Comprehensive Thick Client Application Pentesting Checklist 🔥

By Het Mehta | Published: 2025-06-03 | Last Updated: 6/11/2025

Introduction

This checklist provides a structured approach to thick client application penetration testing. Thick client applications, unlike web or mobile apps, often run directly on the user's machine, interacting with local resources, the operating system, and potentially remote backend services. This introduces unique attack surfaces and testing methodologies.

It covers key phases from reconnaissance to detailed analysis, drawing inspiration from general application security principles and specific thick client attack vectors.

🧪 Testing Environment Setup

Ensure you have the necessary tools and environment for thick client VAPT:

• Virtual Machine: Dedicated VM (Windows, Linux, macOS) for isolated testing.
• Debuggers: x64dbg (Windows), WinDbg (Windows), GDB (Linux), LLDB (macOS).
• Disassemblers/Decompilers: Ghidra, IDA Pro, dnSpy (.NET), JD-GUI (Java), JEB Decompiler.
• Proxies: Burp Suite (for HTTP/S), Fiddler (for HTTP/S, .NET), Wireshark (for raw network traffic), ProxyCap/Proxifier (for non-HTTP/S application proxying).
• Process Monitoring: Sysinternals Suite (Procmon, Process Explorer, Autoruns) (Windows), `strace`/`lsof` (Linux).
• Memory Analysis:s Cheat Engine, OllyDbg, Volatility Framework.
• File System Tools: SQLite Browser, Registry Editor (Windows), `find`/`locate` (Linux/macOS).
• IPC Tools: Named Pipe/COM explorers (e.g., PipeViewer, OLE/COM Object Viewer).
• Fuzzers: Peach Fuzzer, Sulley, custom scripting tools (e.g., Python `socket` for custom protocols).

Phase 1: Information Gathering & Reconnaissance

• Identify Application Details:
  • Obtain installer/executable and run it to understand basic functionality.
  • Note app name, version, developer, intended use, and any associated documentation.
  • Identify application type (Native C/C++, .NET, Java, Electron, Python, etc.) using tools like `file` or PE-bear.

    # On Linux/macOS to identify file type
    file /path/to/thickclient.exe
    
    # On Windows (using PowerShell to check .NET assembly)
    [System.Reflection.AssemblyName]::GetAssemblyName("C:\path\to\thickclient.exe")
    

  • Identify installation directory, main executable, and associated files (DLLs, configuration files, databases).

    # On Windows, use Process Explorer to see loaded DLLs
    # On Linux, use lsof to list open files by a process
    lsof -p <PID> | grep .so
    

  • Tools: File Explorer, `tasklist`/`ps`, `strings`, `file` command, PE-bear, Process Explorer, `lsof`.
• Map Attack Surface:
  • Understand communication protocols (HTTP/S, custom TCP/UDP, Named Pipes, RPC, COM/DCOM) using network monitoring tools.

    # On Windows, list active connections and associated executables
    netstat -ano | findstr ESTABLISHED
    
    # On Linux, list listening ports and associated processes
    sudo netstat -tulpn
    

  • Identify backend servers/endpoints (if any) by monitoring network traffic.
  • Identify local data storage locations (files, registry, databases) using process monitors.

    # On Windows, use Procmon to filter for File System and Registry activity
    # Filter: Process Name is <app_name>.exe, Operation is WriteFile/RegSetValue
    

  • Enumerate exposed APIs/interfaces (COM objects, IPC mechanisms) using specific explorers.

    # On Windows, use OLE/COM Object Viewer to enumerate COM objects
    # For Named Pipes, look for \\.\pipe\ entries in Procmon or use PipeViewer.
    

  • Tools: Procmon, Wireshark, `netstat`, `regedit`, `lsof`, OLE/COM Object Viewer, PipeViewer.

Phase 2: Static Analysis (SAST) 🔬

• Binary Analysis & Decompilation:
  • Check for packing/obfuscation (e.g., UPX, Themida) and attempt to unpack if possible.

    # Unpack UPX compressed executable
    upx -d /path/to/packed_executable.exe
    

  • Decompile/Disassemble the main executable and relevant DLLs/libraries. Focus on key functions, imports, and exports.
  • Search for interesting strings (URLs, error messages, function names, hardcoded paths, sensitive keywords like "password", "key", "admin").

