Thick Client Application Security Assessment
Sanjay Kumar, Information Security, [email protected], NULL DELHI meet on 25th May 2013
Agenda
• Thick client application introduction
• Difference between Thick & Thin client
• Vulnerabilities applicable to Thick Client
• Approach to follow
• Useful tools
Introduction
A thick client, also known as a fat client, is a client in a client–server architecture or network that typically provides rich functionality independent of the server.
In these applications the bulk of the processing is done on the client side, with only a periodic connection to the server.
Architecture
Fig 1: Two Tier application
Fig 2: Three Tier application
Examples of Thick Client application
• Gtalk
• ERP (Enterprise Resource Planning Software)
• Tally
• Skype
Difference between Thick & Thin Client application
Thick Client:
– Installed on the local computer (client side)
– Uses the computer's resources
– Periodically syncs with the server remotely
– Uses multiple ports & protocols (SMTP, TCP, HTTP/HTTPS)
Thin Client:
– Web application accessed from the internet through a browser
– Complete processing on the server side
– Uses the HTTP/HTTPS protocol
– Most common ports 80, 443, 8080
– Example: google.com or yahoo.com
Vulnerabilities applicable to Thick Client application

 #   Vulnerability                       Thin Client      Thick Client
 1   Improper Error Handling             Applicable       Applicable
 2   SQL Injection                       Applicable       Applicable
 3   Cross Site Scripting                Applicable       Not Applicable
 4   Click Jacking attacks               Applicable       Not Applicable
 5   Insecure Configuration Management   Applicable       Applicable
 6   Insecure Storage                    Applicable       Applicable
 7   Buffer Overflows                    Applicable       Applicable
 8   Reverse Engineering                 Not Applicable   Applicable
 9   Broken access control               Applicable       Applicable
 10  Session management                  Applicable       Applicable
Approach to follow
• Intercept, analyze and modify request traffic
• Behavioral approach like malware analysis
• Reverse Engineering (not a part of this presentation)
Intercept, analyze and modify request traffic
• Easiest approach
• Redirect client traffic to a local proxy
• Useful tools: Burp, Webscarab, Echo Mirage, Interactive TCP Relay, JavaSnoop, WireShark, Fiddler
Example: EchoMirage
Example: ITR
Behavioral approach
• Download Sysinternals tools (http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx)
• Process Explorer
• TCP View
• ProcMon
• Autoruns
• Regshot
• Wireshark (not part of the Sysinternals tools)
Process Explorer
TCP View
Registry editor
Sensitive Information stored
Complete DB fetched
Error Message
Useful Recommendations
• Use a three tier architecture instead of a two tier application
• Encrypt traffic using a strong algorithm
• Validate user inputs for length, special characters & code
• Maintain an adequate audit trail
• Do not store sensitive information like user passwords in computer memory, files, registry or database in clear text format
• The default database port should not be used
• Strong password policy
• Session IDs used should be random and unbreakable
• The application should handle errors without disclosing critical system information
• Implement proper file permissions on application resources
• Basic hygiene & system hardening
• Proper patch management
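The behavioral approach above (Regshot-style before/after snapshots of what the client writes) and the "Sensitive Information stored" finding can be reproduced for files in a few lines. This is an added example, not code from the presentation: it takes a snapshot of the application's directory before and after a simulated first run, diffs the two, and scans the new or changed files for clear-text credentials. The directory layout, file names and values are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Credential-looking patterns a thick client commonly leaves in config or cache files
SECRET_RE = re.compile(r'(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+')


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256, like Regshot's 1st/2nd shot."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob('*') if p.is_file()}


def diff_snapshots(before, after):
    """Return which files the client added, removed or rewrote between the two shots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def find_cleartext_secrets(root, rel_paths):
    """Scan the given files line by line; each hit is (file, line number, line)."""
    findings = []
    for rel in rel_paths:
        text = (Path(root) / rel).read_text(errors='replace')
        for lineno, line in enumerate(text.splitlines(), 1):
            if SECRET_RE.search(line):
                findings.append((rel, lineno, line.strip()))
    return findings


def demo():
    """Constructed scenario: shot 1, simulated client run that drops files, shot 2, diff, scan."""
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root) / 'app.exe.config'
        cfg.write_text('<add key="Timeout" value="30"/>\n')
        before = snapshot(root)
        # Simulated side effects of a first login (constructed values, not real data)
        cfg.write_text('<add key="Timeout" value="30"/>\n'
                       '<add key="Db" value="Server=db;User=sa;Password=Winter2013"/>\n')
        (Path(root) / 'cache.dat').write_text('user=alice\npassword=Secret123\n')
        after = snapshot(root)
        delta = diff_snapshots(before, after)
        return delta, find_cleartext_secrets(root, delta['added'] + delta['changed'])
```

On a real assessment the same diff is run against the registry and the user profile as well, and every hit is evidence for the "do not store sensitive information in clear text" recommendation.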
Thank You