Three-tier architecture has a security advantage over two-tier architecture, because it prevents the end-user from communicating directly with the database server. The most common communication method in these applications may be carried out using HTTP/HTTPS. In three-tier architecture, the client communicates with an application server, which in turn talks to the database in a manner similar to a regular web application. For example, imagine an HR application that was installed on the client computer and, in order to retrieve the employees’ information, communicates directly with the HR database server. The application is installed on the client computer and, in order to work, will need to communicate with a database server. In two-tier architecture, the thick client application implements a client-to-server communication. In this section, we provide an overview of the common architectures that Thick Client application developers tend to use. Common Architectures of Thick Client applications Figure 1: A series of tests and the associated tools necessary to perform tasks related to thick client testing. The main focus areas have been derived from the OWASP Windows Binary Executable Files Security Checks Project. Thick client applications can be developed using various programming languages such as: Moreover, the methodology refers to relevant tools in each section that can be used during pentests engagements. We began researching pentesting thick client applications in order to eventually build an overarching methodology for pentesters which would serve as single source to reference for everything to with pentesting thick client applications, summarizing all the relevant and up-to-date knowledge on the subject. This blog post aims to provide a security check-list and a number of tools to refer to when assessing the security of Windows executable files to achieve better pentest results. For example, here is a couple of vulnerabilities found by security researchers: Unlike web applications or infrastructure pentests, thick client pentests have a more notable success rate because the client is available locally and, hence, critical vulnerabilities may be found during the engagements. Thick client testing can be exciting for pentesters because the attack surface of these applications can be significant. Moreover, the process often requires specialized tools and custom testing setup. Simple automated assessment scanning is not sufficient and testing thick client applications requires a lot of patience and a methodical approach. Thick client pentesting involves both local and server-side processing and often uses proprietary protocols for communication. Due to the adoption of hybrid infrastructure architecture, thick-client applications can become a better target for attackers. Thick client applications have been around for many years and can still be found within a variety of organizations – across industries and sizes. 3.2.3 Identifying Interesting Files Bundled with the Thick Client Application.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |