
Author talks introduce his approach to thick client penetration testing, offering post-course google meet sessions and practical guidance to test and analyze thick client applications.
Learn aggressive thick client penetration testing across desktop apps on Windows, Mac, and Linux, covering server, client, and network attacks with OWASP top ten and API top ten guidance.
Outline the prerequisites for offensive thick client penetration testing, requiring Hunter 2.0 and API penetration testing, plus familiarity with OWASP top ten and OWASP API top ten.
Explore why thick client penetration testing matters: thick client apps attract attackers, span many industries, require manual, planned testing of client and server sides with custom tools and proprietary protocols.
Set up a lab for thick client penetration testing, using a vulnerable dotnet lab, VirtualBox, Visual Studio, and app.config with sql and ftp server settings.
Set up a thick client three-tier lab by configuring the base API server, building with docker and docker compose, and wiring the ubuntu servers with host mappings for login testing.
Set up a two-tier architecture lab using the beta bank vulnerable thick client; configure files, build the solution, run docker compose to start the database server, and create an account.
Explore the most common thick client architectures, including two-tier client–server models with local or remote databases, and three-tier designs with application servers and APIs over HTTP/HTTPS.
This lecture contrasts thick client desktop applications that sync with servers via multiple ports and protocols with thin web clients that run on the server and use http or https.
Explore how the OWASP top ten applies to thick client pentesting, including injection and XML data exposure, while noting limited applicability of cross-site scripting and clickjacking.
Develop a structured thick client pen-testing plan starting with GUI review, then files and folders, registry, memory, network traffic, and configuration review, before using Burp Suite and OWASP guidance.
Examine thick client gui attack surfaces by testing object permissions, hidden form objects, disabled functionality, unmasked passwords, and gui logic, including sql queries and external program execution.
Examine thick client attack surfaces by assessing file and folder permissions, continuity, and content; test for manipulation, code signing integrity, backdoors, DLL preloading, and sensitive data exposure in configurations.
Analyze binary files in thick client apps through static and dynamic analysis, reverse engineering, and deobfuscation; identify exported methods, bypass authentication, and patch assemblies.
Investigate registry attack surfaces by testing read and write permissions on registry keys, inspecting registry contents written after login for sensitive data, and manipulating registry to bypass authentication and authorization.
Explore network attack surfaces in thick client applications, covering two- and three-tier architectures, firewall evasion, sensitive data in transit, and manipulation of network traffic through sql queries and dns spoofing.
Explore memory attack surfaces in thick client applications, including process controls, memory content, and runtime manipulation, focusing on privilege escalation, insecure storage, and debugging.
Examine thick client application configurations and attack surfaces, including user and service privileges, service registrations, database access, remote share permissions, and disk configuration analysis for pentesting.
Analyze information gathering in thick client pen testing by mapping architectures (two-tier and three-tier), identifying technologies and reverse engineering approaches, observing application functionalities and entry points, and mapping attack surfaces.
Identify the languages and frameworks behind a thick client using explorer suite, cff explorer, and detect it easy to determine a dot net assembly built with Microsoft Visual Studio.
Identify application network communications with TCP view and Wireshark to reveal destination IPs, ports, and clear text sql queries between thick clients and databases.
Learn to use procmon to hunt application processes, monitor creation and registry writes, and assess how login credentials may be stored or modified in a thick client.
Discover thick client GUI hunting by identifying GUI elements and vulnerabilities in windows forms and Java applets, using UI Spy, WinSpy Plus+, Windows Detective, Snoop WPF, and Win Cheat.
Explore how thick client applications reveal hidden data through remember me vulnerabilities and manipulated user interface elements, using tools like Win Spy and Windows Detective to retrieve passwords.
Explore how hidden UI elements and client-side visibility controls can enable privilege escalation in a thick client app, revealing admin features and bypassing authorization when server-side checks are absent.
this lecture demonstrates payment manipulation through ui abuse by manipulating on-screen prices and grid data. it shows tester accounts and client-side flaws that enable unauthorized payments.
