Friday, October 12, 2007

Thick Client Application Security

This article discusses the top vulnerabilities in a two tier thick client application.

A thick client is defined as an application client that processes data in addition to rendering it. An example of a thick client application would be a VB.NET or Java Swing application that communicates directly with a database.

I have generally observed that these types of applications have weak access controls, weak authentication management, information disclosure, and improper error handling that leads to application crashes.

It is interesting to note that most of the Open Web Application Security Project (OWASP) Top 10 vulnerabilities are as applicable to Thick Client applications as they are to web applications.

Let us map them for simplicity.

Sr | OWASP Top 10 (Web Apps)                   | Thick Client
---|-------------------------------------------|------------------------------------------
1  | Unvalidated Input                         | Unvalidated Input
2  | Broken Access Control                     | Broken Access Control
3  | Broken Authentication & Session Management | Weak Authentication & Session Management
4  | Cross-Site Scripting Flaws                | Not Applicable
5  | Buffer Overflows                          | Buffer Overflows
6  | Injection Flaws                           | Injection Flaws
7  | Improper Error Handling                   | Improper Error Handling
8  | Insecure Storage                          | Insecure Storage
9  | Denial of Service                         | Denial of Service
10 | Insecure Configuration Management         | Insecure Configuration Management
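To show why the Injection Flaws and Improper Error Handling rows carry over to a two-tier client, here is an added example (not code from the original post) that simulates a thick client's customer search against an in-memory SQLite database with constructed sample rows; the string-concatenation query sits beside its parameterized form, and a plain name containing an apostrophe is enough to break the first one.

```python
import sqlite3

# Constructed sample data standing in for the customer table a two-tier
# thick client would query directly over its own database connection.
SAMPLE_CUSTOMERS = [
    (1, "Alice Smith", "alice@example.com"),
    (2, "Brian O'Brien", "brian@example.com"),
]


def open_customer_db() -> sqlite3.Connection:
    """In-memory stand-in for the backend database of a two-tier client."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def search_customers_concat(conn, name_fragment: str) -> list:
    """Vulnerable pattern: the search-box text is pasted into the SQL string.
    Any quote in the input changes the query text, so a legitimate name such
    as O'Brien breaks the statement (an unhandled error in the client), and
    the same mechanism lets input rewrite what the query does."""
    sql = "SELECT id, name FROM customers WHERE name LIKE '%" + name_fragment + "%'"
    return conn.execute(sql).fetchall()


def search_customers_param(conn, name_fragment: str) -> list:
    """Hardened pattern: bind the input as a parameter so the driver treats it
    strictly as data, whatever characters it contains."""
    sql = "SELECT id, name FROM customers WHERE name LIKE ?"
    return conn.execute(sql, ("%" + name_fragment + "%",)).fetchall()


def search_outcome(search_fn, name_fragment: str) -> str:
    """Run a search the way the client would and report what the user sees:
    a row count, or the database error the client must catch rather than
    leak into a dialog box or crash on."""
    conn = open_customer_db()
    try:
        rows = search_fn(conn, name_fragment)
    except sqlite3.Error as exc:
        return f"db-error: {exc}"
    finally:
        conn.close()
    return f"rows: {len(rows)}"


if __name__ == "__main__":
    for fragment in ("Smith", "O'Brien"):
        print(repr(fragment), "concat ->", search_outcome(search_customers_concat, fragment))
        print(repr(fragment), "param  ->", search_outcome(search_customers_param, fragment))
```

The raw driver error text returned for the concatenated query is exactly what a thick client tends to surface in an error dialog, which is the information disclosure the article groups under improper error handling.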


4 comments:

  1. Hi Dharmesh,

    I am responsible for developing thick clients in my organization and was not aware of the kinds of flaws that exist in thick client apps.

    Thanks. This is good info.
    I will definitely share this with few other people.

  2. Hi,

    Your blog has good articles. I like reading them. Let me know how I can subscribe to RSS feeds to your blog.

  3. Hi,

    It was a nice session in Pune and I am surprised to find you on the internet having a blog.

    Great.

  4. Hi, I am new to performance testing. So far I have tested web-based applications only, and would like to do so for thick clients as well. Can you suggest tools for doing performance testing of thick clients? I have been using Silk Performer for the last 6 months for web-based applications.
