Fat Client Pentesting: Hands-On Decompilation & Exploitation - Guest Lecture at Hochschule München University of Applied Sciences

28. June 2024

Last Tuesday, usd visited the Hochschule München University of Applied Sciences for the second time as part of the "IT Security" lecture series. Our colleague Merten Nagel, Managing Consultant and Pentester at usd HeroLab, gave students an introduction to the topic of "Fat Client Pentesting" followed by a practical task.

"In order to give the students practical insights into our daily work, I decided to do a hands-on workshop. After all, trying things out and testing them yourself is one of the best ways to learn in pentesting."

Merten Nagel

The workshop started with an insight into the basics. For example, questions such as: What is a fat client? What are the most common vulnerabilities? And how does a pentest work? In general, fat clients are desktop applications that can be a valuable target for attackers. Vulnerabilities in these applications allow unauthorized access to the server-side business logic of a user's entire application landscape, including all the data stored there. With fat client pentests, these vulnerabilities can be proactively identified and subsequently fixed in time.

Once the basics had been clarified, the students, equipped with pizza and drinks, set about the practical task. Using VuCSA, a Java application for pentesting fat clients, they tested the methods of hackers themselves by exploiting an SQL injection and command execution in a provided application. Afterwards, the students had the opportunity to ask questions about daily work at usd AG and share their experiences in a relaxed atmosphere. As part of our efforts to grow the security community, our colleagues are always eager to visit German universities and share our daily work as cyber security professionals.

Also interesting:

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

usd AG Listed as EPI Partner for Mobile Security Evaluations

usd AG Listed as EPI Partner for Mobile Security Evaluations

The popularity of mobile payments is growing, and with it, the demand for verified security. usd AG is expanding its activities in the EPI environment and will also conduct Mobile Security Evaluations in the future. This places us among the few EPI-listed Security...

Categories

Categories