Pentest Fat Clients

Protect your native applications

What are entry points for attackers?

Companies often use so-called fat clients for various internal and external business functions, which are often developed in C/C++, .NET or Java and run natively on the operating system without being accessible via the browser. These applications are often developed in-house and can pose a high risk to corporate IT security. Since the analysis of a fat client differs significantly from a web application analysis in terms of the approach taken by analysts, vulnerabilities in fat clients are often overlooked.

During our fat client pentest, our security analysts comprehensively analyze your native applications running on Windows or Unix systems and identify possible entry points for attackers.

Common vulnerabilities include:

  • Lack of or weak access control (Broken Access Control)
  • Use of IT components with known vulnerabilities
  • Missing or weak server-side privilege validation
  • Escalation of user privileges (Privilege Escalation)

What is our approach to Fat Client Pentests?

Our pentests are conducted according to a standardized approach, which is enhanced by specific aspects for fat client pentests:

Conducting fat client pentests requires a high level of technical expertise as well as in-depth understanding of the programming language used, such as C/C++, .NET or Java. We focus especially on the analysis of the data traffic between client and server and the correct check of access rights on the server side when analyzing a fat client. We often develop our own client as a means of communication with the server and as a proof of concept in order to verify and exploit the identified attack vectors.


What checks are included in Fat Client Pentests?

These checks are part of fat client pentests, among others:

  • Check for OWASP TOP 10 (e.g. vulnerability in session management)
  • Analysis of the connection setup between client and server including the functions used
  • Analysis of business and application logic
  • Analysis of files and registry entries created by the application
  • Verification of the architecture of the client

Depending on the programming language, we optionally perform code reviews for critical applications. Here, we analyze the source code for security vulnerabilites and enable an highly in-depth analysis. In addition, we check compliance with recognized secure coding guidelines and best practices.

Are your systems protected against attackers?

We are happy to discuss your options for analyzing your fat clients by our security analysts. Feel free to contact us.

More Insights

Pentest: Our standardized approach

Pentest: Your benefits at a glance



Please contact us with any questions or queries.


Phone: +49 6102 8631-190
Contact Form


Daniel Heyne
usd Team Lead Sales,
Security Consultant Pentest, OSCP, OSCE