Based VMS Using Micro-Services

Top 3 Emerging trends in Video Analytics – Artificial Intelligence, Tracking, Micro Expressions

Benchmarking of Surveillance & Security Products – Key to Market Leadership

©2023 eInfochips (an Arrow company), all rights reserved. Terms and Conditions | Know more about eInfochcips's Privacy Policy and Cookie Policy

akun slot gacor slotgacormax.win akun jp daftar slot online QQLINE88 3mbola catur777