PENTEST: FAT CLIENTS
PROTECT YOUR NATIVE APPLICATIONS
WHAT ARE ENTRY POINTS FOR ATTACKERS?
Companies often use so-called fat clients for various internal and external business functions. These are typically developed in C/C++, .NET or Java and run natively on the operating system rather than in a browser. Such applications are often developed in-house and can pose a high risk to corporate IT security. Because analyzing a fat client requires an approach that differs significantly from a web application analysis, vulnerabilities in fat clients are often overlooked.
During our fat client pentest, our security analysts comprehensively analyze your native applications running on Windows or Unix systems and identify possible entry points for attackers.
COMMON VULNERABILITIES INCLUDE:
- Lack of or weak access control (Broken Access Control)
- Use of IT components with known vulnerabilities
- Missing or weak server-side privilege validation
- Escalation of user privileges (Privilege Escalation)
Conducting fat client pentests requires a high level of technical expertise as well as an in-depth understanding of the programming language used, such as C/C++, .NET or Java. When analyzing a fat client, we focus especially on the data traffic between client and server and on whether access rights are checked correctly on the server side. We often develop our own client to communicate with the server and use it as a proof of concept to verify and exploit the identified attack vectors.
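The server-side check described above is the heart of the matter: a fat client can be replaced by a custom client, so any privilege decision that relies on data the client sends is worthless. The following added example (not code from the page or from any product it describes) contrasts a handler that trusts a client-supplied role with one that derives identity and role from the server's own session store. The session table, report ownership table, request dictionaries and function names are all constructed for this illustration.

```python
"""Added example: server-side privilege validation for a fat-client request.

Shows the weak pattern (the server trusts a role field supplied by the
client) beside the hardened pattern (the server looks up identity and role
in its own session store). Every name and value here is constructed for
the example.
"""

# Constructed server-side session store: session token -> authenticated user.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-bob": {"user": "bob", "role": "admin"},
}

# Constructed resource ownership table: report id -> owning user.
REPORT_OWNERS = {"r-100": "alice", "r-200": "bob"}


class AuthorizationError(Exception):
    """Raised when a request is not permitted."""


def export_report_weak(request: dict) -> str:
    """Weak: the privilege decision uses 'user' and 'role' fields that the
    client sends. A replacement client can set them to anything."""
    report_id = request.get("report_id")
    if report_id not in REPORT_OWNERS:
        raise AuthorizationError("unknown report")
    is_admin = request.get("role") == "admin"
    is_owner = REPORT_OWNERS[report_id] == request.get("user")
    if not (is_admin or is_owner):
        raise AuthorizationError("not permitted")
    return f"report {report_id} exported"


def export_report_hardened(request: dict) -> str:
    """Hardened: identity and role come only from the server's session
    store, keyed by the session token; client-supplied role fields are
    ignored entirely."""
    session = SESSIONS.get(request.get("session_token"))
    if session is None:
        raise AuthorizationError("invalid session")
    report_id = request.get("report_id")
    if report_id not in REPORT_OWNERS:
        raise AuthorizationError("unknown report")
    is_admin = session["role"] == "admin"
    is_owner = REPORT_OWNERS[report_id] == session["user"]
    if not (is_admin or is_owner):
        raise AuthorizationError("not permitted")
    return f"report {report_id} exported"


def is_permitted(handler, request: dict) -> bool:
    """Helper for review: True if the handler accepts the request."""
    try:
        handler(request)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    # Constructed request in which the client claims to be an admin.
    forged = {"session_token": "tok-alice", "user": "alice",
              "role": "admin", "report_id": "r-200"}
    print("weak handler accepts forged role:",
          is_permitted(export_report_weak, forged))        # True
    print("hardened handler accepts forged role:",
          is_permitted(export_report_hardened, forged))    # False
```

During a review of a real client/server pair, the question to ask of every request is the one `export_report_hardened` answers: which fields does the server actually use for the privilege decision, and can the client influence any of them? Traffic captured between the original client and the server shows the candidate fields; replaying the same request with those fields changed shows whether the server's check is genuinely server-side.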
WHAT CHECKS ARE INCLUDED?
Among others, the following checks are part of a fat client pentest:
- Check for the OWASP Top 10 (e.g. vulnerabilities in session management)
- Analysis of the connection setup between client and server including the functions used
- Analysis of business and application logic
- Analysis of files and registry entries created by the application
- Review of the client's architecture