
Thick Client Application Penetration Test: What Is And How To Do

Threat Intelligence • Jun 09, 2023

Thick client apps have been around a long time and can still be found in a wide range of businesses. With the hybrid work model of today, thick/fat client apps can be a lucrative target for hackers. In this blog, we’re giving you a detailed view of thick client applications and their security. Read on to find out the steps involved in testing thick client apps.

What Is Thick Client Penetration Testing?

A thick client, also known as a fat client, is a client application that can provide rich functionality independent of the server in a network. Thick clients can perform the majority of their functions without a live connection to the server. While they do require a periodic network connection to the central server, they can work offline and may have resources that are stored locally.


A thin client, on the other hand, is a client app or computer that cannot function without a connection to the server. Thin clients do as little processing as possible on their own and depend heavily on accessing the server every time to process or validate input data. Essentially, the thickness of a client refers to the amount of processing it does and the data held on the client device versus the servers with which it communicates. As the data and processing increase, so does the thickness of the client app.


Take, for instance, a gaming app that you have on your phone. Most of its functionalities are available even when you’re offline. However, to play socially and communicate with other people while playing, you may need to connect to a server. This is an example of a thick client application. Other examples of thick client apps include Google Talk, Yahoo Messenger, and Microsoft Outlook.

Two-Tier and Three-Tier Thick Clients

Thick clients can exist in two-tier or three-tier network architecture types. The client/server model of networks is also referred to as the tiered model because it is designed with multiple tiers or levels.


In a three-tier architecture, the client app communicates with the server via an application server. The three tiers that make up this model are the presentation tier, the application tier and the data tier. The end user interacts with the application using the presentation tier; the application tier processes the data collected in the presentation tier; the data tier is where the processed information is stored and managed.


The thick client application communicates directly with the server in a two-tier architecture. This model consists of the presentation tier and the data tier. The end user has direct access to the data tier, which makes it a less secure network architecture compared to the three-tier model.

Why Should You Test Thick Client Applications?

Thick and thin clients work in different ways and each has its own benefits and drawbacks. One of the major benefits of using thin clients over thick clients is the security they provide.


Thin clients don’t have locally stored resources or removable media ports and that reduces their risk of malware infections and data losses.
Some of the major security flaws associated with thick clients include:
 

  • Injection attacks;
  • Variable and response manipulation;
  • Improper error handling;
  • Insecure storage;
  • Sensitive data disclosure;
  • Denial of Service (DoS);
  • Improper access control;
  • Improper session management;
  • Reverse engineering.


Browser-related security flaws don’t apply to thick client apps as they don’t depend on web browsers to function.

Penetration Testing for Thick Client Applications

Thick Client App Pen Tests are designed to detect and verify security vulnerabilities that are present in a thick client application. This type of penetration testing focuses on three key areas - the thick client software application, network traffic, and the backend interface. It combines both automated and manual testing to review the client-side, network, and server-side controls and validate their effectiveness. 

The 5 Steps Of Thick Client Application Penetration Testing

Collecting Information

This step includes gathering as much information as possible about the app using scanners, public tools, and specially designed requests.

Mapping the Target

Understanding the application's objective from the user's and attacker's perspectives.

Discovering Vulnerabilities

Finding flaws in the app using test cases.

Exploitation

Exploit the target application to gain higher privileges using the discovered vulnerabilities.

Reporting and Analysis

Report identified vulnerabilities and prioritize them according to the level of risk.

Activities performed during a Thick-Client Penetration Test

Client-side:

 

  • Analysis to identify sensitive content;
  • File analysis;
  • Binary analysis (decompilation / reverse engineering);
  • Memory analysis;
  • DLL hijacking vulnerability;
  • Insecure client-side GUI controls;
  • Insecure file permissions.
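
A defender-side check for two of the client-side items above, insecure file permissions and sensitive content in local files, as an added example that is not from the original article. It assumes POSIX permission bits (on Windows the equivalent check reads the folder ACLs, for example with icacls); the patterns, file names and sample values are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Illustrative patterns for secrets left in client-side config files (not exhaustive).
SECRET_PATTERNS = {
    "password in config": re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s\"']+"),
    "api key or token": re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*[\"']?[\w-]{8,}"),
}
TEXT_EXTENSIONS = {".config", ".ini", ".xml", ".json", ".properties"}


def audit_install_dir(root):
    """Return sorted (relative_path, finding) pairs for one install directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # never follow links out of the install tree
            if mode & stat.S_IWOTH:
                # Any local user could replace this file or plant a library here.
                findings.append((rel, "world-writable"))
            ext = os.path.splitext(name)[1].lower()
            if stat.S_ISREG(mode) and ext in TEXT_EXTENSIONS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                findings += [(rel, label) for label, rx in SECRET_PATTERNS.items() if rx.search(text)]
    return sorted(findings)


def build_sample_install():
    """Create a constructed install tree (all names and values are made up)."""
    root = tempfile.mkdtemp(prefix="thickclient_")
    files = {
        "client.config": '<add name="db" connectionString="Server=db.example;User Id=app;Password=Example123;" />\n',
        "readme.txt": "Constructed sample client, version 1.0\n",
    }
    for name, body in files.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o644)  # fix the mode so the result does not depend on umask
    plugins = os.path.join(root, "plugins")
    os.mkdir(plugins)
    os.chmod(plugins, 0o777)  # simulate an installer that left the folder open to everyone
    return root
```

Running `audit_install_dir(build_sample_install())` flags the config file for its embedded password and the `plugins` folder as world-writable; the readme is not reported.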

 


 
Network:

  • Man-in-the-middle attacks;
  • Transport encryption review;
  • Replay attacks.

 


 
API / Web Services:

 

  • XML Injection;
  • XPath Injection;
  • XML Attribute Blow-up Attacks;
  • SOAP Array Abuse Attacks;
  • XML External Entities Attacks;
  • XML Entity Expansion Billion Laughs Attack;
  • XML Entity Expansion Quadratic Blow-up Attacks;
  • SQL Injection;
  • Access Control Bypass;
  • Insecure Administrative Interfaces;
  • Vulnerable Software;
  • Command Injection;
  • SMTP Injection;
  • Information Leakage;
  • Insufficient Automation Protection;
  • Insecure SSL Configurations;
  • Denial of Service.

 
Once vulnerabilities are identified, the technical and business risks of each vulnerability are then estimated.

The 4 Phases of Thick Client Pen Tests

The penetration testing process for thick clients is carried out in 4 phases.

Static Analysis

Static testing is used to inspect an application’s source, binary, or byte code and identify the root cause of vulnerabilities. Developers can then create code that is less vulnerable, address underlying issues and thereby reduce security risks. However, security flaws that lie outside of the code cannot be detected through static testing.

Dynamic Analysis

Dynamic analysis uses simulated attacks from the front-end to test the application and find vulnerabilities. This test exploits the application like a real attacker would, and can identify run-time flaws in the application.

System Analysis

The entire, fully-integrated software product is validated in a system test. It is a series of tests that evaluates end-to-end system specifications.

Network Analysis

Network analysis details how a hacker can get access to the system through compromised networks. It provides insight into external vulnerabilities and misconfigurations.

Thick Client App Pen Testing Best Practices

  1. Test in all phases of the SDLC: Integrating security testing throughout the SDLC ensures that security is considered from the early stages of development. By testing in each phase, you can identify and address vulnerabilities and weaknesses early on, reducing the risk of security flaws being introduced.
  2. Test the people, processes, and technology: Test all the factors that go into the creation of a successful application. This includes evaluating the knowledge, awareness, and adherence to secure practices among personnel involved in the application's development and maintenance; assessing the effectiveness of security policies, standards, and guidelines; and verifying the implementation of security controls and evaluating the application's overall security posture.
  3. Focused Penetration Testing: Focused penetration testing involves revisiting vulnerabilities identified in previous security assessments to determine if they have been adequately addressed. By retesting known vulnerabilities, you can verify the effectiveness of remediation efforts and ensure that the identified weaknesses have been properly resolved.
  4. Use a balanced testing approach: Relying solely on a single testing approach is not sufficient to uncover all possible vulnerabilities. A balanced testing approach combines manual testing, automated scanning tools, and technical testing techniques to achieve comprehensive coverage. Manual testing allows for human creativity and intuition, while automated tools can help identify common vulnerabilities quickly. Technical testing involves in-depth analysis of the application's architecture, code, and security controls.
  5. Document the results of testing: It is essential to document the findings, methodologies, and recommendations resulting from the penetration testing activities. Detailed documentation provides a clear record of identified vulnerabilities, steps to reproduce them, and suggestions for remediation. This documentation serves as a valuable reference for developers, security teams, and stakeholders involved in securing the thick client application.
  6. Ongoing Monitoring and Maintenance: Penetration testing is not a one-time activity. It is important to establish an ongoing monitoring and maintenance process for the application's security. Regularly monitor the application for emerging vulnerabilities and threats, and promptly address any identified security issues. Keep up with security updates, patches, and upgrades for the application and its components.

Importance of Regular Patching and Updates for Thick Client Apps

Thick client applications often handle sensitive data and perform critical functions, making them lucrative targets for attackers. Moreover, organisations heavily rely on thick client applications for their day-to-day operations, emphasising the need for robust security measures. Regular testing of thick client applications is crucial to maintain their security posture and protect against evolving threats.


Proactive patching is particularly essential as the window between the discovery of a vulnerability and the exploitation by attackers continues to decrease. Timely patching helps to mitigate the risk of attacks targeting known vulnerabilities, ensuring that the thick client application remains secure against emerging threats.

EvolvePT Automated Penetration Testing

Evolve’s on-demand Automated Penetration Testing provides great coverage with deep testing that includes the latest vulnerabilities as they are released, for quicker risk identification and compliance all year round. Our specialist security testers verify the results from the automated test to ensure that no efforts are spared when it comes to your security.

Conclusion

Thick client applications don’t usually undergo thorough testing because security testing is quite often focused on web and mobile applications. However, thick client apps can contain a range of different vulnerabilities that can lead to the complete compromise of your systems.
