Comprehensive Thick Client Application Pentesting Checklist

By Het Mehta | Published: 2025-06-03 | Last Updated: 3/27/2026

Disclaimer

Performing penetration testing without explicit, written permission from the application owner is illegal and unethical. This content is provided for educational purposes only.

Introduction

This checklist provides a structured approach to thick client application penetration testing. Thick client applications - also known as fat clients or desktop apps that run directly on the user's machine and interact with local resources, the operating system, and often remote backend services. Unlike web apps, there is no WAF between the attacker and the application logic: debuggers can be attached directly to running processes, memory can be dumped and searched, and binaries can be reverse engineered entirely offline. This makes thick client VAPT both uniquely rewarding and uniquely complex.

This checklist aligns with the OWASP Thick Client Application Security Verification Standard (TASVS) and the OWASP Desktop App Security Top 10. It covers key phases from reconnaissance to detailed exploitation and reporting.

OWASP TASVS (Thick Client Application Security Verification Standard)
OWASP Desktop App Security Top 10
OWASP API Security Top 10 (for backend testing)

🧪 Testing Environment Setup

Before starting a thick client security assessment, setting up a clean, isolated testing environment is critical. Use a dedicated VM to avoid contaminating your host machine and to allow clean snapshots between test runs.

Phase 1: Information Gathering & Reconnaissance

The first step in any thick client penetration test is thoroughly understanding the application, like its architecture, technology stack, communication model, and local footprint. Knowing whether you're dealing with a 2-tier (client talks directly to DB) or 3-tier (client talks to app server which talks to DB) architecture fundamentally shapes the attack surface and testing priorities.

Identify Application Details:
- Obtain the installer/executable. Run it and explore basic functionality across all user roles (standard user, admin, etc.).
- Identify the application type and tech stack (Native C/C++, .NET, Java, Electron, Python/PyInstaller, etc.) using CFF Explorer or Detect It Easy (DIE).
```
# Quick file type identification on Linux/macOS
file /path/to/thickclient.exe

# Check if it's a .NET assembly on Windows (PowerShell)
[System.Reflection.AssemblyName]::GetAssemblyName("C:\path\to\thickclient.exe")

# Use Detect It Easy (DIE) or CFF Explorer for GUI-based identification
```
- Determine architecture: 2-tier (client ↔ DB) or 3-tier (client ↔ app server ↔ DB). 2-tier apps expose the DB directly and often have a much larger attack surface.
- Identify the installation directory, main executable, associated DLLs, config files, and local databases.
```
# On Windows, use Process Explorer to inspect loaded DLLs
# On Linux, list open files for a running process
lsof -p <PID> | grep "\.so"
```
- If Electron-based: note the app version, check for --inspect / --remote-debugging-port flags, and locate app.asar for JS source extraction.
- Tools: CFF Explorer, DIE (Detect It Easy), PEStudio, Process Explorer, lsof, file.
Map Attack Surface:
- Identify all communication channels (HTTP/S, custom TCP/UDP, Named Pipes, RPC, COM/DCOM, WebSockets, gRPC) by monitoring live traffic.
```
# Windows: list active connections with PID
netstat -ano | findstr ESTABLISHED

# Linux: list listening ports with process names (use ss, not netstat)
ss -tulpn

# Windows: real-time view using TCPView (Sysinternals)
```
- Identify all backend servers and API endpoints by monitoring live network traffic with Wireshark or TCPView during normal use.
- Identify local data storage locations (flat files, SQLite DBs, registry keys, temp files, log files) using Procmon filters.
```
# Procmon filter to catch only app file/registry writes
# Process Name is <app_name>.exe AND Operation is WriteFile OR RegSetValue
```
- Take a Regshot snapshot before and after install/login to diff all registry changes.
- Enumerate exposed IPC mechanisms: Named Pipes (\\.\pipe\), COM/DCOM objects (OLE/COM Object Viewer), RPC endpoints (RPCView).
- Tools: Procmon, Wireshark, TCPView, ss/netstat, Regshot, OLE/COM Object Viewer, RPCView, PipeViewer.

Phase 2: Static Analysis (SAST) 🔬

Static analysis of thick client applications involves examining binaries, decompiled code, and configuration files without running the application. This phase is where you'll find hardcoded credentials, weak cryptography, insecure storage patterns, and missing binary protections — all before writing a single exploit.

