CyberXplore - Xplore the Unseen

Thick Client Penetration Testing

Secure the desktop and native applications that run trusted code on every endpoint.

Thick client - AcmeDesktop.exe (sample, illustrative)

AcmeDesktop.exe · .NET 4.8 · x64 · WPF · unsigned · no anti-tamper · not obfuscated

Local artifacts

  • %AppData%\Acme\config.xml (CWE-256)
    └─ connectionString=...;Password=P@ss (plaintext)
  • settings.dat (CWE-321)
    └─ aesKey=A1B2C3D4... hardcoded · static IV
  • HKCU\Software\Acme\AuthToken (CWE-312)
    └─ bearer token cached unencrypted

Intercepted (runtime hooked)

  POST /api/v1/exec
  thick → api.example.com:8443
  "role": "admin", "sig": "5f2c...9ab"
  sig valid · role not server-validated

Server trusts client-side role (CWE-602) - tamper role in the fat client, backend authorizes it.

Status: decompiled · runtime hooked · 2 critical
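The CWE-602 finding on the card, worked through as an added example (not code from the page, from CyberXplore or from the Acme client): a backend handler for /api/v1/exec that trusts the signed "role" field beside one that resolves the role from its own account record. The HMAC key, the account table and the request body are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample values for this example (not from the engagement): a signing
# key compiled into the thick client, so every user of the client can produce a
# valid "sig", and the server's own account table, which is the only trustworthy
# source of a user's role.
CLIENT_EMBEDDED_KEY = b"placeholder-key-compiled-into-AcmeDesktop"
SERVER_ROLES = {"alice": "user", "bob": "admin"}


def sign(body: dict, key: bytes = CLIENT_EMBEDDED_KEY) -> str:
    """HMAC-SHA256 over the canonical JSON body, as the client computes it."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def signature_valid(body: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(body), sig)


def authorize_exec_vulnerable(body: dict, sig: str) -> bool:
    """CWE-602 pattern from the card: the signature verifies, so the backend
    believes the 'role' field the client placed in the message."""
    if not signature_valid(body, sig):
        return False
    return body.get("role") == "admin"


def authorize_exec_fixed(body: dict, sig: str) -> bool:
    """Server-side enforcement: a valid signature only shows the message came
    from the client software. The role is resolved from the server's record of
    the authenticated user; the client-supplied 'role' field is ignored."""
    if not signature_valid(body, sig):
        return False
    return SERVER_ROLES.get(body.get("user")) == "admin"


def edited_role_request() -> tuple:
    """The intercepted request from the card as a 'user'-level account would
    send it after the role field was edited in the fat client: the signature
    is still valid because the client signs whatever it sends."""
    body = {"user": "alice", "action": "exec", "role": "admin"}
    return body, sign(body)
```

The fixed handler shows the remediation the card implies: the signature is an integrity check on transport, not an authorization decision, so the backend must take the role from its own session or account store.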
What is a Thick Client Pentest?

Thick client penetration testing is a manual security assessment of desktop and native applications - software that runs locally and performs processing on the client rather than relying solely on a server. CyberXplore's senior testers reverse-engineer the binary, inspect how the app stores data on disk and in memory, intercept its network and IPC traffic, and attempt to bypass client-side controls such as licensing, authentication, and input validation. Because thick clients trust the machine they run on, our OSCP- and CRTP-certified specialists focus on the flaws automated scanners miss - insecure local storage, DLL hijacking, hardcoded secrets, and tampering of business logic - then deliver prioritized remediation with free retesting.

OWASP ASVS · OWASP Desktop App Security Top 10 · PTES · NIST SP 800-115

Why CyberXplore

  • Senior-only testers (OSCP, CRTP, CREST)
  • ISO 27001 & ISO 9001 certified
  • Free retest + attestation letter
  • Tailored scope and quote in 24 hours

Why it matters

Thick clients run trusted code directly on the user's machine, so any control enforced only on the client - licensing, authentication, or input validation - can be bypassed by an attacker who owns that endpoint.

Desktop apps routinely cache credentials, tokens, and sensitive business data in local files, the registry, or memory, where they are exposed to malware, insider threats, and stolen or shared devices.

Insecure DLL loading, weak installer permissions, and unsigned binaries open the door to DLL hijacking and privilege escalation that can compromise the whole host, not just the application.

Web and API scanners cannot analyze a compiled binary, its on-disk artifacts, or its thick-client-to-server protocol - only hands-on reverse engineering and traffic interception reveal these risks.

Aligned with industry standards: OWASP ASVS · OWASP Desktop App Security Top 10 · PTES · NIST SP 800-115

Our methodology

  1. Scoping & Architecture Review

     We map the application architecture - two-tier vs. three-tier, the frameworks in use (.NET, Java, C/C++, Electron), local data stores, and every server, API, and IPC channel it talks to.

  2. Binary & Static Analysis

     We reverse-engineer and decompile the binary to recover logic, hunt for hardcoded secrets and weak cryptography, assess obfuscation and anti-tamper, and review compiler hardening such as ASLR, DEP, and code signing.

  3. Local Storage & Privilege Analysis

     We inspect files, the Windows registry, configuration, logs, caches, and process memory for sensitive data, then test installer and file/directory ACLs, DLL search-order hijacking, and unquoted service paths for privilege escalation.

  4. Traffic & IPC Interception

     We intercept and manipulate network traffic - including non-HTTP and proprietary protocols - by proxying, defeating SSL/certificate pinning, and tampering with client-server and inter-process messages to attack the trust boundary.

  5. Client-Side Control Bypass & Exploitation

     We tamper with the runtime and binary to bypass authentication, authorization, licensing, and input validation, then chain findings to demonstrate concrete impact on the client and the back-end services it reaches.

  6. Reporting, Remediation & Retest

     We deliver a prioritized report with reproduction steps and evidence, support your developers through the fixes, and re-test every issue to confirm remediation - included free.
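The unquoted-service-path check from step 3, as an added example (not CyberXplore's tooling or any code from the page): it parses service ImagePath values, lists the locations Windows would search before the intended binary (the directories a reviewer must confirm are not writable by standard users), and produces the quoted fix. The service names and paths are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Constructed sample ImagePath values, in the form they are read from the
# Services registry hive (placeholder names and paths, not from any real host).
SAMPLE_IMAGE_PATHS = {
    "AcmeUpdater": r"C:\Program Files\Acme Suite\updater.exe -k run",
    "AcmeAgent": r'"C:\Program Files\Acme Suite\agent.exe" --service',
    "W32Time": r"C:\Windows\System32\svchost.exe -k LocalService",
}


def executable_part(image_path: str) -> Optional[str]:
    """Return the executable path of an unquoted ImagePath, or None when the
    value is quoted (the service manager then parses it unambiguously)."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return None
    match = re.match(r"(.*?\.exe)\b", image_path, re.IGNORECASE)
    return match.group(1) if match else image_path


def lookup_candidates(image_path: str) -> List[str]:
    """Paths Windows tries before the intended binary: for an unquoted path
    containing spaces, each prefix ending at a space is tried as '<prefix>.exe'.
    An empty list means the entry is not affected."""
    exe = executable_part(image_path)
    if exe is None or " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_image_paths(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Report only the services whose ImagePath is unquoted and has spaces."""
    findings = {}
    for name, path in image_paths.items():
        candidates = lookup_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings


def quoted_image_path(image_path: str) -> str:
    """The remediation: quote the executable and keep any arguments as-is."""
    exe = executable_part(image_path)
    if exe is None:
        return image_path
    return f'"{exe}"' + image_path.strip()[len(exe):]
```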

What we test

  • Insecure local data storage (files, registry, config, logs, caches)
  • Sensitive data and secrets exposed in process memory
  • Binary reverse engineering, decompilation, and logic recovery
  • Hardcoded credentials, API keys, and weak or improper cryptography
  • DLL hijacking, unquoted service paths, and binary planting
  • Insecure installer, file, and registry permissions (privilege escalation)
  • Network traffic interception, SSL/certificate-pinning bypass, and tampering
  • Inter-process communication (IPC), named pipes, and proprietary protocols
  • Client-side authentication, authorization, and licensing bypass
  • Server-side validation of all client-supplied input and requests

What you get

  • Executive summary for leadership and stakeholders
  • Detailed technical findings with CVSS severity and evidence
  • Step-by-step reproduction for every vulnerability
  • Prioritized, developer-ready remediation guidance
  • Binary hardening and secure-storage recommendations
  • Free retest with a remediation verification letter
  • Attestation letter for customers, auditors, and compliance
Sample deliverable

What you'll see in your report

Every engagement ends with a clear, prioritized report: severity-rated findings with CVSS scores, affected assets, and remediation status - plus a free retest. The figures below are illustrative.

Findings by severity (20 total)

  • Critical: 0
  • High: 4
  • Medium: 9
  • Low: 7

CX-814 · High · CVSS 7.8 · CWE-427 · ClientApp.exe · Fixed

DLL hijacking via insecure search path

CX-802 · High · CVSS 7.5 · CWE-798 · ClientApp.exe · Open

Hardcoded database credentials in binary

Illustrative thick client penetration test sample - anonymized to example.com.

Want the full anonymized sample report? We'll include it with your quote.

See a sample report

Ready to scope your engagement?

Tell us what you need tested - get a tailored scope and quote within 24 hours.

Get a Quote
Proof, not promises

Teams that tested with us


Shared under NDA · details anonymized
CyberXplore found critical issues three previous vendors missed. The report was the clearest we've ever received - our engineers fixed everything in a week, and the free retest confirmed every fix held.
23 critical findings surfaced
Head of Security
European SaaS platform · Series C · 450 employees
B2B SaaS
Shared under NDA · details anonymized
Senior testers, fast turnaround, and a free retest that actually proved our fixes worked. They made our SOC 2 audit painless.
SOC 2 passed first attempt
VP of Engineering
Series B FinTech · Payments platform
FinTech

Certifications held by our testers

  • OSCP
  • CRTP
  • CREST
  • CEH
  • eWPTX
  • ISO 27001
  • ISO 9001

Frequently asked questions

A thick (or fat) client is a desktop or native application that performs significant processing locally rather than relying entirely on a server - examples include trading platforms, banking apps, ERP clients, and engineering or healthcare software built on .NET, Java, C/C++, or Electron. Because they run trusted code on the user's machine and store data locally, they need testing techniques that web scanners cannot provide.

Ready to see what attackers see?

Get a tailored scope and quote in 24 hours. No pressure, no jargon - just clarity on your risk.

  • Free retest on every fix
  • Scoped quote within 24 hours
  • Senior-only testers
  • ISO 27001
  • ISO 9001
  • OSCP
  • CRTP
  • CREST
Get a Quote