Applications are sometimes developed with older versions of a framework or of dependent software. These older components may have open CVEs and be vulnerable to multiple attacks.

Steps to test:

Step 1: Identify the software/framework version by referring to config files or through other information-gathering techniques, as shown in the figure below. If you are testing an internal application, request the tech stack information from the product team, including details of all software and the versions used by the application.

Step 2: For all the identified framework/software versions, check for open CVEs on Google. If open CVEs are found, report the issue.

Remediation: Upgrade all frameworks/software used in the application to the latest stable version.

!! Happy Learning !!

Manual analysis is very important in thick client security. When a thick client is installed, many sensitive files are stored locally under the installation folders.

Check all configuration files for sensitive information such as FTP passwords, MDB passwords, license keys, default passwords, API keys, etc.

Example 1: The screenshot below shows a username and password disclosed in one of the config files.

Example 2: The screenshot below shows license information disclosed in one of the .js files, which can be tampered with to increase license validity.
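
The configuration-file check described above can be scripted when reviewing an installation folder. The following is an added example, not code from the original post; the keyword pattern, the file extension list and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed keyword list, taken from the kinds of secrets named in the text.
SECRET = re.compile(
    r"(?i)(password|passwd|pwd|api[_-]?key|license[_-]?key|secret)"
    r"[\"']?\s*[:=]\s*[\"']?([^\"'\s;,]+)"
)
# Assumed set of text-based file types worth reading; extend per application.
TEXT_EXTENSIONS = {".config", ".xml", ".ini", ".json", ".js", ".properties"}


def mask(value):
    """Keep two characters so the finding is verifiable but not reusable."""
    return value[:2] + "*" * (len(value) - 2)


def scan_install_dir(root):
    """Return (relative path, line number, keyword, masked value) per hit."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for hit in SECRET.finditer(line):
                findings.append((path.relative_to(root).as_posix(), lineno,
                                 hit.group(1).lower(), mask(hit.group(2))))
    return findings


def build_sample_install(root):
    """Constructed sample files standing in for an installation folder."""
    root = Path(root)
    (root / "config").mkdir()
    (root / "web").mkdir()
    (root / "config" / "settings.ini").write_text(
        "[ftp]\nserver = ftp.example.test\nftp_password = Winter2024!\n")
    (root / "web" / "license.js").write_text(
        'var licenseKey = "CONSTRUCTED-0001";\nvar expires = "2030-01-01";\n')
    (root / "notes.log").write_text("password=ignored-extension\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        for finding in scan_install_dir(tmp):
            print(finding)
```

Values are masked in the output so the report itself does not become another place where the secret is stored.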

When the thick client application is installed and the user has signed up, sensitive information such as the password will be stored in the registry.

Use the Windows “Registry Editor” tool to view registry entries. With this tool we can search for keywords like username, password, etc., or navigate to the registry path of the installed thick client application and look for sensitive information.
