Thick Clients and Desktop Applications Penetration Testing

A Thick Client application refers to an application that runs on a user’s local machine where the client handles most of the business logic.

At a high level, this type of application handles most of the validation, has access to various local components, and creates and processes temporary data that might contain sensitive information.

Thick clients are commonly built on one of two architectures:

  • Two-tier architecture - the client application communicates directly with a database through a database connection driver.
  • Three-tier architecture - the client application uses HTTP to communicate with an application server, which in turn queries a database to read and write data.

Binary Brotherhood tests thick clients and other desktop applications by executing manual attack scenarios, including:

  • Client-side attack vectors (binary analysis, local storage and memory testing, etc.)
  • Traffic interception and manipulation
  • Communication protocol fuzzing
  • Server-side attack vectors (probing for injection attacks, sensitive data disclosure, denial of service (DoS), and similar issues covered by the OWASP Ten Most Critical Web Application Security Risks (OWASP Top Ten)).