    # Extract printable strings from a binary
    strings /path/to/executable | grep -i "password\|api_key\|secret"
    
    # On Windows using findstr
    findstr /s /i "password api_key secret" C:\path\to\app\*.*
    

  • Tools: Ghidra, IDA Pro, dnSpy, JD-GUI, JEB Decompiler, `strings`, PE-bear, UPX.
• Analyze Configuration Files & Resources:
  • Review XML, INI, JSON, or other configuration files for sensitive data (e.g., database credentials, API keys) or insecure settings (e.g., debug modes enabled).

    <!-- Example: Insecure configuration in a .NET App.config -->
    <configuration>
      <appSettings>
        <add key="DatabaseConnectionString" value="Data Source=server;Initial Catalog=db;User ID=sa;Password=admin"/>
        <add key="DebugMode" value="true"/>
      </appSettings>
    </configuration>
    

  • Check embedded resources (e.g., `.rsrc` section in PE files, resource bundles in Java) for secrets or vulnerable components.
  • Tools: Text Editor, Hex Editor, Resource Hacker, `grep`/`findstr`.
• Code Review (if source/decompiled code available):
  • Hardcoded Secrets: Search for API keys, credentials, connection strings, encryption keys, tokens. Look for patterns like `const char* password = "..."` or `string apiKey = "..."`.
  • Insecure Data Storage: Look for unencrypted storage of sensitive data in local files, registry, or databases. Check for use of plain text or weak encoding.

    // Example: Insecure file write in C
    FILE *fp = fopen("sensitive_data.txt", "w");
    fprintf(fp, "Username: %s\nPassword: %s\n", username, password);
    fclose(fp);
    

  • Weak Cryptography: Identify weak algorithms (DES, MD5), static IVs, ECB mode, improper key management, or custom crypto implementations. Ensure proper use of secure random number generators.
  • Insecure Communications: Check for hardcoded certificates, missing certificate validation (e.g., `trustAllCerts`), or use of HTTP instead of HTTPS for sensitive data.

    /* Example: Insecure hostname verifier in Java */
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLSession;
    
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true; /* ALWAYS returns true - INSECURE! */
        }
    };
    

  • Input Validation: Look for potential buffer overflows (e.g., `strcpy`, `sprintf` without size checks), format string bugs, command injection, SQL injection in local database interactions (e.g., SQLite).

    // Example: Buffer overflow vulnerability
    char buffer[10];
    strcpy(buffer, user_input); /* No size check */
    
    // Example: SQL Injection in local SQLite DB
    sqlite3_snprintf(1024, sql, "SELECT * FROM users WHERE username='%q'", user_input);
    

  • Vulnerable Libraries:s Check versions of third-party libraries against known CVEs using tools like Retire.js (for Electron/JS apps) or dependency-check.
  • Anti-Analysis: Note presence of anti-debugging, anti-tampering, or anti-reverse engineering techniques (e.g., `IsDebuggerPresent`, checksumming).
  • Tools: Decompilers (Ghidra, IDA Pro, dnSpy), `grep`/`rg`/`findstr`, SAST tools (e.g., Semgrep, SonarQube, Fortify), specific language linters.

Phase 3: Dynamic Analysis (DAST) 🏃

• Process & File System Monitoring:
  • Monitor process creation, termination, and privilege levels. Look for unexpected child processes or privilege escalation attempts.
  • Track file system access (reads, writes, deletes) and registry changes. Identify where sensitive data is stored and if it's protected.

    # Procmon filter example for sensitive file access
    # Process Name: <app_name>.exe
    # Path: C:\Users\<username>\AppData\Local\<app_data_folder>\*
    # Operation: WriteFile, RegSetValue
    # Result: SUCCESS
    

  • Check for insecure file/folder permissions on application directories or data files.

    # On Windows, check permissions
    icacls "C:\Program Files\YourApp"
    
    # On Linux, check permissions
    ls -la /opt/YourApp
    

  • Tools: Procmon, Process Explorer, Autoruns, `icacls`, `ls`.
• Network Traffic Interception & Analysis:
  • Intercept all network traffic (HTTP/S, custom TCP/UDP, other protocols) using a proxy or network sniffer. Configure tools like Burp Suite or Fiddler to proxy non-HTTP/S traffic (e.g., SOCKS proxy).
  • Analyze for unencrypted sensitive data, weak authentication, or insecure session management.
  • Test for SSL/TLS certificate validation bypasses (e.g., if the app accepts self-signed certs or doesn't pin certificates).

    # Wireshark filter for specific custom protocol port
    tcp.port == 12345
    
    # Using ProxyCap/Proxifier to force thick client traffic through Burp/Fiddler
    # Configure application to use SOCKS proxy (Burp's default is 8080)
    

  • Tools: Burp Suite, Fiddler, Wireshark, ProxyCap/Proxifier.
• Memory Analysis:
  • Dump process memory and search for sensitive information (passwords, keys, PII, session tokens) in plain text or easily decipherable formats.

