Thick clients are being referred to by many names: Fat, Rich, or Heavy Clients. It follows a client-server architecture and can be developed using different programming languages like JAVA, C/C++, and .NET among others.
Vulnerability Assessment and Penetration Testing (VAPT) for thick clients includes client-side analysis, server-side analysis, and network traffic analysis.
Thick client applications can operate without a network connection. To test these applications, you have to understand the entry points for user inputs, application architecture, technologies being used, any propriety protocols, programming languages, and frameworks being used in building it.
Types of Architecture in Thick Client Applications
Two-tier thick client application
The two-tier architecture is generally found in the legacy application, for example, the .NET application communicating with the database using its connection available through an open-source. In this type of architecture, we have the client and the server. The application gets installed on the end user’s system (client) and from there it communicates with the database residing on the server.
Three-tier thick client application
As described in the image below, we have the application server that acts as a mediator between the client and the database. This communication uses the HTTP/HTTPS protocol. A few examples of this type of application are Burp suite, zap proxy, and so on.
Thick Client Vs Thin Client
| Thick Client |
Thin Client |
| A thick client performs the bulk of processing between the client/server applications. |
A thin client application is web-based and almost all processing is being done at the server’s side. |
| App Data is stored locally within the client’s system, where the app is installed. |
Data is stored in servers. |
| The thick client application can work on a slow network connection. |
The network connection must be fast. |
| The deployment in a thick client is tough and expensive. |
The deployment is simpler in a thin client. |
| The data processing and validation are done on the client’s side. |
Data verification is being taken care of on the server’s side. |
| The thick client application uses computer resources and consumes local resources heavily. |
It consumes very less resources. |
Thick client methodology for conducting VAPT assessments
We will be focusing on the areas that are mentioned in the OWASP Windows Binary Executable Files Security Checks Project.
https://wiki.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project
Phases in thick Client application pen testing
Information Gathering
In this phase, we need to gather details about the application. This will help us understand the functionality and architecture of the application. Essentially, we must navigate through all the UI elements with different users, each with different roles and permissions.
We should collect the information given below about the application
- Application Architecture
- Platform Mapping
- Languages and Frameworks
The set of static tools that can be used in this phase to gather information about the application is
- CFF Explorer – https://ntcore.com/?page_id=388
- PEid – https://www.aldeid.com/wiki/PEiD
- Detect It Easy (DIE) – https://github.com/horsicq/Detect-It-Easy
- Strings – https://docs.microsoft.com/en-us/sysinternals/downloads/strings
Here are the decompiler tools for .NET
- NeonFuscatorDeobfuscator – https://github.com/NotPrab/.NET-Deobfuscator
- dnSpy – https://github.com/dnSpy/dnSpy
- ILSpy – https://github.com/icsharpcode/ILSpy
- de4dot – https://github.com/de4dot/de4dot
Client-Side attacks
Files Analysis
In this phase, we must look for the local files and the registry that the applications store. Essentially, our objective is to find sensitive information such as usernames, passwords, connection strings, and API keys.
Tools that can be helpful for file analysis are:
Binary Analysis
By the beginning of this phase, we must have gotten access to the source code of the thick client application under assessment.
Now, we must start probing and thoroughly looking at the whole code keeping in mind that we have to scout for sensitive information in the code, which might be hard-coded username or passwords, API details, API keys, endpoints, comments, and hidden functions.
Below are the tools used in this phase:
- Frida – https://github.com/frida/frida-python
- UPX Decompression – https://upx.github.io/
- PE Explorer – http://www.heaventools.com/overview.htm
- x64dbg – https://x64dbg.com/
- Luyten – https://github.com/deathmarine/Luyten
- JD-GUI – https://github.com/java-decompiler/jd-gui
- Bytecode Viewer – https://github.com/Konloch/bytecode-viewer
- ILSpy – https://github.com/icsharpcode/ILSpy
Memory Analysis
It is vital to perform memory analysis during its dynamic state. We must probe and look at the data that is getting stored in the application’s memory. If the application is developed in a two-tier architecture, then it transfers sensitive information like database connection strings and user credentials to the memory.
This is a design flaw in all the thick client applications that are developed using the two-tier architecture and it is the default behavior.
Here are the tools that are used for the assessment in this phase:
- Winhex (for windows it shows real-time registry, file system, and processes) – https://www.x-ways.net/winhex/index-m.html
- Volatility (framework used for the extraction of digital artifacts from volatile memory (RAM)) – https://github.com/volatilityfoundation/volatility
- Process Explorer – https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
- Strings- https://docs.microsoft.com/en-us/sysinternals/downloads/strings
Now, to intercept the traffic between the thick client application and the server or database, we should use any proxy tool like burp suite. The proxy tool acts as middleware and helps us to intercept the traffic and change/update the data in transit.
Before we start intercepting the thick client application traffic, we should be aware of the difference between the following:
Non-proxy-aware
In this case, the thick client application neither has any settings to configure proxy nor has any support to proxy. For such kinds of applications, we need a different approach to set up a proxy.
We can use the burp suite and configure a proxy listener and then intercept the traffic.
Proxy aware
Here, the application itself has proxy setting options that can be used to set up the proxy and intercept the traffic using a proxy tool like burp suite.
Examples of the proxy-aware thick client are ─ Firefox, Google Chrome, and many more.
Network Side Attacks
- Installation Traffic
- Run Time Traffic
Installation Traffic and Run Time Traffic
Analyzing the network traffic between the thick client application and the server might reveal sensitive and unencrypted data like credentials, API keys being transmitted in clear-text, API endpoints, web services, proprietary protocols and file blocks sent over the wire.
Below is the set of network sniffers tools that can be used to analyze the network traffic:
- Wireshark
- SmartSniff
- tcpdump
- Microsoft Network Monitor 3.4
Server-Side Attacks
In this phase, all the OWASP TOP10 vulnerabilities should be checked.
OWASP Top 10:2021
Conclusion
Most of the low-hanging fruits can be addressed if an organization follows secure SDLC practices, integrating security tools in the SDLC life cycle. This way the vulnerabilities are remediated at an early stage of development. Always follow the security by a design approach that ensures your project is secure from the start to the finish.
How eInfochips can help
At eInfochips, we have a dedicated team of security professionals, who have vast experience in various domains of cybersecurity. We have already helped multiple clients in transforming their security posture and reducing their risk. Our experts can help you identify your security loopholes and suggest the best approach to fix them efficiently. Get in touch with us for your security needs.
