Sample finding: server trusts client-side role (CWE-602) - the role is tampered in the fat client and the backend authorizes it.
What is Thick Client Pentest?
Thick client penetration testing is a manual security assessment of desktop and native applications - software that runs locally and performs processing on the client rather than relying solely on a server. CyberXplore's senior testers reverse-engineer the binary, inspect how the app stores data on disk and in memory, intercept its network and IPC traffic, and attempt to bypass client-side controls such as licensing, authentication, and input validation. Because thick clients trust the machine they run on, our OSCP- and CRTP-certified specialists focus on the flaws automated scanners miss - insecure local storage, DLL hijacking, hardcoded secrets, and tampering of business logic - then deliver prioritized remediation with free retesting.
OWASP ASVS · OWASP Desktop App Security Top 10 · PTES · NIST SP 800-115
Why CyberXplore
Senior-only testers (OSCP, CRTP, CREST)
ISO 27001 & ISO 9001 certified
Free retest + attestation letter
Tailored scope and quote in 24 hours
Why it matters
Thick clients run trusted code directly on the user's machine, so any control enforced only on the client - licensing, authentication, or input validation - can be bypassed by an attacker who owns that endpoint.
Desktop apps routinely cache credentials, tokens, and sensitive business data in local files, the registry, or memory, where they are exposed to malware, insider threats, and stolen or shared devices.
Insecure DLL loading, weak installer permissions, and unsigned binaries open the door to DLL hijacking and privilege escalation that can compromise the whole host, not just the application.
Web and API scanners cannot analyze a compiled binary, its on-disk artifacts, or its thick-client-to-server protocol - only hands-on reverse engineering and traffic interception reveal these risks.
Aligned with industry standards: OWASP ASVS · OWASP Desktop App Security Top 10 · PTES · NIST SP 800-115
Our methodology
01. Scoping & Architecture Review
We map the application architecture - two-tier vs. three-tier, the frameworks in use (.NET, Java, C/C++, Electron), local data stores, and every server, API, and IPC channel it talks to.
02. Binary & Static Analysis
We reverse-engineer and decompile the binary to recover logic, hunt for hardcoded secrets and weak cryptography, assess obfuscation and anti-tamper, and review compiler hardening such as ASLR, DEP, and code signing.
03. Local Storage & Privilege Analysis
We inspect files, the Windows registry, configuration, logs, caches, and process memory for sensitive data, then test installer and file/directory ACLs, DLL search-order hijacking, and unquoted service paths for privilege escalation.
04. Traffic & IPC Interception
We intercept and manipulate network traffic - including non-HTTP and proprietary protocols - by proxying, defeating SSL/certificate pinning, and tampering with client-server and inter-process messages to attack the trust boundary.
05. Client-Side Control Bypass & Exploitation
We tamper with the runtime and binary to bypass authentication, authorization, licensing, and input validation, then chain findings to demonstrate concrete impact on the client and the back-end services it reaches.
06. Reporting, Remediation & Retest
We deliver a prioritized report with reproduction steps and evidence, support your developers through the fixes, and re-test every issue to confirm remediation - included free.
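The hardcoded-secrets hunt in step 02 can be turned into a pre-release check developers run themselves. The block below is an added example, not CyberXplore's tooling: it extracts printable strings from a binary (as the `strings` tool does) and flags those that match credential-style patterns or have high Shannon entropy; the sample binary bytes, the entropy threshold and the secret values are all constructed.

```python
# Added example (not CyberXplore's tooling): flag likely hardcoded secrets
# in a compiled binary by string extraction + pattern/entropy scoring.
import math
import re

MIN_LEN = 8
ENTROPY_THRESHOLD = 4.0  # bits per char; assumed value, tune per code base
CRED_RE = re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Runs of printable ASCII of at least min_len bytes, like `strings`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_secret_candidates(data: bytes) -> list[tuple[str, str]]:
    """Return (reason, string) pairs that deserve a manual look."""
    hits = []
    for s in extract_strings(data):
        if CRED_RE.search(s):
            hits.append(("credential-pattern", s))
        # Long, space-free, high-entropy blobs look like keys/tokens.
        elif len(s) >= 20 and " " not in s and shannon_entropy(s) >= ENTROPY_THRESHOLD:
            hits.append(("high-entropy", s))
    return hits


# Constructed sample "binary": non-printable junk around embedded strings.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"Connecting to server...\x00"
    + b"DB_PASSWORD=Sup3rS3cret!\x00"            # constructed credential
    + b"\x90\x90\xcc\xcc"
    + b"9f4Qz7Lx2mWpB8vT1nRkY6dH3sJc\x00"        # constructed API-key-like blob
    + b"Copyright 2024 Example Corp\x00"
)

if __name__ == "__main__":
    for reason, s in find_secret_candidates(SAMPLE_BINARY):
        print(f"{reason:20} {s}")
```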
What we test
Insecure local data storage (files, registry, config, logs, caches)
Sensitive data and secrets exposed in process memory
Binary reverse engineering, decompilation, and logic recovery
Hardcoded credentials, API keys, and weak or improper cryptography
DLL hijacking, unquoted service paths, and binary planting
Insecure installer, file, and registry permissions (privilege escalation)
Network traffic interception, SSL/certificate-pinning bypass, and tampering
Inter-process communication (IPC), named pipes, and proprietary protocols
Client-side authentication, authorization, and licensing bypass
Server-side validation of all client-supplied input and requests
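The sample finding at the top of the page (server trusts a client-side role, CWE-602) and the last item above come down to the same rule: the backend must derive authorization from its own session state, never from a field the thick client sends. The block below is an added example, not CyberXplore's or any client's code; the session store, tokens and request shape are constructed.

```python
# Added example (not the page's code): a backend handler that trusts the
# "role" the fat client sends (CWE-602) beside one that takes the role
# only from the server-side session bound to the bearer token.
import json

# Constructed server-side session store: token issued at login -> identity.
SESSIONS = {
    "tok-7f3a": {"user": "alice", "role": "user"},
    "tok-91c0": {"user": "admin1", "role": "admin"},
}


def export_customers_vulnerable(request: dict) -> dict:
    """Authorizes on the role claimed in the request body. A patched or
    hooked client that rewrites role='admin' gets the privileged action."""
    body = json.loads(request["body"])
    if body.get("role") != "admin":
        return {"status": 403, "error": "forbidden"}
    return {"status": 200, "exported": True, "by": body.get("user")}


def export_customers_fixed(request: dict) -> dict:
    """Ignores anything the client says about itself; identity and role
    come from the session the server created when the token was issued."""
    auth = request["headers"].get("Authorization", "")
    token = auth.removeprefix("Bearer ").strip()
    session = SESSIONS.get(token)
    if session is None:
        return {"status": 401, "error": "unauthenticated"}
    if session["role"] != "admin":
        return {"status": 403, "error": "forbidden"}
    return {"status": 200, "exported": True, "by": session["user"]}


def tampered_request() -> dict:
    """Constructed request as a tampered client would send it: alice's
    real token, but a body claiming role=admin."""
    return {
        "headers": {"Authorization": "Bearer tok-7f3a"},
        "body": json.dumps({"user": "alice", "role": "admin", "action": "export"}),
    }


if __name__ == "__main__":
    req = tampered_request()
    print("vulnerable:", export_customers_vulnerable(req)["status"])  # 200
    print("fixed:     ", export_customers_fixed(req)["status"])       # 403
```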
What you get
Executive summary for leadership and stakeholders
Detailed technical findings with CVSS severity and evidence
Step-by-step reproduction for every vulnerability
Prioritized, developer-ready remediation guidance
Binary hardening and secure-storage recommendations
Free retest with a remediation verification letter
Attestation letter for customers, auditors, and compliance
Sample deliverable
What you'll see in your report
Every engagement ends with a clear, prioritized report: severity-rated findings with CVSS scores, affected assets, and remediation status - plus a free retest. The figures below are illustrative.
Findings by severity (20 total): Critical 0 · High 4 · Medium 9 · Low 7
CX-814 · High · CVSS 7.8 · DLL hijacking via insecure search path · CWE-427 · ClientApp.exe · Fixed
CX-802 · High · CVSS 7.5 · Hardcoded database credentials in binary · CWE-798 · ClientApp.exe · Open
CX-808 · Medium · CVSS 6.5 · Sensitive data cached in insecure local storage · CWE-312 · %APPDATA%\ClientApp · Open
Illustrative thick client penetration test sample - anonymized to example.com.
Want the full anonymized sample report? We'll include it with your quote.
Cumulative figures across our team's combined engagement history
Shared under NDA · details anonymized
“CyberXplore found critical issues three previous vendors missed. The report was the clearest we've ever received - our engineers fixed everything in a week, and the free retest confirmed every fix held.”
23 critical findings surfaced
Head of Security, European SaaS platform · Series C · 450 employees · B2B SaaS
Shared under NDA · details anonymized
“Senior testers, fast turnaround, and a free retest that actually proved our fixes worked. They made our SOC 2 audit painless.”
SOC 2 passed first attempt
VP of Engineering, Series B FinTech · Payments platform · FinTech
Certifications held by our testers
OSCP
CRTP
CREST
CEH
eWPTX
ISO 27001
ISO 9001
Frequently asked questions
A thick (or fat) client is a desktop or native application that performs significant processing locally rather than relying entirely on a server - examples include trading platforms, banking apps, ERP clients, and engineering or healthcare software built on .NET, Java, C/C++, or Electron. Because they run trusted code on the user's machine and store data locally, they need testing techniques that web scanners cannot provide.