thick client application security assessment

Post on 05-Dec-2014


DESCRIPTION

Introduction; difference between thin and thick client; approach to security testing; vulnerabilities applicable to thick clients; general recommendations.

TRANSCRIPT

Thick Client Application Security Assessment

Sanjay Kumar
Information Security Specialist
sanjay1519841@gmail.com
Presented at the NULL Delhi meet on 25th May 2013

Agenda

• Thick client application introduction

• Difference between Thick & Thin client

• Vulnerabilities applicable to Thick Client

• Approach to follow

• Useful tools

Introduction

A thick client, also known as a fat client, is a client in a client–server architecture or network that typically provides rich functionality independent of the server.

In these applications most of the processing is done on the client side, with only a periodic connection to the server (for example to fetch or sync data, or to query a database directly in a two-tier design).

Architecture

Fig 1: Two Tier application

Fig 2: Three Tier application

Examples of Thick Client application

• Gtalk

• ERP (Enterprise Resource Planning software)

• Tally

• Skype

Difference between Thick & Thin Client application

Thick Client:
– Installed on the local computer (client side)
– Uses the client computer's resources
– Periodically syncs with the server remotely
– Uses multiple ports and protocols (SMTP, raw TCP, HTTP/HTTPS)

Thin Client:
– Web application accessed over the internet through a browser
– Complete processing on the server side
– Uses the HTTP/HTTPS protocol
– Most common ports: 80, 443, 8080
– Example: google.com or yahoo.com

Vulnerabilities applicable to Thick Client application

#    Vulnerability                        Thin Client      Thick Client
1    Improper Error Handling              Applicable       Applicable
2    SQL Injection                        Applicable       Applicable
3    Cross Site Scripting                 Applicable       Not Applicable
4    Click Jacking attacks                Applicable       Not Applicable
5    Insecure Configuration Management    Applicable       Applicable
6    Insecure Storage                     Applicable       Applicable
7    Buffer Overflows                     Applicable       Applicable
8    Reverse Engineering                  Not Applicable   Applicable
9    Broken access control                Applicable       Applicable
10   Session management                   Applicable       Applicable

Note: rows 3 and 4 assume a native UI; a thick client that renders HTML in an embedded browser control can be exposed to both. Row 8 reflects that a thin client's server-side code is not available to the tester, whereas a thick client's binaries are installed on the client machine and can be decompiled or debugged.

Approach to follow

• Intercept, analyze and modify request traffic

• Behavioral approach, like malware analysis

• Reverse engineering (not a part of this presentation)

Intercept, analyze and modify request traffic

• Easiest approach
• Redirect client traffic to a local proxy
• Useful tools: Burp, WebScarab, Echo Mirage, Interactive TCP Relay, JavaSnoop, Wireshark, Fiddler

Example: EchoMirage

Example: ITR
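The relay approach above, as an added example that is not part of the presentation: a small Python TCP interception relay in the spirit of Echo Mirage / Interactive TCP Relay. The thick client is pointed at the relay (by editing whatever config file, registry key or hosts entry holds the server address) and the relay is pointed at the real server; every chunk is logged and passed through a hook that may rewrite it before forwarding. The backend protocol (one `key=value;...` line in, `ROLE=<role>` out, trusting the client-supplied user field) is constructed for the demo and is an assumption, not any real product's protocol.

```python
"""Added example: interception relay for a thick client's TCP session.

Not the slide author's code.  The backend and its line protocol below are
constructed for the demo; real tools (Echo Mirage, ITR) let you do the
rewrite interactively instead of through a hook function."""
import socket
import threading


def _pump(src, dst, label, hook, log):
    """Copy bytes src -> dst until EOF; log the original, forward the rewritten."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        log.append((label, data))
        dst.sendall(hook(data) if hook else data)
    try:
        dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
    except OSError:
        pass


class Relay:
    """Listens on an ephemeral localhost port and relays to `target`."""

    def __init__(self, target, req_hook=None, resp_hook=None):
        self.target, self.req_hook, self.resp_hook = target, req_hook, resp_hook
        self.log = []  # (direction, raw bytes) exactly as seen on the wire
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.addr = self.sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            client, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        upstream = socket.create_connection(self.target)
        back = threading.Thread(
            target=_pump,
            args=(upstream, client, "server->client", self.resp_hook, self.log),
            daemon=True)
        back.start()
        _pump(client, upstream, "client->server", self.req_hook, self.log)
        back.join()
        upstream.close()
        client.close()


def fake_backend():
    """Constructed stand-in for the real server: reads one 'k=v;k=v\\n' line,
    answers 'ROLE=<role>\\n' and trusts the user field the client sent."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            buf = b""
            while b"\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            fields = dict(kv.split(b"=", 1) for kv in buf.strip().split(b";") if b"=" in kv)
            role = b"admin" if fields.get(b"user") == b"admin" else b"guest"
            conn.sendall(b"ROLE=" + role + b"\n")
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo():
    """Client logs in as guest; the relay rewrites the request in flight."""
    relay = Relay(fake_backend(),
                  req_hook=lambda d: d.replace(b"user=guest", b"user=admin"))
    c = socket.create_connection(relay.addr)
    c.sendall(b"user=guest;pass=guest\n")
    c.shutdown(socket.SHUT_WR)
    reply = b""
    while True:
        chunk = c.recv(4096)
        if not chunk:
            break
        reply += chunk
    c.close()
    return reply.decode(), list(relay.log)


if __name__ == "__main__":
    reply, log = demo()
    for direction, raw in log:
        print(direction, raw)
    print("client received:", reply)
```

The same relay with an empty hook is the "analyze" step: a log of the raw bytes shows whether credentials, session tokens or whole result sets travel in clear text, which is the finding behind the "complete DB fetched" screenshot later in the deck.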

Behavioral approach

• Download the Sysinternals tools (http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx)
• Process Explorer
• TCPView
• ProcMon (Process Monitor)
• Autoruns
• Regshot and Wireshark (not part of the Sysinternals tools)

Screenshots shown in the presentation:
• Process Explorer
• TCPView
• Registry Editor
• Sensitive information stored
• Complete DB fetched
• Error message
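The behavioral approach and the "sensitive information stored" finding above, as an added example that is not part of the presentation: a Regshot-style before/after snapshot in Python, applied here to the application's files rather than the registry, followed by a scan of whatever changed for clear-text credentials. The directory layout, file contents and secret patterns are constructed for the demo; on Windows the same before/after diff is what Regshot does for registry keys.

```python
"""Added example: before/after snapshot of an application's files, then a
clear-text secret scan over the files the application created or changed.
Not the slide author's code; sample files and patterns are constructed."""
import hashlib
import os
import re
import shutil
import tempfile

# Constructed patterns for the demo; extend with the product's own key names.
SECRET_PATTERNS = [re.compile(p, re.I) for p in (
    rb"pass(?:word|wd)?\s*[=:]\s*\S+",
    rb"connection\s*string\s*[=:]\s*\S+",
    rb"api[_-]?key\s*[=:]\s*\S+",
)]


def snapshot(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before, after):
    """Regshot-style report: what the application added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def find_cleartext_secrets(root, rel_paths):
    """Grep only the touched files for credential-looking strings."""
    hits = []
    for rel in rel_paths:
        with open(os.path.join(root, *rel.split("/")), "rb") as fh:
            content = fh.read()
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(content):
                hits.append((rel, m.group(0).decode(errors="replace")))
    return hits


def demo():
    """Constructed scenario: first login makes the client persist the password."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "config"))
        with open(os.path.join(root, "config", "app.ini"), "w") as fh:
            fh.write("[server]\nhost=erp.example.internal\n")
        before = snapshot(root)           # taken before exercising the app

        # ... user logs in; the application writes these (simulated here) ...
        with open(os.path.join(root, "config", "app.ini"), "a") as fh:
            fh.write("[auth]\nusername=jsmith\npassword=Winter2013!\n")
        with open(os.path.join(root, "cache.bin"), "wb") as fh:
            fh.write(b"\x00\x01binary blob\x00")

        after = snapshot(root)            # taken after exercising the app
        changes = diff_snapshots(before, after)
        hits = find_cleartext_secrets(root, changes["added"] + changes["modified"])
        return changes, hits
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    changes, hits = demo()
    print(changes)
    for path, secret in hits:
        print("clear-text secret in", path, "->", secret)
```

Taking the snapshot of the whole profile (AppData, the install directory, %TEMP%) rather than one directory is what makes this useful in practice; Process Monitor's file and registry write events give the same list of touched locations without needing the "before" state.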

Useful Recommendations

• Use a three-tier architecture instead of a two-tier application (the client should never talk to the database directly)
• Encrypt traffic using a strong algorithm
• Validate user inputs for length, special characters and code
• Maintain an adequate audit trail
• Do not store sensitive information such as user passwords in computer memory, files, the registry or the database in clear text
• Do not use the default database port (a minor obstacle at best; the three-tier point above is the real fix)
• Strong password policy
• Session IDs should be random and unpredictable
• The application should handle errors without disclosing critical system information
• Implement proper file permissions on application resources
• Basic hygiene and system hardening
• Proper patch management

Thank You