Binary Identification & Unpacking:

Check for packers/obfuscators (UPX, Themida, .NET Reactor, etc.) using Detect It Easy (DIE) or PEStudio. Attempt to unpack if possible.

# Unpack a UPX-compressed executable
upx -d /path/to/packed_executable.exe

# Detect It Easy (DIE) will identify packer, compiler, and framework

Decompile/disassemble the main executable and key DLLs. For .NET: use dnSpy, ILSpy, or dotPeek. For Java: use Jadx or JD-GUI. For native: use Ghidra or IDA Pro.

For Electron apps: extract app.asar to recover the full JS/HTML/CSS source.

# Extract Electron app.asar
npx asar extract app.asar ./extracted_source

# Then search the JS source for hardcoded secrets, nodeIntegration=true, etc.
grep -r "nodeIntegration\|contextIsolation\|allowRunningInsecureContent" ./extracted_source

Search binaries and all files for sensitive strings (credentials, keys, tokens, URLs).

# Extract and grep strings from a binary
strings /path/to/executable | grep -iE "password|api.key|secret|token|bearer|jdbc"

# On Windows using findstr
findstr /s /i "password api_key secret token" C:\path\to\app\*.*

Tools: DIE (Detect It Easy), PEStudio, CFF Explorer, Ghidra, IDA Pro, dnSpy, ILSpy, dotPeek, Jadx, JD-GUI, UPX, strings.

Binary Protection Checks (Windows):
A key thick client VAPT check that is often missed: verify that compiled binaries have modern exploit mitigations enabled. Missing protections raise the exploitability of any memory corruption bug found later.
- ASLR (Address Space Layout Randomization): Randomizes memory layout to make shellcode harder to aim. Check Dynamic Base flag is set.
- DEP / NX (Data Execution Prevention): Prevents execution from non-executable memory regions (stack, heap). Check NX Compat flag.
- SafeSEH (32-bit only): Validates exception handlers to prevent SEH overwrite exploits.
- CFG (Control Flow Guard): Restricts valid call targets to prevent ROP chain abuse.
- Authenticode / Code Signing: Verify that EXEs and DLLs are signed by a trusted publisher using Sigcheck.
- HighEntropyVA (64-bit): Enables high-entropy ASLR for 64-bit processes.
- Tools: PESecurity (NetSPI), BinSkim, PEStudio, CFF Explorer, Sigcheck, Process Explorer (Properties → Image tab).
Analyze Configuration Files & Resources:
- Review all config files (XML, INI, JSON, YAML, App.config, appsettings.json) for hardcoded credentials, API keys, connection strings, or debug flags.
```

<configuration>
  <appSettings>
    <add key="ConnectionString" value="Server=db01;Database=app;User=sa;Password=P@ssw0rd"/>
    <add key="DebugMode" value="true"/>
  </appSettings>
</configuration>
```
- Check embedded resources (PE .rsrc section, Java resource bundles, Electron assets) for secrets or vulnerable bundled components.
- Verify dependency versions for known CVEs. Use OWASP Dependency-Check or review packages.config / pom.xml / package.json manually.
- Tools: Text Editor / VS Code, Resource Hacker, grep / findstr, OWASP Dependency-Check.
Code Review (Decompiled Source):
- Hardcoded Secrets: Credentials, tokens, connection strings, API keys, JWT secrets, hardcoded admin/backdoor accounts.
- Insecure Local Storage: Sensitive data written to plaintext files, unprotected SQLite DBs, or registry keys readable by all users.
```
// Insecure: writing credentials to a plaintext file
FILE *fp = fopen("session.dat", "w");
fprintf(fp, "user=%s&pass=%s", username, password);
fclose(fp);
```
- Weak Cryptography: Weak algorithms (DES, 3DES, RC4, MD5, SHA-1), static IVs, ECB mode, hardcoded encryption keys, custom crypto implementations.
- Insecure Communications: Missing or bypassed certificate validation (e.g., trustAllCerts, always-true hostname verifier), use of HTTP for sensitive endpoints.
```
/* Insecure: always-true hostname verifier in Java */
HostnameVerifier allHostsValid = (hostname, session) -> true; // NEVER do this
```
- Input Validation Bugs: Buffer overflows (strcpy, sprintf without bounds), format string bugs, SQL injection in local DB queries (SQLite), command injection via shell_exec / Process.Start.
```
// Buffer overflow: no size check
char buffer[64];
strcpy(buffer, user_input);

// SQLite injection: unsanitized user input
sprintf(sql, "SELECT * FROM users WHERE name='%s'", user_input);
```
- Authentication Bypass Flags: Look for boolean flags like IsAuthenticated, IsAdmin, IsLicensed, BypassAuth, or hardcoded debug-mode switches.
- Electron-specific: Check for nodeIntegration: true, contextIsolation: false, allowRunningInsecureContent: true, missing sandbox flags, and vulnerable BrowserWindow configurations.
- Anti-Analysis: Note IsDebuggerPresent, anti-tampering checksums, license checks — these will need to be bypassed in dynamic analysis.
- Tools: dnSpy, ILSpy, dotPeek, Ghidra, IDA Pro, Jadx, Semgrep, Visual Code Grepper, grep / rg / findstr.

