Approach to Thick Client Pentesting

Posted by: Hasan Sameer

July 25, 2022

In Brief

Thick client applications have been there for a long time now. Their hybrid infrastructure makes them more vulnerable to cyber-attacks.
Having different architectures and both client and server-side issues expands the threat landscape substantially.
Thick Client Pentesting should have a different approach than the regular pen testing methods. Because the requirements here are different than the traditional applications.
Furthermore, you need to employ the security protocols differently as well. Thick client applications are susceptible to a wide variety of threat vectors due to being exposed on both client and server sides.

What is Thick Client Pentesting?

Thick client applications are full-fledged applications that can work with or without a network. They have hard drives and other components that help them function independently. Thick client pen testing is an aspect of cyber security practices that scans vulnerabilities within your thick client applications to fortify their security.

Here’s your guide to understand why you’d require thick client pen testing.

$1

is the selling price of a consumer account on the dark web

32%

of black hat hackers admit privileged accounts are their number one way to hack systems

3%

of folders are protected by Companies.

92%

of ATMs are vulnerable to hacker attacks.

Penetration Testing Approach for Thick Client Applications

Thick Client Pen Testing

The thick Client Pentesting approach needs the following comprehensive steps:

Knowing the application

The thick client applications have the resources to function without being connected to a network. However, it behaves as a client only when connected to a server. There might be some files and programs the thick client application needs to access but they are not stored on the system. Connecting to a server helps the application access those programs and files.

Some common examples of thick client applications are:

Chrome
Burp Suite
OWASP ZAP
Firefox
Zoom
Desktop games
Music Player
Text editor

Understanding the architecture of the application

There are two common types of architecture for thick client applications:

Two-tier: These applications are based on just a simple client-server construct. No intermediate is present here between the client and server. The client and the server directly communicate with each other without any obstruction. Some examples of two-tier applications are Desktop Games, Music Player, and Text Editor.
Three-tier: The three-tier applications are based on three major components. Here a mediator gets added in between the client and the server. The application server acts as the mediator in between. It helps in data transition from client to server and vice versa. Some examples of three-tier applications are Firefox, Chrome, Burp Suite, and Zap Proxy.

Information Gathering

Along with application architecture, there are other things to identify as well before testing the thick client application. You need to understand the full functionality of the application including the languages and frameworks it is based on. If there are multiple users, then you should navigate through all the UI elements. Every user has different levels of permissions and access. There are unique functionalities you need to discover. Some users might have access to the administrative actions while some may not.

Languages like Dot Net, Java, C/C++, and Microsoft Silverlight are typically used to build thick client applications. Having information about the language the application is built on is necessary as well. You can use some specific tools for this task such as:

CFF Explorer: A tool to make PE editing easier. It does that without any loss of sight upon the portable executable’s structure.
PEid: Helps in the detection of common packers, cryptors, and compilers for PE files.
Detect It Easy (DIE): Determines the file types for Windows, Linux, and macOS.
Strings: A tool for scanning files passing through it for UNICODE or ASCII strings of a default length.

Selecting the method for Thick Client Pentesting

For thick client penetration testing, there are two key methods:

Black-Box Testing: It is the testing approach where the testers initiate the test without any prior knowledge about the app’s configurations. They carry out the testing of all functionalities of the application without any access to design, operation, and backend processes.
Grey-Box Testing: In this testing methodology, testers are provided with some basic information on the working infrastructure of the application. Before approaching the test, they also know about data flow within the application and API documentation.

Carrying out the thick client penetration test

Penetration testing for thick client applications needs a quite comprehensive approach. It mainly includes the following processes:

Detailed analysis of tools and techniques deployed on client as well as the server-side
Identification of all the functions and characteristics of the application
Deciphering all the endpoints
Anatomy of all the security protocols and measures already present to guard the application
Scanning for vulnerabilities, loopholes, and security gaps in the application

Along with all this, there are 5 tracks of analysis in thick client pentesting:

Automated Scan
Configuration Analysis
Network Communication Analysis
Server Analysis
Client Analysis

Before You Go!

Thick client pentesting is a lot trickier than conventional penetration testing. You need to consult an expert for the best result on it.
With RSK Cyber security, you’ll get complete comprehensiveness and flexibility in pen testing for thick client applications. It is certainly among the best cybersecurity companies in Dubai.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Approach to Thick Client Pentesting

In Brief

What is Thick Client Pentesting?

$1

32%

3%

92%

Penetration Testing Approach for Thick Client Applications

Knowing the application

Understanding the architecture of the application

Information Gathering

Selecting the method for Thick Client Pentesting

Carrying out the thick client penetration test

Before You Go!

Tags

Let's talk about your project

Get Secured Today

Locate Us

Products

Solutions

What We do

Know More

Choose Expert guidance to patch vulnerabilities.

Let's talk security today.

Choose hacker style methodologies over fear.

Let's talk security today.

We'd Love to Hear From You

Approach to Thick Client Pentesting

In Brief

What is Thick Client Pentesting?

$1

32%

3%

92%

Penetration Testing Approach for Thick Client Applications

Knowing the application

Understanding the architecture of the application

Information Gathering

Selecting the method for Thick Client Pentesting

Carrying out the thick client penetration test

Before You Go!

Tags

Let's talk about your project

Get Secured Today

Locate Us

Products

Solutions

What We do

Know More

Follow Us

We adhere your privacy!

Choose Expert guidance to patch vulnerabilities. Let's talk security today.

Choose Expert guidance to patch vulnerabilities. Let's talk security today.

Choose hacker style methodologies over fear. Let's talk security today.

We'd Love to Hear From You

Choose Expert guidance to patch vulnerabilities.
Let's talk security today.

Choose Expert guidance to patch vulnerabilities.

Let's talk security today.

Choose hacker style methodologies over fear.

Let's talk security today.