Thick client application security assessment
DESCRIPTION
Introduction; Difference between Thin & Thick client; Approach of security testing; Vulnerabilities applicable to thick client; General recommendations
TRANSCRIPT
![Page 1: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/1.jpg)
Thick Client Application Security Assessment
Sanjay Kumar, Information Security [email protected]
Presented in NULL Delhi meet on 25th May 2013
![Page 2: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/2.jpg)
Agenda
• Thick client application introduction
• Difference between Thick & Thin client
• Vulnerabilities applicable to Thick Client
• Approach to follow
• Useful tools
![Page 3: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/3.jpg)
Introduction
A thick client, also known as a fat client, is a client in a client–server architecture or network that typically provides rich functionality independent of the server.
In these types of applications the major processing is done on the client side, with only a periodic connection to the server.
![Page 4: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/4.jpg)
Architecture
Fig 1: Two Tier application
Fig 2: Three Tier application
![Page 5: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/5.jpg)
Examples of Thick Client application
• Gtalk
• ERP (Enterprise Resource Planning Software)
• Tally
• Skype
![Page 6: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/6.jpg)
Difference between Thick & Thin Client application
Thick Client:
• Installed on local computer (client side)
• Uses computer resources
• Periodically syncs with the server remotely
• Uses multiple ports & protocols (SMTP, TCP, HTTP/HTTPS)
Thin Client:
• Web application accessed from the internet through a browser
• Complete processing on the server side
• Uses HTTP/HTTPS protocol
• Most common ports 80, 443, 8080
• Example: google.com or yahoo.com
![Page 7: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/7.jpg)
Vulnerabilities applicable to Thick Client application

| # | Vulnerability | Thin Client | Thick Client |
|---|---------------|-------------|--------------|
| 1 | Improper Error Handling | Applicable | Applicable |
| 2 | SQL Injection | Applicable | Applicable |
| 3 | Cross Site Scripting | Applicable | Not Applicable |
| 4 | Click Jacking attacks | Applicable | Not Applicable |
| 5 | Insecure Configuration Management | Applicable | Applicable |
| 6 | Insecure Storage | Applicable | Applicable |
| 7 | Buffer Overflows | Applicable | Applicable |
| 8 | Reverse Engineering | Not Applicable | Applicable |
| 9 | Broken access control | Applicable | Applicable |
| 10 | Session management | Applicable | Applicable |
![Page 8: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/8.jpg)
Approach to follow
• Intercept, analyze and modify request traffic
• Behavioral approach, like malware analysis
• Reverse Engineering (not a part of this presentation)
![Page 9: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/9.jpg)
Intercept, analyze and modify request traffic
• Easiest approach
• Redirect client traffic to a local proxy
• Useful tools: Burp, WebScarab, Echo Mirage, Interactive TCP Relay, JavaSnoop, Wireshark, Fiddler
![Page 10: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/10.jpg)
Example: EchoMirage
![Page 11: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/11.jpg)
![Page 12: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/12.jpg)
![Page 13: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/13.jpg)
Example: ITR (Interactive TCP Relay)
![Page 14: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/14.jpg)
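As an added example (not a tool from the presentation), a minimal logging TCP relay in the spirit of Interactive TCP Relay: the thick client's server setting is pointed at the relay port, and the relay forwards every byte to the real server while recording each chunk, which is what makes an unencrypted proprietary protocol reviewable during an assessment. The listen address, the `describe` log format and the `serve`/`relay_connection` names are assumptions.

```python
"""Minimal logging TCP relay in the spirit of Interactive TCP Relay (added
example, not a tool from the presentation; host, ports and log format are
assumptions). Point the thick client's server setting at the listen port and
every byte is forwarded to the real server and logged."""
import select
import socket
import threading


def describe(direction, data):
    """One log line per forwarded chunk; hex keeps binary protocols readable."""
    return f"{direction} {len(data)} bytes: {data[:32].hex()}"


def relay_connection(client, upstream, log):
    """Forward bytes both ways until both sides close; returns the log list.
    One select() loop serves both sockets; when one side sends EOF the write
    half towards its peer is shut down so the peer sees EOF too."""
    peers = {client: (upstream, "C->S"), upstream: (client, "S->C")}
    live = [client, upstream]
    while live:
        readable, _, _ = select.select(live, [], [])
        for src in readable:
            dst, direction = peers[src]
            data = src.recv(4096)
            if not data:
                live.remove(src)
                try:
                    dst.shutdown(socket.SHUT_WR)
                except OSError:
                    pass  # peer already closed
                continue
            log.append(describe(direction, data))
            dst.sendall(data)
    return log


def serve(listen_port, server_host, server_port):
    """Accept clients on 127.0.0.1:listen_port, one thread per session."""
    def handle(client, addr):
        with client, socket.create_connection((server_host, server_port)) as up:
            for line in relay_connection(client, up, []):
                print(f"[{addr[0]}:{addr[1]}] {line}")  # dumped at session end
    with socket.create_server(("127.0.0.1", listen_port)) as listener:
        while True:
            client, addr = listener.accept()
            threading.Thread(target=handle, args=(client, addr), daemon=True).start()
```

Run it as `serve(LISTEN_PORT, SERVER_HOST, SERVER_PORT)` and point the client at the listen port; the session log is printed when the connection ends.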
![Page 15: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/15.jpg)
Behavioral approach
• Download Sysinternals tools (http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx)
• Process Explorer
• TCPView
• ProcMon
• Autoruns
• Regshot
• Wireshark (not part of Sysinternals tools)
![Page 16: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/16.jpg)
Process Explorer
![Page 17: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/17.jpg)
TCP View
![Page 18: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/18.jpg)
Registry editor
![Page 19: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/19.jpg)
Sensitive Information stored
![Page 20: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/20.jpg)
Complete DB fetched
![Page 21: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/21.jpg)
Error Message
![Page 22: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/22.jpg)
Useful Recommendations
• Use three tier architecture instead of two tier application
• Encrypt traffic using a strong algorithm
• Validate user inputs for length, special characters & code
• Maintain an adequate audit trail
• Do not store sensitive information like user passwords in computer memory, files, registry or database in clear text format
![Page 23: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/23.jpg)
Useful Recommendations (continued)
• Default database port should not be used
• Strong password policy
• Session IDs used should be random and unbreakable
• Application should handle errors without disclosing critical system information
• Implement proper file permissions on application resources
• Basic hygiene & system hardening
• Proper patch management
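As an added example (not code from the presentation), a login lookup for a two-tier thick client that queries its database directly, written against an in-memory SQLite table with constructed rows: the concatenated query is the pattern behind the "Complete DB fetched" screenshot, the parameterised query beside it closes that hole, passwords are stored as salted PBKDF2 hashes instead of clear text, and the error path writes detail to the log for the audit trail while returning a generic message to the user. The table layout, the sample users and the function names are assumptions.

```python
"""Login lookup for a two-tier thick client that queries its database
directly (added example, not code from the presentation; the users table
and its rows are constructed for illustration)."""
import hashlib
import hmac
import logging
import os
import sqlite3


def hash_password(password, salt):
    """Salted PBKDF2 instead of clear text: a dumped table yields no passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db():
    """In-memory SQLite table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB, role TEXT)")
    for name, pw, role in [("alice", "Str0ng!pass", "admin"), ("bob", "hunter2", "user")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (name, salt, hash_password(pw, salt), role))
    return conn


def find_user_unsafe(conn, name):
    """Concatenated SQL: a name such as  x' OR '1'='1  turns a single-user
    lookup into a dump of the whole table (the 'Complete DB fetched' case)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the value travels separately from the SQL text."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def login(conn, name, password):
    """Returns (ok, message); the message never exposes internal detail."""
    try:
        row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                           (name,)).fetchone()
        if row and hmac.compare_digest(row[1], hash_password(password, row[0])):
            return True, "Welcome"
        return False, "Invalid username or password"
    except sqlite3.Error:
        logging.exception("login query failed")  # detail to the audit log only
        return False, "Login temporarily unavailable"
```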
![Page 24: Thick client application security assessment](https://reader036.vdocuments.site/reader036/viewer/2022081716/54846261b4af9faa0d8b4b58/html5/thumbnails/24.jpg)
Thank You