Examine how hidden admin UI exposure lets a client reveal admin features and sensitive data by bypassing authorization and input validation, demonstrated with a beta bank application.
Explore licensing abuse in thick client applications by manipulating timestamps to extend licenses, analyzing client-side time changes versus server-side controls.
Analyze how applications write to the registry and file system after login to uncover sensitive data such as credentials and database connection strings, and identify insecure storage or plaintext practices.
Explore how sensitive information can reside in files and the registry on a thick client, demonstrated with procmon filters, registry keys, and unencrypted credentials and payment data.
Examine how a thick client app leaks sensitive data through registry and files, enabling unauthenticated SQL queries and client-side manipulation of login details, profiles, and passwords.
Explore how application log file analysis reveals sensitive data like database credentials, passwords, and FTP details by inspecting runtime logs, highlighting risks in production environments.
Analyze application config files to reveal database credentials, base64 passwords, api endpoints, and other sensitive information; understand how this facilitates exploitation in three-tier architectures.
Expose insecure config file analysis leads to discovering database credentials, enabling login via SQL Server authentication; decode Base64 passwords to access the database server.
Perform memory analysis on two-tier applications to uncover sensitive information such as usernames, passwords, and database connection strings stored in memory, using Process Hacker to search for strings.
Analyze memory handling to uncover sensitive information exposed in memory, using dumps, hex editors, and strings tools. Learn to search for usernames and passwords and report issues.
Modify data in an application's main memory using a hex editor to alter in-memory sql queries and user data, then save changes to test the expenses view for vulnerability.
Explore how dynamic link libraries load and how attackers hijack dlls by placing malicious files in common search paths, exploiting writable directories and privilege elevation techniques.
Identify and analyze dlls that an application searches or loads using Procmon, filtering for .dll paths to document missing dlls and understand load behavior across system directories.
Demonstrates dll hijacking by using Procmon to locate a missing prof api dll in the release directory, crafting a malicious prof api dll with MSF venom to launch calc.exe.
Demonstrates how offensive thick client penetration testing uses application dll hijacking to gain a meterpreter shell, including payload generation and post-exploitation enumeration.
Explore how thick client apps communicate with servers across two- and three-tier architectures, and analyze network traffic with Wireshark and other packet sniffers to reveal sensitive information.
demonstrates clear text password submission with tcp view and wireshark, reveals credentials in sql batch queries, and highlights TLS encrypted application data during client–server login.
Capture plain text ftp credentials during ftp backup to a server, revealing an admin login and a password observed in Wireshark.
Explore network analysis of three-tier applications by capturing and inspecting HTTP traffic with Wireshark and TCP View, tracing API calls for user management, login, and cart actions.
Thick client applications are often overlooked in mainstream security training, yet they power some of the most critical systems in finance, healthcare, government, and enterprise networks. These applications interact directly with backend servers, often using proprietary protocols, legacy authentication methods, and unprotected local storage—making them a goldmine for attackers who know how to exploit them.
Offensive Thick Client Penetration Testing is designed to bridge that gap.
In this hands-on course, you'll learn how to identify, analyze, and exploit security flaws in thick client applications through a structured offensive approach. You'll intercept and manipulate traffic between the client and the server, reverse engineer binaries, bypass authentication, exploit insecure storage, and inject malicious code to take control of application logic.
We’ll cover key attack vectors like DLL injection, insecure serialization, custom protocol fuzzing, local privilege escalation, and business logic manipulation. You’ll work with real-world tools such as Burp Suite, Wireshark, Ghidra, dnSpy, Procmon, and more.
Whether you're a red teamer, bug bounty hunter, or security researcher, this course will help you master a critical but underexplored area of application security.
If you’re ready to level up and go beyond web and API exploitation, this course is your next step in becoming a complete offensive security expert.