Approach to Thick Client Pentesting

icon Posted by: Hasan Sameer
icon July 25, 2022

In Brief

What is Thick Client Pentesting?

Thick client applications are full-fledged applications that can work with or without a network. They have hard drives and other components that help them function independently. Thick client pen testing is an aspect of cyber security practices that scans vulnerabilities within your thick client applications to fortify their security.

Here’s your guide to understand why you’d require thick client pen testing.

 

$1

is the selling price of a consumer account on the dark web

32%

of black hat hackers admit privileged accounts are their number one way to hack systems

3%

of folders are protected by Companies.

92%

of ATMs are vulnerable to hacker attacks.

Penetration Testing Approach for Thick Client Applications

Thick Client Pen Testing

 

The thick Client Pentesting approach needs the following comprehensive steps:

Knowing the application

The thick client applications have the resources to function without being connected to a network. However, it behaves as a client only when connected to a server. There might be some files and programs the thick client application needs to access but they are not stored on the system. Connecting to a server helps the application access those programs and files.

Some common examples of thick client applications are:

  • Chrome
  • Burp Suite
  • OWASP ZAP
  • Firefox
  • Zoom
  • Desktop games
  • Music Player
  • Text editor

Understanding the architecture of the application

There are two common types of architecture for thick client applications:

  1. Two-tier: These applications are based on just a simple client-server construct. No intermediate is present here between the client and server. The client and the server directly communicate with each other without any obstruction. Some examples of two-tier applications are Desktop Games, Music Player, and Text Editor.
  2. Three-tier: The three-tier applications are based on three major components. Here a mediator gets added in between the client and the server. The application server acts as the mediator in between. It helps in data transition from client to server and vice versa. Some examples of three-tier applications are Firefox, Chrome, Burp Suite, and Zap Proxy.

Information Gathering

Along with application architecture, there are other things to identify as well before testing the thick client application. You need to understand the full functionality of the application including the languages and frameworks it is based on. If there are multiple users, then you should navigate through all the UI elements. Every user has different levels of permissions and access. There are unique functionalities you need to discover. Some users might have access to the administrative actions while some may not.

Languages like Dot Net, Java, C/C++, and Microsoft Silverlight are typically used to build thick client applications. Having information about the language the application is built on is necessary as well. You can use some specific tools for this task such as:

  • CFF Explorer: A tool to make PE editing easier. It does that without any loss of sight upon the portable executable’s structure.
  • PEid: Helps in the detection of common packers, cryptors, and compilers for PE files.
  • Detect It Easy (DIE): Determines the file types for Windows, Linux, and macOS.
  • Strings: A tool for scanning files passing through it for UNICODE or ASCII strings of a default length.

Selecting the method for Thick Client Pentesting

For thick client penetration testing, there are two key methods:

  1. Black-Box Testing: It is the testing approach where the testers initiate the test without any prior knowledge about the app’s configurations. They carry out the testing of all functionalities of the application without any access to design, operation, and backend processes.
  2. Grey-Box Testing: In this testing methodology, testers are provided with some basic information on the working infrastructure of the application. Before approaching the test, they also know about data flow within the application and API documentation.

Carrying out the thick client penetration test

Penetration testing for thick client applications needs a quite comprehensive approach. It mainly includes the following processes:

  • Detailed analysis of tools and techniques deployed on client as well as the server-side
  • Identification of all the functions and characteristics of the application
  • Deciphering all the endpoints
  • Anatomy of all the security protocols and measures already present to guard the application
  • Scanning for vulnerabilities, loopholes, and security gaps in the application

Along with all this, there are 5 tracks of analysis in thick client pentesting:

  1. Automated Scan
  2. Configuration Analysis
  3. Network Communication Analysis
  4. Server Analysis
  5. Client Analysis

Before You Go!

  • Thick client pentesting is a lot trickier than conventional penetration testing. You need to consult an expert for the best result on it.
  • With RSK Cyber security, you’ll get complete comprehensiveness and flexibility in pen testing for thick client applications. It is certainly among the best cybersecurity companies in Dubai.

Tags

  • cybersecurity companies in dubai
  • thick client pentesting

Let's talk about your project

Banner Banner

Get Secured Today

Request an audit

Locate Us

Headquarter Anerley Court, Half Moon Lane, Hidenborough, Kent, TN11 9HU,
UK.
Contact: +44(0) 1732 833111
UAE Concord Tower, 6th Floor, Dubai Media City, 126732
Dubai, UAE.
Contact: +971 (0) 4 454 9844
USA 103 Carnegie Center Blvd. Ste. 300 Princeton, NJ 08540,
USA.
Contact: +1(732) 333 8853
India Plot No.14, 5th Floor, Sector-18, Gurugram -122015 Haryana,
India.
Contact: +91(0) 124 4201376
+44 789 707 2660

We'd Love to Hear From You