    # Using Volatility to dump process memory (example for Windows)
    vol.py -f <memory_dump.raw> --profile=Win7SP1x64 procdump -p <PID> -D .
    
    # Searching for strings in a memory dump (Linux)
    strings <process_dump.dmp> | grep -i "password\|token"
    

  • Identify and analyze dynamically loaded libraries or code for malicious injection or unexpected behavior.
  • Tools: Cheat Engine, OllyDbg, x64dbg, Volatility Framework.
• API Hooking & Instrumentation:
  • Hook relevant WinAPIs (or equivalent for other OS like `libc` functions) to inspect function calls, arguments, and return values. Focus on file I/O, network I/O, cryptography, and authentication functions.
  • Modify function behavior at runtime to bypass checks (e.g., license checks, anti-debugging) or inject malicious data.

    // Example: Frida script to hook and log parameters of a Windows API (e.g., CryptEncrypt)
    // This is conceptual; actual implementation depends on the specific API and target
    // Load the specific module if not already loaded
    const advapi32 = Module.findExportByName("advapi32.dll", "CryptEncrypt");
    
    if (advapi32) {
        Interceptor.attach(advapi32, {
            onEnter: function (args) {
                console.log("CryptEncrypt called!");
                console.log("hKey:", args[0]);
                console.log("hHash:", args[1]);
                console.log("fFinal:", args[2].toInt32());
                console.log("dwFlags:", args[3]);
                console.log("pbBuffer (input data):", args[4].readByteArray(args[5].readUInt()));
                this.pbBufferLen = args[5]; // Store pointer to length
            },
            onLeave: function (retval) {
                console.log("CryptEncrypt returned:", retval);
                console.log("pbBuffer (output data):", this.pbBufferLen.readByteArray(this.pbBufferLen.readUInt()));
            }
        });
    }
    

  • Consider DLL injection for persistent hooking or code execution.
  • Tools:s Frida, API Monitor, x64dbg/OllyDbg (for setting breakpoints and modifying registers/memory).
• Inter-Process Communication (IPC) Testing:
  • Test Named Pipes, Shared Memory, COM/DCOM objects for unauthorized access, injection, or manipulation. Attempt to connect to and interact with exposed IPC endpoints.

    # Example: Python script to connect to a Named Pipe (Windows)
    import win32file
    import win32pipe
    
    pipe_name = r"\\.\pipe\MyApplicationPipe"
    try:
        handle = win32file.CreateFile(
            pipe_name,
            win32file.GENERIC_READ | win32file.GENERIC_WRITE,
            0, None,
            win32file.OPEN_EXISTING,
            0, None
        )
        # Write/Read data to/from the pipe
        win32pipe.SetNamedPipeHandleState(handle, win32pipe.PIPE_READMODE_MESSAGE, None, None)
        win32file.WriteFile(handle, b"ATTACK_COMMAND")
        resp = win32file.ReadFile(handle, 4096)
        print(f"Received: {resp[1].decode()}")
        win32file.CloseHandle(handle)
    except Exception as e:
        print(f"Error: {e}")
    

  • Fuzz IPC inputs for crashes, unexpected behavior, or injection vulnerabilities.
  • Tools: Custom scripts (Python, C#), PipeViewer, OLE/COM Object Viewer, RPCView.
• Input Fuzzing & UI Manipulation:
  • Fuzz all user-controllable inputs (text fields, file uploads, command line arguments, configuration file inputs) for crashes, buffer overflows, format string bugs, or injection vulnerabilities.

    # Example: Fuzzing command line arguments with a long string
    ./thickclient.exe --config "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
    
    # Example: Fuzzing a configuration file with malformed XML/JSON
    # Create a malformed config.xml and launch the app with it
    

  • Test for UI-based vulnerabilities like clickjacking, insecure clipboard usage, or insecure drag-and-drop functionality.
  • Tools: Peach Fuzzer, Sulley, custom fuzzing scripts, UI Automation tools (e.g., AutoIt, PyAutoGUI).
• Privilege Escalation & Local Exploits:
  • Test if a standard user can gain administrative privileges through the application (e.g., insecure update mechanisms, weak service permissions, insecure file writes to protected directories).
  • Check for DLL hijacking vulnerabilities by placing malicious DLLs in search paths.
  • Analyze services created by the application for weak permissions or unquoted service paths.

