Thick-Client Security


A thick client (fat client) is a client in a client–server architecture. Thick clients are heavyweight applications that normally require installation on the user's computer (the client side). Because they execute in the local computer's memory, their security depends heavily on the security of that local machine.

They are fully functional applications whether or not they are connected to a network. To run a thick client securely, an organization's IT team must maintain robust security around the software deployment on the client side, in addition to maintaining the applications on the server side.

Our Methodology

We provide a complete security assessment for thick client applications. Keeping thick client applications secure is not an easy task: they also involve server-side processing, so they call for a different approach to ensure all security aspects are covered.

Our approach to thick client security assessments includes a review of the data communication paths, the server-side controls, and other client-related issues.

We attempt to bypass the authentication controls and evaluate the data communication functionality, memory, file structure, registry, and other components that could open the way for denial of service (DoS) attacks.

By reviewing these attack vectors, we can deliver a complete report on the security condition of an application.

Our Focus Areas

  • Network transmissions
  • Client-side injection, such as cross-site scripting and SQL injection
  • Failure to implement the authorization policy
  • Failure to protect key data and resources
  • Absence of data protection
  • Insecure client-side storage
  • Data storage, such as files, the Windows registry, databases, and the application's other executable files

What We Do

We assess the security threats to thick client applications. We use the following techniques to bypass client-side validation so that the security aspects can be evaluated correctly.

Man-in-the-Middle Attack

  • Intercept the client–server communication.
  • It does not require an understanding of the application code, and it is one of the fastest ways to security test the application.

Reverse Engineer

  • Identify the client–server communication code.
  • Disable the client-side validation.
  • It can be a time-consuming task, and the effort depends on the application's technology.

Simulating a New Client

  • Simulate the client–server communication and control the communication flow.
  • It requires familiarity with scripting languages. It also depends on the application at hand and is a time-consuming task as well.