I have been recently testing many thick client applications. Colleagues and friends have come to me inquiring what my approach is. In this post, I'd like to share my methodology for testing thick clients to find security issues. A thick client is a type of application where the bulk of the processing and operations happen on the client side, i.e. on the machine where the application is installed. Common examples of thick client applications are video games, audio/video editing tools, Microsoft Office, etc.
A thick client security assessment can be divided into the four major parts below.
- Static test
- Dynamic test
- System test
- Network test
Static test

Here we observe and test for potential issues in the thick client binary and the files it uses, such as configuration and set-up files.
- Source code decompilation
Based on the technology stack used to build the binary, one can attempt to recover the source code with a relevant decompiler. For .NET, one can use ILSpy or dnSpy; JD-GUI or jadx for Java-based applications. IDA Pro can be used for C/C++ with varying degrees of success.
- Code Injection
If decompilation succeeds, attempt to introduce new code or edit existing code to perform malicious actions (such as a backdoor) and recompile the application. If the modified application runs, report this as a flaw in the application's integrity validation.
- Configuration files in cleartext
If configuration and set-up files are in cleartext, they may contain information such as usernames, passwords, API keys and other sensitive client/server details. Report any such information found during inspection.
- Test storage mechanism
Observe how the application stores data at rest. Report if it is stored in cleartext or in base64-encoded form.
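As an added example (not code from the original post), the following Python script performs the two checks above on a configuration file found beside the binary: it reports credential-bearing keys stored in cleartext and keys whose value is merely base64-encoded, which recovers just as easily. The sample configuration, the list of key names treated as sensitive and the base64 heuristic are my assumptions; extend the key list for the application under test.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample, standing in for a settings.ini / app.config found next to the binary
SAMPLE_CONFIG = """\
[database]
server=db.internal.example
username=svc_app
password=Summer2019!

[api]
api_key=c2VjcmV0LWtleS0wMDQy
timeout=30

[ui]
theme=dark
"""

# Key names treated as credential-bearing (an assumption; extend for the application under test)
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|api[_-]?key|token|connectionstring", re.IGNORECASE)


def looks_base64(value: str) -> bool:
    """True when value is well-formed base64 that decodes to printable ASCII.

    That is the signature of encoding used as if it were protection: anyone with
    the file can recover the secret, so it is reported like cleartext."""
    if len(value) < 8 or len(value) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return all(0x20 <= b < 0x7F for b in decoded)


def scan_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, storage form, recovered value) for every sensitive key=value entry."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if "=" not in stripped or stripped.startswith(("#", ";", "[")):
            continue  # comments, section headers, blank or malformed lines
        key, value = (part.strip() for part in stripped.split("=", 1))
        if not value or not SENSITIVE_KEY.search(key):
            continue
        if looks_base64(value):
            findings.append((key, "base64-encoded (not encrypted)", base64.b64decode(value).decode("ascii")))
        else:
            findings.append((key, "cleartext", value))
    return findings


if __name__ == "__main__":
    for key, form, value in scan_config(SAMPLE_CONFIG):
        print(f"{key}: {form} -> {value}")
```

The base64 test deliberately requires the decoded bytes to be printable: a value that decodes to random-looking bytes is more likely a real ciphertext or key blob, which is a different finding (review how the key is stored) rather than a trivially recoverable secret.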
Dynamic test

Here we interact with the application through its various input points and observe how it reacts to malicious input.
- Input validation
Test all input fields for issues such as SQL injection, command injection, buffer overflows, file system attacks, etc.
- Test File upload
If the application provides a file upload feature, test whether one can upload a malicious custom file. Also test how the application parses very large files.
- Broken authentication & session management
Test how the application performs authentication and handles session management. Report the acceptance of weak passwords, the possibility of user enumeration, improper session expiry, etc.
- Try connecting directly to server
Once you find the server's IP address, try to connect to it directly and interact with it. If this succeeds, the validations and constraints enforced by the thick client application have been bypassed.
- Log forging
If the application maintains logs, attempt to tamper with log entries using malicious out-of-band payloads, spoofed data, appending large amounts of data to the file, etc.
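To make the log forging check concrete, here is an added Python example (mine, not from the original post) showing a logging routine that writes untrusted input verbatim next to a hardened version that escapes control characters and caps the field length. The logging functions, the field names and the constructed input are assumptions used to illustrate the defect and its fix.

```python
import re

# Control characters (including CR and LF) that a log consumer may interpret as a record boundary
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def write_log_unsafe(log: list, user: str, event: str) -> None:
    """Vulnerable form: untrusted input is written verbatim, so an embedded CR/LF
    starts a new line and the rest of the value becomes a forged entry."""
    log.append(f"user={user} event={event}")


def sanitize_log_field(value: str, max_len: int = 200) -> str:
    """Escape control characters so they stay visible on one line, and cap the length
    so oversized values cannot bloat the file or bury earlier entries."""
    def escape(match: "re.Match[str]") -> str:
        ch = match.group(0)
        return {"\r": "\\r", "\n": "\\n", "\t": "\\t"}.get(ch, "\\x%02x" % ord(ch))

    cleaned = CONTROL_CHARS.sub(escape, value)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...[truncated]"
    return cleaned


def write_log_safe(log: list, user: str, event: str) -> None:
    """Hardened form: every untrusted field is sanitized before it reaches the log."""
    log.append(f"user={sanitize_log_field(user)} event={sanitize_log_field(event)}")


# Constructed input that tries to append a fake successful login as a second log line
FORGED_USERNAME = "alice\r\nuser=admin event=login_success"


def compare() -> tuple:
    """Write the same input through both paths; returns (unsafe_entry, safe_entry)."""
    unsafe, safe = [], []
    write_log_unsafe(unsafe, FORGED_USERNAME, "login_failed")
    write_log_safe(safe, FORGED_USERNAME, "login_failed")
    return unsafe[0], safe[0]


if __name__ == "__main__":
    unsafe_entry, safe_entry = compare()
    print("unsafe log lines:", unsafe_entry.splitlines())
    print("safe log line:   ", safe_entry)
```

When reviewing a client's own logging, the things to look for are exactly what the hardened version adds: newline neutralization, an upper bound on field size, and (not shown) a structured format such as JSON where the consumer never has to guess where one record ends.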
- Weak GUI control
Inspect the application's GUI controls to learn whether it is possible to enable additional or unintended features or options for the current user. Tools that can aid in testing this are WinSpy++ and WinManipulate.
System test

Here we observe and test the dependencies and interactions between the application and the operating system.
- Test for sensitive data in memory
Check RAM for how data is present while the application is running. One can potentially find credentials in cleartext and other important information. WinHex or ProcDump along with Volatility can extract and analyze memory.
- Dependency mapping
One can use Process Explorer and ProcMon from the SysInternals Suite to observe what dependencies the application has. We may find some juicy information and learn how the application functions. This knowledge will come in handy in conjunction with other potential misconfigurations when attacking.
- Privilege level
Using icacls, check the privileges/permissions on the files and directories the thick client uses. If any excessive permission is found, it must be reported. One attack scenario is where the directory in which the application is installed has excessive permissions, and dependency mapping has shown that a dependent file, say a .dll, is missing. DLL hijacking is then possible: a malicious .dll placed in that directory will be loaded by the application at runtime.
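As an added example (my code, not part of the original post), here is a Python parser for the output that icacls prints, which flags every directory where a low-privileged principal holds write rights. Run `icacls "C:\Program Files\<app>" /t` and feed the output to `find_low_priv_writable`; the sample output, the set of principals considered low-privileged and the table of multi-word account names are assumptions.

```python
import re
from typing import List, Set, Tuple

# Constructed sample in the format icacls prints for an install directory and one subfolder
SAMPLE_ICACLS = r"""C:\Program Files\ThickApp Everyone:(OI)(CI)(F)
                          BUILTIN\Users:(OI)(CI)(RX)
                          NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                          BUILTIN\Administrators:(OI)(CI)(F)

C:\Program Files\ThickApp\plugins BUILTIN\Users:(OI)(CI)(M)
                                  NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                  BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 2 files; Failed processing 0 files
"""

# Principals any interactive user can act as (compared case-insensitively); an assumption
LOW_PRIV_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users",
                       r"nt authority\interactive"}
# icacls right abbreviations that allow creating or modifying files (simple and specific rights)
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WEA", "WA", "WDAC", "WO", "DC", "DE"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Multi-word account names that may follow the path on its first line (assumed list; extend as needed)
MULTIWORD_PRINCIPALS = (r"NT AUTHORITY\Authenticated Users", r"NT AUTHORITY\SYSTEM",
                        r"NT AUTHORITY\INTERACTIVE", r"NT SERVICE\TrustedInstaller", "CREATOR OWNER")

# '<prefix>:(flag)(flag)(rights)' where prefix is '<path> <principal>' or just '<principal>'
ACE_LINE = re.compile(r"^(?P<prefix>.*?):(?P<perms>(?:\([^)]*\))+)\s*$")


def split_path_principal(prefix: str) -> Tuple[str, str]:
    """First line of each path carries '<path> <principal>'; both may contain spaces."""
    for name in MULTIWORD_PRINCIPALS:
        if prefix.endswith(" " + name):
            return prefix[: -len(name) - 1], name
    path, _, principal = prefix.rpartition(" ")
    return path, principal


def parse_rights(perms: str) -> Set[str]:
    """'(OI)(CI)(RX)' -> {'RX'}; specific rights such as '(RD,WD,AD)' are split on commas."""
    rights: Set[str] = set()
    for group in re.findall(r"\(([^)]*)\)", perms):
        if group not in INHERITANCE_FLAGS:
            rights.update(part.strip() for part in group.split(","))
    return rights


def parse_icacls(output: str) -> List[Tuple[str, str, Set[str]]]:
    """Return (path, principal, rights) for every ACE in icacls output."""
    entries = []
    path = ""
    for raw in output.splitlines():
        match = ACE_LINE.match(raw)
        if not match:
            continue  # blank line or the 'Successfully processed' summary
        prefix = match.group("prefix")
        if raw[:1].isspace():
            principal = prefix.strip()  # continuation line: same path as the line above
        else:
            path, principal = split_path_principal(prefix)
        entries.append((path, principal, parse_rights(match.group("perms"))))
    return entries


def find_low_priv_writable(output: str) -> List[Tuple[str, str, List[str]]]:
    """Flag ACEs that let a low-privileged principal write into the application's directories."""
    return [(path, principal, sorted(rights & WRITE_RIGHTS))
            for path, principal, rights in parse_icacls(output)
            if principal.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS]


if __name__ == "__main__":
    for path, principal, rights in find_low_priv_writable(SAMPLE_ICACLS):
        print(f"{path}: {principal} has {','.join(rights)}")
```

A hit on the install directory or any directory on the application's DLL search path is the finding to report; the fix on the product side is to install under a location that only administrators can write to and to reference dependencies by absolute path where possible.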
- Check if ASLR/DEP is enabled
The application binary and associated files such as .dll files must be compiled with ASLR and DEP. This makes exploiting memory corruption difficult for an attacker. If either is missing, it must be reported.
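The flags can be read directly from the PE headers without any third-party tool. The Python checker below is an added example (mine, not from the original post): it reads the COFF and optional headers, reports ASLR (DYNAMIC_BASE), high-entropy ASLR, DEP (NX_COMPAT) and CFG, and treats ASLR as absent when the relocation table has been stripped, since the loader then cannot rebase the image. `build_minimal_pe` constructs header-only test images and is not a loadable binary; the flag constants are the values from the PE/COFF specification.

```python
import struct
from typing import Dict, List

# DllCharacteristics bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
# COFF Characteristics bits
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # relocations removed, so the loader cannot rebase the image
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002


def check_mitigations(data: bytes) -> Dict[str, bool]:
    """Read ASLR/DEP/CFG flags straight from the PE headers of an .exe or .dll image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                         # IMAGE_FILE_HEADER
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]   # Characteristics
    opt = coff + 20                                             # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]     # same offset for PE32 and PE32+
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        # DYNAMIC_BASE alone is not enough: without relocations the image loads at its preferred base
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "cfg": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "relocs_stripped": relocs_stripped,
    }


def missing_mitigations(result: Dict[str, bool]) -> List[str]:
    """The findings to report: ASLR and DEP are the must-haves named in the checklist."""
    return [name for key, name in (("aslr", "ASLR"), ("dep", "DEP")) if not result[key]]


def check_file(path: str) -> Dict[str, bool]:
    """Check a real .exe/.dll on disk; the headers sit at the start of the file."""
    with open(path, "rb") as fh:
        return check_mitigations(fh.read(4096))


def build_minimal_pe(dll_characteristics: int, file_characteristics: int = IMAGE_FILE_EXECUTABLE_IMAGE,
                     pe32plus: bool = True) -> bytes:
    """Constructed header-only image for exercising the checker; it is not loadable."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE signature directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)   # ASLR set, NX_COMPAT missing
    result = check_mitigations(sample)
    print(result, "missing:", missing_mitigations(result))
```

Run `check_file` over the main executable and every .dll shipped in the install directory; a single dependency without DYNAMIC_BASE gives an attacker a fixed-address module, so report per file rather than per application.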
Network test

Here we observe and test network communication between the client and the server or any other connected entity.
- Testing transmission of sensitive data
Observe how data is passed over the wire. Report sensitive data such as user credentials, personally identifiable information (PII), etc. transmitted in cleartext. Wireshark can be used to observe unencrypted transmission of sensitive information.
- Testing weak encryption
Usage of weak encryption such as MD5, RC4, etc. may result in broken authentication, spoofing attacks, key leakage and poor integrity of data in transit, and must be reported. Vulnerability scanners such as Nessus can help spot weak encryption, along with Wireshark to observe its usage.
- Scan server for low hanging fruits
Use Nmap/Nessus to find what ports and services are open on the server, along with the OS version and patch level. If any unnecessary service is in use, research further to learn whether a vulnerability is present that could be leveraged to attack the server.
- Testing SSL/TLS usage
In recent times many high-impact issues such as Heartbleed, FREAK, Logjam, etc. have been reported in SSL/TLS protocols and implementations. One should check for the use of weak cipher suites, weak security policies, deprecated protocols and misconfigurations. Tools that can aid in testing these are Nmap, sslscan, sslyze and OpenSSL.
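The weak-encryption and SSL/TLS checks above both come down to classifying what the server accepted. As an added example (mine, not from the original post or any of the tools named), the Python script below parses scanner output in the `Accepted/Preferred <protocol> <bits> bits <cipher>` layout that sslscan prints and flags deprecated protocol versions, weak primitives in the OpenSSL cipher name (RC4, MD5, DES/3DES, NULL, export and anonymous suites), short keys and suites without forward secrecy. The sample lines are constructed, and the issue wording is my own.

```python
import re
from typing import List, Tuple

# Constructed lines in the 'Accepted/Preferred  <protocol>  <bits> bits  <cipher>' layout sslscan uses
SAMPLE_SCAN = """\
Accepted  SSLv3    128 bits  RC4-SHA
Accepted  TLSv1.0  168 bits  DES-CBC3-SHA
Accepted  TLSv1.2  128 bits  AES128-SHA
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
"""

SCAN_LINE = re.compile(r"^(?:Accepted|Preferred)\s+(?P<proto>\S+)\s+(?P<bits>\d+)\s+bits\s+(?P<cipher>\S+)")
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# OpenSSL cipher-name tokens that mark a weak primitive; matched on whole '-'-separated tokens
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher (biased keystream)",
    "RC2": "RC2 block cipher",
    "MD5": "MD5-based MAC",
    "DES": "DES/3DES block cipher (64-bit block)",
    "NULL": "NULL cipher, no confidentiality",
    "EXP": "export-grade key length",
    "ADH": "anonymous DH, no server authentication",
    "AECDH": "anonymous ECDH, no server authentication",
}
FORWARD_SECRECY_KEX = {"ECDHE", "DHE", "EDH"}


def classify(protocol: str, cipher: str, bits: int) -> List[str]:
    """Return the list of issues for one accepted (protocol, cipher suite) pair; empty means clean."""
    issues = []
    if protocol in DEPRECATED_PROTOCOLS:
        issues.append(f"deprecated protocol {protocol}")
    tokens = set(cipher.split("-"))
    issues.extend(desc for tok, desc in WEAK_TOKENS.items() if tok in tokens)
    if bits < 128:
        issues.append(f"short key ({bits} bits)")
    if not tokens & FORWARD_SECRECY_KEX:
        issues.append("no forward secrecy (static key exchange)")
    return issues


def scan_report(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (protocol, cipher, issues) for each accepted suite that has at least one issue."""
    report = []
    for line in text.splitlines():
        match = SCAN_LINE.match(line.strip())
        if not match:
            continue  # headers, certificate details and other lines the scanner prints
        proto, cipher, bits = match.group("proto"), match.group("cipher"), int(match.group("bits"))
        issues = classify(proto, cipher, bits)
        if issues:
            report.append((proto, cipher, issues))
    return report


if __name__ == "__main__":
    for proto, cipher, issues in scan_report(SAMPLE_SCAN):
        print(f"{proto} {cipher}: {'; '.join(issues)}")
```

The `EXP` token covers the export-grade suites behind FREAK; Logjam depends on the size of the server's DH parameters, which does not appear in the cipher name, so check that separately in the scanner's key-exchange output. The `DES` token flags both single DES and `DES-CBC3` (3DES), which is intended, since the 64-bit block size is the weakness.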
I owe my learning to the InfoSec community, which helped me develop this methodology to assess thick client applications. The data was scattered over the Internet, so I've attempted to put it together in the form of a checklist and contribute back to the community. This descriptive checklist is for quick reference and for those who are new to testing thick client applications. If this helps you or you have any feedback, kindly let me know with a comment. Happy hunting!
Disclaimer: Any actions and/or activities related to the material contained within this post are solely your responsibility. The misuse of the information in this post can result in criminal charges brought against the persons in question. The author will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this post to break the law.