Thick Client Application Security Testing

Introduction

Thick client applications are applications installed locally on a user's desktop or laptop. They are full-featured and can run without a connection to the Internet, unlike web applications, which run in a browser and need a connection to their server. Some examples of thick client applications are:

 

  1. Computer games like Call of Duty, Uncharted, etc.
  2. Web browsers
  3. Music players
  4. Video and chat tools like Teams, Zoom, Slack, etc.

 

Thick client applications come in two flavors:

 

  1. Two-Tier Applications: These are self-contained applications where the server/database and client are installed on the same machine or the same internal network. Traffic from the thick client goes to the server directly without passing through an intermediary such as the Internet or an application server.
  2. Three-Tier Applications: These applications connect over the Internet and have their business logic processed by an application server. The thick client resides on the user's desktop while the application server and database are hosted elsewhere. Network interactions typically use HTTP/S, which allows traditional request / response testing. In addition, some thick clients use other protocols such as FTP/S, or custom protocols carried directly over TCP or UDP.

 

 

How different is the testing of thick clients compared to web applications?

Thick clients often carry less business logic than web applications, since much of it lives on the server, but they add vulnerability classes of their own. This table illustrates the difference in vulnerabilities that are applicable to web applications vs. thick clients.

 

No   Vulnerability                                               Web App   Thick Client
1.   Session Management                                          Y         Y
2.   Error Handling                                              Y         Y
3.   SQL Injection                                               Y         Y
4.   XSS / CSRF / Clickjacking and other web-specific attacks    Y         N
5.   Improper Access Control / Parameter Tampering               Y         Y
6.   Reverse Engineering                                         N         Y
7.   Insecure Storage                                            Y         Y
8.   Hardcoded sensitive data                                    N         Y
9.   DoS                                                         Y         Y
10.  DLL Hijacking / Buffer Overflow                             N         Y

 

Other vulnerabilities include:

 

  • Insecure update management (e.g. insecure protocols for updates, untrusted sources for updates, unsigned patches)
  • Insecure cryptographic storage (caches, passwords in memory / disk / registry, etc.)
  • Environmental issues (insecure user permissions on files/folders)
  • Privilege escalation through IPC communications (e.g. local IPC listener runs as SYSTEM/root, client can pass commands to listener)
  • Insecure compilation options (lack of DEP and ASLR protections)
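As an added example (not code from the original post), this Python script checks the last item above, insecure compilation options, by reading the DllCharacteristics field of a PE file's optional header. The flag constants are the documented IMAGE_DLLCHARACTERISTICS_* and IMAGE_FILE_* values from the PE/COFF specification; build_minimal_pe is a helper that constructs a header-only image so the check can be exercised without a real binary.

```python
"""Check a Windows PE file for DEP (NX) and ASLR link-time flags.

Added example, not code from the original post. It reads the
DllCharacteristics field of IMAGE_OPTIONAL_HEADER directly, so it needs
nothing beyond the standard library. Constants are the documented
IMAGE_DLLCHARACTERISTICS_* / IMAGE_FILE_* values from the PE/COFF spec.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be rebased at load (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP/NX compatible
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000         # Control Flow Guard
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # no .reloc: cannot actually be rebased


def read_mitigations(data: bytes) -> dict:
    """Walk MZ -> PE -> COFF -> optional header and return the mitigation flags."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # DYNAMIC_BASE is meaningless if the linker stripped the relocations
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def assess(data: bytes) -> list:
    """Return a list of findings; an empty list means every checked mitigation is present."""
    m = read_mitigations(data)
    findings = []
    if not m["dep"]:
        findings.append("DEP/NX not enabled (NX_COMPAT unset)")
    if not m["aslr"]:
        findings.append("ASLR not effective (DYNAMIC_BASE unset or relocations stripped)")
    elif m["pe32plus"] and not m["high_entropy_va"]:
        findings.append("64-bit image without HIGH_ENTROPY_VA")
    if not m["cfg"]:
        findings.append("Control Flow Guard not enabled")
    return findings


def build_minimal_pe(dll_chars: int, pe32plus: bool = True, relocs_stripped: bool = False) -> bytes:
    """Constructed, header-only PE image for demonstration; it is not a runnable executable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)  # EXECUTABLE_IMAGE
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:  # no path given: fall back to a constructed 32-bit image with nothing enabled
        image = build_minimal_pe(0, pe32plus=False)
    for finding in assess(image) or ["no issues in DllCharacteristics"]:
        print(finding)
```

Run it as python pe_mitigations.py target.exe (the script name is assumed). DllCharacteristics does not cover every mitigation: stack cookies (/GS) and SafeSEH are recorded elsewhere in the image, so treat this as the first pass rather than the whole check.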

 

The OWASP Top 10 needs to be checked for any web apps that may interface with the thick client.

 

No   OWASP Top 10 (2021) Vulnerability                 Applicable for Web App
1.   Broken Access Control                             Y
2.   Cryptographic Failures                            Y
3.   Injection                                         Y
4.   Insecure Design                                   Y
5.   Security Misconfiguration                         Y
6.   Vulnerable and Outdated Components                Y
7.   Identification and Authentication Failures        Y
8.   Software and Data Integrity Failures              Y
9.   Security Logging and Monitoring Failures          Y
10.  Server-Side Request Forgery                       Y

 

 

Tools for testing thick clients

There are far fewer tools available for testing thick clients than web-based apps. Many tools are no longer under active development, and some have been ported to web / mobile environments.

 

Tools used for testing thick clients include:

 

  1. Echo Mirage – The Swiss army knife of thick client testing tools. Like Burp / OWASP ZAP, it lets you intercept and edit traffic between client and server, but it works differently: it injects into the target process and hooks its Winsock and OpenSSL calls, so data is captured before it is encrypted and after it is decrypted. That is why, unlike Burp, no certificate has to be installed locally even though encrypted traffic can be intercepted. It has not been updated for years and may not hook applications that use a TLS library it does not recognise.
  2. Sysinternals Suite – This comprehensive suite of free tools from Microsoft shows what the thick client does on the host: the processes it spawns, the files it touches and the registry keys it creates or reads. Process Monitor (Procmon) covers file, registry and process activity in one tool and has superseded the older Regmon and Filemon; Process Explorer shows loaded DLLs and open handles, and Strings pulls printable text out of binaries. The suite contains many other tools.
  3. Mallory – This Linux-based man-in-the-middle proxy captures and lets you modify TCP / UDP traffic, including protocols that are not HTTP.
  4. dnSpy / dotPeek / .NET Reflector – .NET thick clients ship as IL assemblies, which decompile back to near-original C# unless they were obfuscated, so hardcoded data and business logic are often readable. dnSpy and dotPeek decompile and let you inspect DLL and EXE files; dnSpy can also debug and patch them. .NET Reflector is a commercial decompiler with debugging support. Obfuscated assemblies usually need a separate de-obfuscator (e.g. de4dot) first.
  5. Burp Invisible Mode – Burp's proxy listener has an "invisible proxying" option for proxy-unaware thick clients. Add a hosts-file entry that resolves the server's hostname to 127.0.0.1, bind a Burp listener on the port the client uses, and set the listener to redirect to the real host and port; the client then connects to Burp believing it is the server. For TLS the client still has to trust Burp's CA certificate, or pinning has to be defeated. The BApp Store also has the NoPE Proxy extension, which adds interception of non-HTTP TCP traffic to Burp.
  6. Wireshark – This versatile packet capture tool shows what is actually on the wire, including unknown or non-TCP protocols that Burp / Echo Mirage cannot capture. It is passive, so encrypted payloads stay opaque unless you can supply the session keys.
  7. JavaSnoop – For Java thick clients, this attaches to a running JVM and lets you intercept any method, tampering with its parameters and return values in place. It works on existing Java processes by attaching itself to the running process.
  8. Text Editors – Thick clients frequently keep configuration in plain-text files on the local system, often .config or .ini files. Any text editor can be used to inspect these for sensitive content such as hardcoded passwords, access tokens, keys and connection strings.
  9. OllyDbg / IDA Pro – Debugger and disassembler for reverse-engineering native EXE and DLL files. Hex editors and Strings (Sysinternals, or strings on Linux) are quicker when all you need is to search a binary for URLs, keywords or embedded credentials.
  10. Nmap – Useful for identifying the ports opened by the thick client or its server components, and therefore the services that need to be tested.
  11. Spy++ – Ships with Visual Studio and enumerates windows, controls and the messages they receive, which supports GUI tampering such as locating a disabled control or a masked password field that can then be altered.
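As an added example (not code from the original post), here is the text-editor check from item 8 in script form: a Python scanner for hardcoded secrets in .ini and .NET-style .config files. SAMPLE_INI and SAMPLE_CONFIG are constructed inputs, and the key and value patterns are assumptions a tester would tune for the target.

```python
"""Flag hard-coded secrets in thick client configuration files.

Added example, not code from the original post. It covers the two formats
the post names, .ini files and .NET-style XML .config files, and reports an
entry when either the key name looks sensitive or the value itself looks
like a credential. SAMPLE_INI and SAMPLE_CONFIG are constructed inputs.
"""
import configparser
import re
import xml.etree.ElementTree as ET

# key names that usually hold credentials (assumed list; extend for the target)
SENSITIVE_KEY = re.compile(
    r"passw(or)?d|pwd|secret|token|api[_-]?key|private[_-]?key|connectionstring", re.I)
# values that carry a credential regardless of what the key is called
SENSITIVE_VALUE = re.compile(
    r"(?i:password=|pwd=)"                     # embedded in a connection string
    r"|-----BEGIN [A-Z ]*PRIVATE KEY-----"      # PEM private key
    r"|\bAKIA[0-9A-Z]{16}\b"                   # AWS access key id
    r"|\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\."  # JWT header.payload.
)


def scan_pairs(pairs, source):
    """Return (source, key, value) for every pair that looks like a secret."""
    findings = []
    for key, value in pairs:
        if value and (SENSITIVE_KEY.search(key) or SENSITIVE_VALUE.search(value)):
            findings.append((source, key, value))
    return findings


def scan_ini(text, source="config.ini"):
    # interpolation=None so a literal '%' in a password does not raise
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    pairs = [(f"{section}.{key}", value)
             for section in cp.sections()
             for key, value in cp.items(section)]
    return scan_pairs(pairs, source)


def scan_dotnet_config(text, source="app.config"):
    root = ET.fromstring(text)
    pairs = []
    # <appSettings><add key value/> and <connectionStrings><add name connectionString/>
    for add in root.iter("add"):
        key = add.get("key") or add.get("name") or ""
        value = add.get("value") or add.get("connectionString") or ""
        pairs.append((key, value))
    return scan_pairs(pairs, source)


def mask(value, keep=3):
    """Show only a prefix so the report itself does not leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


# Constructed sample inputs
SAMPLE_INI = """
[database]
host = db.internal.example
user = app_svc
password = Winter2024!

[api]
endpoint = https://api.example.test/v1
ApiKey = sk_live_0123456789abcdef

[ui]
theme = dark
"""

SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="LogLevel" value="Info" />
    <add key="ServiceToken" value="eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhcHAifQ.sig" />
  </appSettings>
  <connectionStrings>
    <add name="MainDb" connectionString="Server=db;Database=app;User Id=sa;Password=Winter2024!;" />
  </connectionStrings>
</configuration>
"""

if __name__ == "__main__":
    for source, key, value in scan_ini(SAMPLE_INI) + scan_dotnet_config(SAMPLE_CONFIG):
        print(f"{source}: {key} = {mask(value)}")
```

Matching on the value as well as the key matters: the MainDb entry is caught only because its connection string embeds Password=, and a config that stores credentials under an innocuous key name would otherwise pass.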

 

 

Thick client testing process

 

Image: sz_think_client_image001.png (thick client testing process)

 

 

Echo Mirage in action

These screenshots show how to configure Echo Mirage to capture traffic going to and from a thick client.

 

Echo Mirage Startup Screen

 

Image: sz_think_client_image002.png

Figure 1: Echo Mirage Startup Screen

 

Identify the application intended to run

 

Image: sz_think_client_image003.png

Figure 2: Running IE in Echo Mirage

 

Capturing request / response

 

Image: sz_think_client_image004.png

Figure 3: Response Capture from IE

 

Echo Mirage configuration

 

Image: sz_think_client_image005.png

Figure 5: Configuration Options
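As an added example (not code from the original post), the relay below reproduces on plain TCP what the screenshots above do with Echo Mirage, and what Burp's invisible mode does for HTTP: the client is sent to 127.0.0.1 (in practice by a hosts-file entry for the server's hostname), the relay connects onward to the real server, and every chunk in both directions is logged and can be rewritten in flight. start_fake_server is a constructed stand-in for the real backend, and the escalate hook is an assumed parameter-tampering case.

```python
"""Intercept a proxy-unaware thick client with a transparent TCP relay.

Added example, not code from the original post. The client is pointed at
127.0.0.1 the way Burp's invisible mode is set up (hosts-file entry for the
server's hostname); the relay connects onward to the real server and logs,
and optionally rewrites, every chunk in both directions. start_fake_server
is a constructed stand-in for the real backend.
"""
import socket
import threading


def pump(src, dst, direction, log, tamper):
    """Copy bytes src -> dst until EOF; log each chunk (as sent) and propagate the EOF."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            chunk = tamper(direction, chunk)
            log.append((direction, chunk))
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # tell the other side we are done writing
        except OSError:
            pass


def start_relay(upstream, tamper=lambda direction, chunk: chunk):
    """Listen on an ephemeral loopback port and relay each connection to `upstream`."""
    log = []
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:  # listener closed
                return
            server = socket.create_connection(upstream)
            for args in ((client, server, "C->S"), (server, client, "S->C")):
                threading.Thread(target=pump, args=args + (log, tamper), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1], log, listener


def start_fake_server():
    """Constructed backend: answers each connection with 'OK ' + the request upper-cased."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"OK " + conn.recv(4096).upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def thick_client_request(port, payload):
    """What the proxy-unaware client does: connect, send, read until the server closes."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


def escalate(direction, chunk):
    """Assumed parameter-tampering hook: rewrite the client's role claim before it reaches the server."""
    return chunk.replace(b"role=user", b"role=admin") if direction == "C->S" else chunk


def demo(tamper=lambda direction, chunk: chunk):
    """Run client -> relay -> server on loopback; return (reply seen by client, relay log)."""
    server_port, srv = start_fake_server()
    relay_port, log, listener = start_relay(("127.0.0.1", server_port), tamper)
    try:
        reply = thick_client_request(relay_port, b"login user=alice role=user\n")
    finally:
        listener.close()
        srv.close()
    return reply, log


if __name__ == "__main__":
    reply, log = demo(escalate)
    for direction, chunk in log:
        print(direction, chunk)
    print("client saw:", reply)
```

The tamper hook is where the parameter tampering and access control tests from the table happen, and the log is the equivalent of the request / response captures above. The relay sees plaintext only: for TLS you have to terminate the connection yourself with a certificate the client trusts, which is exactly the step Echo Mirage's in-process hooking avoids.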

 

 

Conclusion

This blog highlights different tools and approaches for testing a thick client application for vulnerabilities. The tools have changed little over time, and the way thick client applications are assessed has not shifted much, in contrast to web and mobile applications, where new frameworks and technologies have continually given rise to new tools and testing methods.

Senior Consultant | Optiv
Senior Consultant for the Application Security team in Optiv’s Threat Management practice.
