Pentest: Fat-Clients

Protect your native applications

What are entry points for attackers?

Companies often use so-called fat clients for various internal and external business functions. These are typically developed in C/C++, .NET or Java and run natively on the operating system rather than in the browser. Because such applications are frequently developed in-house, they can pose a high risk to corporate IT security. Since the analysis of a fat client differs significantly from a web application analysis in the approach analysts must take, vulnerabilities in fat clients are often overlooked.

During our fat client pentest, our security analysts comprehensively analyze your native applications running on Windows or Unix systems and identify possible entry points for attackers.

Common vulnerabilities include:

  • Lack of or weak access control (Broken Access Control)
  • Use of IT components with known vulnerabilities
  • Missing or weak server-side privilege validation
  • Escalation of user privileges (Privilege Escalation)

What is our approach?

Our pentests are conducted according to a standardized approach, which is enhanced by specific aspects for fat client pentests:

Conducting fat client pentests requires a high level of technical expertise as well as an in-depth understanding of the programming language used, such as C/C++, .NET or Java. When analyzing a fat client, we focus especially on the data traffic between client and server and on whether access rights are correctly enforced on the server side rather than only in the client. We often develop our own client to communicate with the server and use it as a proof of concept to verify and exploit the identified attack vectors.


What checks are included?

These checks are part of fat client pentests, among others:

  • Check for OWASP Top 10 issues (e.g. vulnerabilities in session management)
  • Analysis of the connection setup between client and server including the functions used
  • Analysis of business and application logic
  • Analysis of files and registry entries created by the application
  • Verification of the architecture of the client

Depending on the programming language, we optionally perform code reviews for critical applications. Here, we analyze the source code for security vulnerabilities, which enables a highly in-depth analysis. In addition, we check compliance with recognized secure coding guidelines and best practices.


Are your systems protected against attackers?

We are happy to discuss your options for having your fat clients analyzed by our security analysts. Feel free to contact us.

Contact


Please contact us with any questions or queries.


Phone: +49 6102 8631-190
Email: sales@usd.de
PGP Key
S/MIME
Contact Form


Daniel Heyne
usd Team Lead Sales,
Security Consultant Pentest, OSCP, OSCE