Thick Client Penetration Testing
CREST-accredited thick client penetration testing for desktop applications, covering local storage, communication, authentication, cryptography, and reverse engineering risks.
Thick client applications (desktop trading platforms, banking workstations, healthcare records systems, industrial control software) remain the backbone of many regulated environments. They are also poorly understood from a security standpoint, often relying on assumptions that no longer hold: that the user is trusted, that the network is internal, and that the binary cannot be inspected.
Thick client testing combines static analysis of the binary, dynamic analysis of the running application, and inspection of the communication protocols it uses to talk to backend services. Common environments include .NET (WPF / WinForms), Java (Swing / JavaFX), Electron, native Windows / macOS / Linux applications, and Citrix-published desktops.
Most thick client engagements end up surfacing two distinct categories of risk: local-machine weaknesses (data at rest, credential storage, escalation paths) and protocol-level weaknesses in how the application talks to its server (authentication, authorisation, replay protection).
What's at stake.
Server-side assumptions get tested differently here
Thick clients ship logic to the user's machine. Anything assumed to be "trusted client behaviour" can be modified by an attacker who can run their own debugger.
Legacy protocols often persist
Thick client backends often run on older protocols (custom TCP, deprecated SOAP, raw socket frames) whose security characteristics have never been formally reviewed.
What we test.
Application controls
- Local storage weaknesses
- Authentication flaws
- Improper cryptography
- Improper authorisation (server-side checks bypassable from client)
- Sensitive data exposure in memory or disk
Runtime, protocol & build
- Communication protocol weaknesses
- Insecure communication
- Security misconfiguration
- Known vulnerable components
- Reverse engineering exposure
- Insufficient logging
- Update / auto-update integrity
The flaws engagements like this consistently surface.
Drawn from common categories our consultants surface across engagements of this type. Severity and prevalence vary by environment and maturity.
Trusted client logic
Authorisation enforced only on the client; price or permission checks done in the GUI but not on the server; admin features hidden by UI but reachable by direct protocol message.
Credentials and tokens at rest
Cached credentials in local files unprotected, tokens in registry, embedded credentials in the binary for legacy service accounts.
Protocol weaknesses
Custom protocols without integrity protection, replay-tolerant authentication, deprecated TLS still accepted on management channels.
Update channel risk
Auto-update over HTTP without signature verification, update server reachable without authentication, and downgrade attacks made possible by clients that accept any signed version.
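The control that closes this class of finding is a client that only applies updates whose manifest is signed by a pinned key, whose version is strictly newer than what is installed, and whose payload digest matches the manifest. The example below is an added illustration written for this page, not code from any client or vendor; the manifest layout, field names and `VerifyManifest` / `PayloadMatches` functions are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed update descriptor; the field names are assumptions.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update payload
}

// VerifyManifest accepts a manifest only if its Ed25519 signature checks against the
// key pinned in the client and its version is strictly newer than the installed one,
// which blocks downgrades and replays of older signed manifests.
func VerifyManifest(pinned ed25519.PublicKey, raw, sig []byte, installed int) (*Manifest, error) {
	if !ed25519.Verify(pinned, raw, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if m.Version <= installed {
		return nil, fmt.Errorf("version %d is not newer than installed %d", m.Version, installed)
	}
	return &m, nil
}

// PayloadMatches binds the downloaded bytes to the signed manifest, so the transport
// cannot substitute a different binary even when the download itself is plain HTTP.
func PayloadMatches(m *Manifest, payload []byte) bool {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:]) == m.SHA256
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // shipped client holds only pub
	payload := []byte("constructed update payload")
	sum := sha256.Sum256(payload)
	raw, _ := json.Marshal(Manifest{Version: 42, SHA256: hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, raw)
	m, err := VerifyManifest(pub, raw, sig, 41)
	fmt.Println(err == nil && PayloadMatches(m, payload)) // true
}
```

Apply an update only when both checks pass; a manifest that re-offers the installed version, or any older one, is rejected even though its signature is valid.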
A structured, intelligence-led path through every engagement.
Every engagement follows the same disciplined path through the Velocity platform, so quality, traceability, and reporting are consistent across teams.
Scoping
Define assets, environments, Rules of Engagement, and acceptance criteria with the technical and security stakeholders.
Execution
Manual and tool-assisted testing by CREST-accredited consultants, with evidence captured at each step.
Validation
Every finding is reproduced, risk-rated under CVSS, and confirmed by a second consultant before reporting.
Reporting
Cryptographically signed reports with test-case traceability, severity ratings, reproduction steps, and remediation guidance.
Debrief & Retest
Stakeholder walk-through of findings, prioritisation support, and a retest cycle on remediated issues.
Mapped to recognised baselines.
Common buyer questions.
Do you need source code?
Helpful but not required. Thick client engagements commonly proceed from the binary alone, using disassembly, debugging, and protocol analysis. Source access accelerates findings in the static-code categories.
Will you test the backend service too?
Usually yes: the value of testing the client without testing what it talks to is limited. Combined engagements are standard.
Test Your Defences Against Adversarial Expertise
Talk to a CREST-accredited consultant about your next penetration testing engagement.