Phase 3: Dynamic Analysis (DAST) 🏃

Dynamic analysis means attacking the running application. This is where thick client pentesting gets truly unique: you can attach a debugger, patch memory at runtime, hook API calls, inject DLLs, and manipulate the GUI to reveal hidden functionality. The local execution model means there's no server-side safety net to catch your attacks.

GUI Testing:
GUI manipulation is a critical and often overlooked thick client attack surface. Disabled buttons, hidden fields, and masked inputs can all reveal security controls that exist only at the UI layer.
- Use WinSpy++ or Accessibility Insights to inspect all UI controls, including hidden and disabled elements.
- Attempt to enable disabled UI elements (buttons, menu items, form fields) that may control privileged operations. Disabled controls are a UI-only restriction, not a security control.
- Attempt to reveal hidden form objects (invisible text fields, hidden panels) that may contain sensitive data or bypass paths.
- Unmask password fields: Use WinSpy++ to change PasswordChar to 0 / null, or read the password text directly from the control's window handle.
```
# WinSpy++: right-click a password field → Properties → Style tab
# Change "Password" style bit to reveal plaintext
# Or use Spy++ (VS) / Accessibility Insights to read control content directly
```
- Test for improper error handling: input garbage, special characters, null bytes, and very long strings into every field. Check if error messages leak stack traces, file paths, or DB schema info.
- Check weak input sanitization: test all fields for SQLi, command injection, path traversal, and format string bugs — especially fields that interact with local resources.
- Tools: WinSpy++, Spy++ (Visual Studio), Accessibility Insights, UI Automation tools.
Process & File System Monitoring:
- Monitor process creation and termination. Look for unexpected child processes, privilege escalation attempts, or calls to cmd.exe / powershell.exe.
- Track file system reads/writes and registry changes during normal use and during all key workflows (login, license check, data export, update).
```
# Procmon filter for app-specific file and registry writes
# Process Name: <app_name>.exe
# Operation: WriteFile OR RegSetValue
# Result: SUCCESS
```
- Check permissions on application directories, data files, and log files — world-writable paths in C:\Program Files\ can enable DLL planting or log injection.
```
# Windows: check effective permissions
icacls "C:\Program Files\YourApp"
accesschk -wvu "Everyone" "C:\Program Files\YourApp"

# Linux: check permissions
ls -la /opt/YourApp
```
- Check log files for sensitive data leakage (plaintext passwords, session tokens, PII, stack traces in production builds).
- Tools: Procmon, Process Explorer, TCPView, AccessChk, icacls, ls.
Registry Analysis:
- Use Regshot to take before/after snapshots of the registry at key points (install, login, data save) and diff for sensitive entries written.
- Inspect app registry keys for stored credentials, API keys, license keys, session tokens, or configuration values that alter security behavior.
- Check registry key permissions — world-readable keys containing credentials or world-writable keys that control app behavior are direct findings.
```
# Check registry key ACLs
accesschk -kqsv "HKLM\Software\YourApp"

# Read a specific value
reg query "HKLM\Software\YourApp" /v DatabasePassword
```
- Tools: Regshot, Procmon (registry filter), Registry Editor (regedit), AccessChk.
Network Traffic Interception & Analysis:
- Intercept HTTP/S traffic via Burp Suite. For non-HTTP/S traffic (custom TCP, binary protocols), use Echo Mirage (WinSock hooking) or route through mitmproxy via ProxyCap/Proxifier.
- Analyze all traffic for unencrypted sensitive data, weak authentication tokens, or data that is merely encoded (e.g., Base64) rather than encrypted.
- Test SSL/TLS certificate validation: replace the server certificate with a self-signed one. If the app connects without error, certificate validation is broken.
```
# Wireshark filter for plain HTTP basic auth
http.authbasic

# Wireshark filter for a custom protocol port
tcp.port == 12345

# Force app traffic through Burp via ProxyCap: set SOCKS5 proxy to 127.0.0.1:8080
```
- Analyze TLS configuration of backend endpoints using testssl.sh or sslyze for weak ciphers and outdated protocol versions.
- Tools: Burp Suite, mitmproxy, Wireshark, Echo Mirage, ProxyCap/Proxifier, testssl.sh, sslyze.
Memory Analysis:
- Search process memory for sensitive data in plaintext (passwords, session tokens, PII, decrypted keys) after the application has loaded and the user has authenticated.
```
# Dump process memory with Process Hacker 2 / System Informer
# Right-click process → Properties → Memory → Save All

# Search a memory dump for strings
strings process_dump.dmp | grep -iE "password|token|secret"

# Use Volatility for forensic-style memory analysis
vol.py -f memory.raw --profile=Win10x64 procdump -p <PID> -D ./output/
```
- Check that sensitive data (passwords, private keys) is cleared from memory after use — use Process Hacker to inspect heap contents before and after logout.
- Tools: Process Hacker 2 / System Informer, HxD / 010 Editor, Cheat Engine, Volatility Framework, x64dbg.

