
Thick Client Penetration Testing

The thick client application needs a continuous connection to the server. Such information is lethal for compromising the application.

Thick client applications are not new; they have existed for a long time. However, performing a pentest on a thick client is not as simple as a web application pentest. Thick clients are widely used across organizations for their internal operations. In this series of articles, we will learn the various tools and techniques used to perform thick client application penetration testing. Taking a step-by-step approach, we will start with the very basics and work up to advanced test cases.

Referenced under multiple names, such as fat client, heavy client, rich client or thick client, such applications follow a client–server architecture. For an easy-to-understand approach, thick clients are applications which are deployed locally on our systems. With that said, thin client apps are only as fast and reliable as the user's internet connection and the server's bandwidth. Examples of thin client applications are websites like google.com or yahoo.com.

Thick client applications are of two types. The two-tier thick client application consists of the user computer and the server, for example:

– A VB.NET application directly communicating with the database using Open Database Connectivity (ODBC)

The three-tier thick client application involves three tiers, wherein the client talks to the application server, which in turn talks to the database.

Thick client – server using HTTP over SSL to communicate – Techniques: configuring the server's certificate. If the Java client application ships with the server's certificate as part of the (signed) JAR, then you will need to decompile, modify the JAR, recompile and re-sign the JAR:
– Decompile the JAR
– Extract the JAR

GADI007 is an Information Security Professional with experience in network and Web application penetration testing.
Please do post some more useful articles on thick client applications.

Good website, hope to provide some more about cs client testing methods and cases.

The table below provides a mapping.

By instructing the client to open its connection to the ITR instead of the server, the entire connection is shifted to work through the ITR, without the client or the server noticing a difference. This tool can be used to intercept the methods, alter data and also test the security of Java applications on your computer. In the following sections, we will discuss the critical vulnerabilities faced by thick client applications. During the installation and execution of thick client applications, these apps tend to write/modify sensitive details in files and registries.

Ambitious about his goals, he always makes sure to solve the security issues he finds.

This means that the security of the application is dependent on the local computer. Thick clients are often not well-suited for public environments.

The industry underestimates the importance of thick client application security testing, leaving all the related concerns to the responsibility of the software publishers. Being generally more complicated and customized than web or mobile apps, thick client software needs a specific approach when it comes to a security audit. Apriorit performs all types of security audit: white box and black box, internal and external security testing.

Replacing the application's actual DLLs with a malicious file of the same name can lead to critical findings in the application. Many times the configuration files of the application reveal URLs, server credentials, cryptographic keys or hardcoded passwords. These applications take up memory and run completely on the computer's resources. This can be configured within a virtual machine environment using only network interfaces.

Thick Clients

The complete processing is carried out on the server.

Thick Client Application Security Assessment

Standards we follow: OWASP, PTES, SANS, OSSTMM, WASC, NIST SP800-115.

Approach: scope of the security assessment, thick client application complexity, onsite/offsite execution, time frame and support, short-term/long-term contract duration and commercials.

Do note that performing thick client SQL injection needs patience and is a time-consuming task.

[Table: Serial No. | OWASP Top Ten Most Critical Web Application Vulnerabilities | Thick Client Most Critical Application Vulnerabilities; rows not recovered]

© 2020 SecureLayer7.


Testing these types of thick clients is easy and straightforward, due to the fact that interception of requests is easier.

The team starts with research of the software system, potential targets and attackers, and then builds a custom vulnerability assessment plan.