    # On Windows, check service permissions (replace "YourService" with actual service name)
    sc qc "YourService"
    icacls "C:\Program Files\YourApp\YourService.exe"
    
    # Check for unquoted service paths using wmic
    wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
    

  • Tools: Metasploit, specific privilege escalation tools (e.g., PrintSpoofer, JuicyPotato), `accesschk`, `sc`, `wmic`.

Phase 4: Network & Backend API Analysis ☁️

• Intercept & Analyze Traffic:
  • Proxy all application network traffic. Identify protocols beyond HTTP/S (e.g., custom binary protocols, WebSockets, gRPC).
  • Analyze TLS configuration (weak ciphers, certificate issues, pinning). Use tools like `testssl.sh` or `sslyze` against backend endpoints.
  • Look for sensitive data sent over unencrypted channels or weak encryption, or data that is merely encoded (e.g., Base64) but not encrypted.

    # Example Wireshark filter for unencrypted HTTP basic auth
    http.authbasic
    
    # Check for custom protocols in Burp/Fiddler and use their extensibility to parse
    # For binary protocols, manual analysis or custom scripts might be needed.
    

  • Tools: Burp Suite, Fiddler, Wireshark, `testssl.sh`, `sslyze`.
• Analyze Backend API Endpoints (Apply OWASP API Security Top 10):
  • AuthN/AuthZ: Test authentication (weak credentials, brute-force, default credentials), session management, BOLA/IDOR (change IDs in requests), BFLA (access restricted functions by changing roles/permissions).
  • Input Validation: Test for SQLi, NoSQLi, Command Injection, XXE, SSRF, XSS on all inputs to backend APIs. Fuzz parameters with common attack payloads.

    # Example: Testing for SQL Injection in an API parameter
    POST /api/v1/search HTTP/1.1
    Host: backend.thickclientapp.com
    Content-Type: application/json
    
    {"query": "product' OR 1=1--"}
    
    # Example: Testing for Command Injection in a backend endpoint
    POST /api/v1/execute_command HTTP/1.1
    Host: backend.thickclientapp.com
    Content-Type: application/json
    
    {"command": "ping 127.0.0.1 & whoami"}
    

  • Other Checks: Insecure Deserialization, Information Disclosure (e.g., verbose error messages, sensitive data in responses), Rate Limiting bypasses, Mass Assignment, Server-Side Request Forgery (SSRF).
  • Tools: Burp Suite (Repeater, Intruder, Scanner), ZAP, Postman, `curl`, `sqlmap`, SecLists.
  • Payload Concepts: Standard web payloads adapted to API context, specific to thick client protocols if applicable.

  # Example: Testing for Insecure Direct Object Reference (IDOR) on a backend API
  # This would be part of the traffic intercepted from the thick client
  GET /api/v1/user_data?id=123 HTTP/1.1  --> Change '123' to another user's ID
  Host: backend.thickclientapp.com
  Authorization: Bearer <valid_token_for_user_123>
  ...
  
  # Example: Testing for XXE via XML payload
  POST /api/v1/xml_parser HTTP/1.1
  Host: backend.thickclientapp.com
  Content-Type: application/xml
  
  <?xml version="1.0"?>
  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <data>&xxe;</data>
  

Phase 5: Reporting 📝

• Document Findings:
  • Detail each vulnerability (Description, Proof of Concept, Impact).
  • Include clear evidence (screenshots, logs, memory dumps, network captures, code snippets).
  • Assign severity (e.g., CVSS v3.1) and provide a clear risk rating.
• Provide Actionable Remediation Recommendations: Suggest specific fixes and best practices for developers.
• Structure Report: Executive Summary, Methodology, Findings, Conclusion, Appendices (tools used, scope).
• Communicate Results:s Present findings to stakeholders (developers, product owners, management), prioritize fixes, and follow up on remediation efforts.

📚 Resources

• OWASP Reverse Engineering and Code Analysis Project
• OWASP API Security Top 10
• Sysinternals Suite Documentation
• Frida - Dynamic Instrumentation Toolkit
• Ghidra - Software Reverse Engineering Framework
• IDA Pro - Disassembler and Debugger
• Burp Suite by PortSwigger
• Fiddler Web Debugging Proxy
• Wireshark - Network Protocol Analyzer
• SecLists - The Security Tester's Companion
• Volatility Framework - Memory Forensics

Conclusion

This checklist provides a robust framework for conducting thick client application penetration tests. Remember that thick client applications often present unique challenges due to their interaction with the local operating system and diverse underlying technologies. Adapt your testing based on the specific application's architecture and always stay updated with the latest security research and tools.