API Hooking & Runtime Instrumentation:

Hook crypto functions (e.g., CryptEncrypt, BCryptEncrypt, CryptDeriveKey) to intercept plaintext data before encryption and keys in memory.

Hook authentication functions to understand the login flow and identify bypassable boolean checks (IsAuthenticated, IsLicensed).

// Frida: hook a .NET method to log arguments and force return value
// Example: bypass a license check returning false
const LicenseManager = Java.use("com.vendor.app.LicenseManager");
LicenseManager.isLicensed.implementation = function() {
    console.log("[*] isLicensed() called - forcing return true");
    return true;
};

// Hook Windows API: intercept data before encryption
const CryptEncrypt = Module.findExportByName("advapi32.dll", "CryptEncrypt");
Interceptor.attach(CryptEncrypt, {
    onEnter(args) {
        const len = args[5].readUInt();
        console.log("[CryptEncrypt] plaintext:", args[4].readByteArray(len));
    }
});

Consider DLL injection / sideloading to persistently hook the application or to test DLL hijacking vulnerabilities.
Tools: Frida, x64dbg / WinDbg (breakpoints), API Monitor, dnSpy (for .NET — set breakpoints directly in decompiled code and modify return values).

Inter-Process Communication (IPC) Testing:
- Connect to exposed Named Pipes and attempt to send unauthorized commands or fuzz the protocol.
```
# Python: connect to a Named Pipe and write a payload (Windows)
import win32file, win32pipe

handle = win32file.CreateFile(
    r"\\.\pipe\TargetAppPipe",
    win32file.GENERIC_READ | win32file.GENERIC_WRITE,
    0, None, win32file.OPEN_EXISTING, 0, None
)
win32pipe.SetNamedPipeHandleState(handle, win32pipe.PIPE_READMODE_MESSAGE, None, None)
win32file.WriteFile(handle, b'{"action":"adminCommand","user":"attacker"}')
result = win32file.ReadFile(handle, 4096)
print(result[1])
win32file.CloseHandle(handle)
```
- Enumerate COM/DCOM objects (OLE/COM Object Viewer), identify those with dangerous methods, and attempt to invoke them from a low-privilege context.
- Enumerate RPC endpoints using RPCView. Attempt to call exposed RPC methods with unauthorized inputs.
- Fuzz all IPC inputs with Boofuzz or custom scripts for crashes and unexpected behavior.
- Tools: PipeViewer, OLE/COM Object Viewer, RPCView, Boofuzz, custom Python/C# scripts.
Privilege Escalation & Local Exploit Checks:
- DLL Hijacking: Identify DLLs loaded from writable directories using Procmon (NAME NOT FOUND + CreateFile on DLL paths). Drop a malicious DLL to test code execution.
```
# Procmon filter for DLL hijacking opportunities
# Operation: CreateFile
# Path ends with: .dll
# Result: NAME NOT FOUND
# Then check if you have write access to that directory
```
- Unquoted Service Paths: Services with spaces in their path and no quotes allow attackers to plant executables in parent directories.
```
# Find unquoted service paths
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /iv "c:\windows\\" | findstr /iv """"

# Check service binary permissions
icacls "C:\Program Files\YourApp\service.exe"
sc qc "YourService"
```
- Weak Service Permissions: Check if standard users can modify the service binary path or stop/start services using accesschk.
- Insecure Update Mechanism: Check if the auto-updater downloads and executes updates over HTTP, or without verifying signatures — a classic LPE vector.
- Tools: Procmon, AccessChk, icacls, sc, wmic, PowerSploit / PowerUp.
Input Fuzzing:
- Fuzz all user-controllable inputs: text fields, file uploads, command-line arguments, config file values, protocol messages.
```
# Fuzz a command-line argument with a long string
./thickclient.exe --config "$(python3 -c "print('A'*5000)")"

# Use Boofuzz for structured protocol fuzzing
# See: https://github.com/jtpereyda/boofuzz
```
- Monitor for crashes using a debugger or WER (Windows Error Reporting). A crash is potential evidence of a memory corruption bug.
- Tools: Boofuzz, custom Python scripts, x64dbg (crash monitoring), WinDbg (automated crash triage).

