Thick client Applications Pentesting Checklist
Information gathering
**Information Gathering**
- [ ] Find out the application architecture (two-tier or three-tier)
- [ ] Find out the technologies used (languages and frameworks)
- [ ] Identify network communication
- [ ] Observe the application process
- [ ] Observe each functionality and behavior of the application
- [ ] Identify all the entry points
- [ ] Analyze the security mechanism (authorization and authentication)
**Tools Used**
- [ ] CFF Explorer
- [ ] Sysinternals Suite
- [ ] Wireshark
- [ ] PEid
- [ ] Detect It Easy (DIE)
- [ ] Strings
GUI testing
**Test For GUI Object Permission**
- [ ] Display hidden form object
- [ ] Try to activate disabled functionalities
- [ ] Try to uncover the masked password
**Test GUI Content**
- [ ] Look for sensitive information
**Test For GUI Logic**
- [ ] Try for access control and injection-based vulnerabilities
- [ ] Bypass controls by utilizing intended GUI functionality
- [ ] Check improper error handling
- [ ] Check weak input sanitization
- [ ] Try privilege escalation (unlocking admin features to normal users)
- [ ] Try payment manipulation
**Tools Used**
- [ ] UISpy
- [ ] Winspy++
- [ ] Window Detective
- [ ] Snoop WPF
File testing
**Test For Files Permission**
- [ ] Check permission for each and every file and folder
**Test For File Continuity**
- [ ] Check strong naming
- [ ] Authenticate code signing
**Test For File Content Debugging**
- [ ] Look for sensitive information on the file system (symbols, sensitive data, passwords, configurations)
- [ ] Look for sensitive information on the config file
- [ ] Look for Hardcoded encryption data
- [ ] Look for Clear text storage of sensitive data
- [ ] Look for side-channel data leakage
- [ ] Look for unreliable log
**Test For File And Content Manipulation**
- [ ] Try framework backdooring
- [ ] Try DLL preloading
- [ ] Perform Race condition check
- [ ] Test for Files and content replacement
- [ ] Test for Client-side protection bypass using reverse engineering
**Test For Function Exported**
- [ ] Try to find the exported functions
- [ ] Try to use the exported functions without authentication
**Test For Public Methods**
- [ ] Make a wrapper to gain access to public methods without authentication
**Test For Decompile And Application Rebuild**
- [ ] Try to recover the original source code, passwords, keys
- [ ] Try to decompile the application
- [ ] Try to rebuild the application
- [ ] Try to patch the application
**Test For Decryption And DE obfuscation**
- [ ] Try to recover original source code
- [ ] Try to retrieve passwords and keys
- [ ] Test for lack of obfuscation
**Test For Disassemble and Reassemble**
- [ ] Try to build a patched assembly
**Tools Used**
- [ ] Strings
- [ ] dnSpy
- [ ] Procmon
- [ ] Process Explorer
- [ ] Process Hacker
REGISTRY TESTING
**Test For Registry Permissions**
- [ ] Check read access to the registry keys
- [ ] Check to write access to the registry keys
**Test For Registry Contents**
- [ ] Inspect the registry contents
- [ ] Check for sensitive info stored on the registry
- [ ] Compare the registry before and after executing the application
**Test For Registry Manipulation**
- [ ] Try for registry manipulation
- [ ] Try to bypass authentication by registry manipulation
- [ ] Try to bypass authorization by registry manipulation
**Tools Used**
- [ ] Regshot
- [ ] Procmon
- [ ] Accessenum
NETWORK TESTING
**Test For Network**
- [ ] Check for sensitive data in transit
- [ ] Try to bypass firewall rules
- [ ] Try to manipulate network traffic
**Tools Used**
- [ ] Wireshark
- [ ] TCPview
ASSEMBLY TESTING
**Test For Assembly**
- [ ] Verify Address Space Layout Randomization (ASLR)
- [ ] Verify SafeSEH
- [ ] Verify Data Execution Prevention (DEP)
- [ ] Verify strong naming
- [ ] Verify ControlFlowGuard
- [ ] Verify HighentropyVA
**Tools Used**
- [ ] PESecurity
MEMORY TESTING
**Test For Memory Content**
- [ ] Check for sensitive data stored in memory
**Test For Memory Manipulation**
- [ ] Try for memory manipulation
- [ ] Try to bypass authentication by memory manipulation
- [ ] Try to bypass authorization by memory manipulation
**Test For Run Time Manipulation**
- [ ] Try to analyze the dump file
- [ ] Check for process replacement
- [ ] Check for modifying assembly in the memory
- [ ] Try to debug the application
- [ ] Try to identify dangerous functions
- [ ] Use breakpoints to test each and every functionality
**Tools Used**
- [ ] Process Hacker
- [ ] HxD
- [ ] Strings
TRAFFIC TESTING
**Test For Traffic**
- [ ] Analyze the flow of network traffic
- [ ] Try to find sensitive data in transit
**Tools Used**
- [ ] Echo Mirage
- [ ] MITM Relay
- [ ] Burp Suite
COMMON VULNERABILITIES TESTING
**Test For Common Vulnerabilities**
- [ ] Try to decompile the application
- [ ] Try for reverse engineering
- [ ] Try to test with OWASP WEB Top 10
- [ ] Try to test with OWASP API Top 10
- [ ] Test for DLL Hijacking
- [ ] Test for signature checks (Use Sigcheck)
- [ ] Test for binary analysis (Use Binscope)
- [ ] Test for business logic errors
- [ ] Test for TCP/UDP attacks
- [ ] Test with automated scanning tools (Use Visual Code Grepper - VCG)
Shaped by: Hariprasaanth R
Reach Me: LinkedIn Portfolio Github
Last update: 2023-09-27 Created: February 16, 2023 21:24:34