Phase 4: Network & Backend API Analysis ☁️

Even if the local thick client logic is secure, the backend API it communicates with may be vulnerable to the full range of web and API attacks. This phase treats the thick client as an API client and applies standard web application testing methodology to all intercepted traffic.

Intercept & Analyze Traffic:
- Proxy all application network traffic. Identify protocols beyond HTTP/S (WebSockets, gRPC, custom binary protocols, WCF/SOAP).
- Analyze TLS configuration using testssl.sh or sslyze against all backend endpoints.
- Look for sensitive data in cleartext or in base64/custom encoding that is not true encryption.
```
# testssl.sh: comprehensive TLS check
./testssl.sh https://backend.thickclientapp.com

# Wireshark: filter for plaintext HTTP basic auth
http.authbasic
```
- Tools: Burp Suite, mitmproxy, Wireshark, testssl.sh, sslyze.
Analyze Backend API Endpoints (Apply OWASP API Security Top 10):
- AuthN/AuthZ: Test brute-force protection, session management, token expiry, BOLA/IDOR (change object IDs), BFLA (call admin-only functions as a regular user).
- Input Validation: Test SQLi, NoSQLi, Command Injection, XXE, SSRF, XSS on all backend API inputs.
```
# IDOR/BOLA: change the resource ID in the intercepted request
GET /api/v1/users/123/report HTTP/1.1
Host: api.thickclientapp.com
Authorization: Bearer <token_for_user_123>

# XXE via intercepted XML request
POST /api/v1/import HTTP/1.1
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data>&xxe;</data>
```
- Business Logic: Test discounts, quotas, multi-step workflows, and approval chains for logic bypasses. These are unique to each application and often invisible to automated scanners.
- Other Checks: Insecure Deserialization, Information Disclosure (verbose error messages, stack traces), Rate Limiting, Mass Assignment (sending extra JSON fields to modify server-side attributes).
- Tools: Burp Suite (Repeater, Intruder, Scanner), mitmproxy, Postman, curl, sqlmap, SecLists.

Phase 5: Reporting 📝

A great pentest is only as valuable as its report. For thick client engagements, make sure findings clearly explain the local execution context — reviewers unfamiliar with thick client testing may not immediately grasp why a disabled UI button or a world-writable DLL directory is a critical finding.

Document Findings:
Provide Actionable Remediation Recommendations: Suggest specific, developer-friendly fixes — not just "enable ASLR" but how to enable it for that specific build system.
Structure Report: Executive Summary, Methodology, Findings (sorted by severity), Conclusion, Appendices (tools used, full scope, evidence).
Communicate Results: Present findings to stakeholders (developers, product owners, management), prioritize fixes, and offer to verify remediation in a follow-up review.

📚 Resources

Conclusion

Thick client application penetration testing is one of the most comprehensive and technically deep forms of application security assessment. The local execution model exposes an attack surface that web app testing simply cannot reach — from binary protections and DLL hijacking to memory forensics and IPC abuse. Use this checklist as a living document, adapt it to the specific architecture and technology of each engagement, and stay current with the OWASP TASVS standard as it continues to evolve.