Thick Client Application Penetration Test (VAPT)

Our thick client application penetration test exposes logic flaws, weak communication protocols, and server side risks before attackers do.

Thick client application VAPT for locally installed risk

Because the real threat is already inside the machine

A thick client vulnerability assessment and penetration test (VAPT) is a security assessment of locally installed desktop applications. It examines the application GUI, file system, registry, memory, and network communication to identify and exploit security vulnerabilities. Unlike a web application penetration test, a thick client VAPT targets client-side binary execution, runtime memory manipulation, and DLL preloading. Swarmnetics delivers this application security service through Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) certified consultants.

When client applications become attack paths

Reverse engineering the truth: Where weakness becomes insight

In February 2024, Microsoft disclosed CVE-2024-21413, a critical vulnerability in the Microsoft Outlook desktop client, after in-the-wild exploitation. The flaw was later added to CISA’s Known Exploited Vulnerabilities Catalog. NVD identifies it as a Microsoft Outlook remote code execution vulnerability and records a CVSS score of 9.8. The issue showed how a trusted desktop client can itself become an attack path on the endpoint, rather than merely a front end to backend systems. Unsafe link handling of this kind in a desktop application is exactly what a thick client application penetration testing engagement is designed to surface before exploitation.

Organisations often need to validate application security controls through regular testing. Thick client applications are routinely excluded from security testing programmes because teams assume internal deployment means lower risk. That assumption overlooks what a malicious insider or compromised workstation can access through local files, memory, registry artefacts, and client-side trust decisions that web application testing never touches. That blind spot creates cyber threats that routine security assessments often miss.


Assessing the desktop attack path

Tracing client-to-server flaws to stop real exploits

Our OSCP and CREST-certified consultants test thick client apps on both a black-box basis and a grey-box basis. Black-box testing simulates an attacker on a compromised endpoint with no prior knowledge of the application. Grey-box testing uses architecture documentation and test credentials to increase coverage of authenticated workflows and backend server interactions.

The assessment starts with information gathering on the application architecture, technologies, and entry points. It then examines local files, memory, registry artefacts, and configuration weaknesses that affect the desktop runtime, and reviews network communication to verify the robustness and integrity of the thick client software and its communication protocols. The work follows the CWE/SANS Top 25 Most Dangerous Software Errors and the OWASP Desktop App Security Top 10. Our consultants perform manual testing with Burp Suite Professional, dnSpy, dotPeek, Process Hacker, the Sysinternals Suite, Regshot, Wireshark, and PESecurity. This approach lets us reverse engineer .NET assemblies and identify logic flaws from a real-world attack perspective, uncovering hardcoded credentials, insecure local storage, weak DLL loading behaviour, and client-side business logic that can be bypassed from the endpoint. A thick client app VAPT is designed to uncover weaknesses in desktop applications that routine testing often misses.

Yes, we are CREST accredited

Our core team is based in Singapore and consists of CREST-certified penetration testers who also hold the Offensive Security Certified Professional (OSCP) certification. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium businesses, across a wide range of industries.


Inside the thick client attack surface

From findings to fortitude: the real outcome of testing

A thick client VAPT covers the following scope items across every tier of a desktop application's architecture. The list below focuses on local attack surfaces, sensitive data exposure, sensitive information in local artefacts, application server interaction, and paths that can permit unauthorised access.

  • Application architecture mapping — authentication and authorisation mechanism review
  • GUI object permissions — hidden object disclosure, disabled functionality activation, and masked password exposure
  • File and folder permissions — strong naming verification, code signing authentication, and DLL preloading and backdoor insertion
  • Registry access — read and write permission review, and authentication bypass through registry manipulation
  • Application memory — process replacement, assembly modification, and debug breakpoint testing to identify dangerous functions
  • Network traffic — HTTP and HTTPS inspection, firewall rule bypass, and man-in-the-middle susceptibility across client-side and server-side communication
  • Assembly protections — ASLR, SafeSEH, DEP, ControlFlowGuard, and HighEntropyVA verification
  • Client control bypass — business logic abuse, privilege escalation through GUI control bypass, and authorisation validation
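The assembly protections item above is the kind of check a defender can also run before release. The following is an added example, not Swarmnetics' or PESecurity's own code: it reads the COFF Characteristics and optional-header DllCharacteristics fields of a PE image and reports DEP, ASLR, CFG and HighEntropyVA, treating ASLR as ineffective when relocations are stripped. The PE header it inspects is constructed in the script; `build_pe` is a helper for that purpose, not a real binary, and SafeSEH (stored in the load configuration directory) is outside what this header walk can see.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
NO_SEH = 0x0400
GUARD_CF = 0x4000
# IMAGE_FILE_RELOCS_STRIPPED bit in the COFF Characteristics field
RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header
    and report the protections a scope review checks for."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B/0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both
    is_64 = magic == 0x20B
    return {
        "pe32plus": is_64,
        "dep": bool(dll_chars & NX_COMPAT),
        # DYNAMIC_BASE alone is not enough: with relocations stripped the
        # loader cannot rebase the image, so ASLR is silently ineffective.
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not file_chars & RELOCS_STRIPPED,
        "high_entropy_va": is_64 and bool(dll_chars & HIGH_ENTROPY_VA),
        "cfg": bool(dll_chars & GUARD_CF),
        "no_seh": bool(dll_chars & NO_SEH),
    }


def missing_mitigations(data: bytes) -> list:
    """Names of protections that would be raised as findings."""
    m = pe_mitigations(data)
    wanted = ["dep", "aslr", "cfg"] + (["high_entropy_va"] if m["pe32plus"] else [])
    return [k for k in wanted if not m[k]]


def build_pe(magic: int, file_chars: int, dll_chars: int) -> bytes:
    """Constructed minimal PE header for offline testing (hypothetical image)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    machine = 0x8664 if magic == 0x20B else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, file_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

On a real file, pass `open(path, "rb").read()` to `missing_mitigations`; an empty list means every flag the scope item lists (other than SafeSEH) is present.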

FAQ

A web application penetration test targets browser-rendered interfaces and backend services. A thick client penetration test targets the locally installed application binary. It examines runtime memory, registry behaviour, compiled assemblies, and DLL hijacking paths. Those attack vectors sit on the local endpoint, not only in the browser.

Swarmnetics tests GUI controls, file and folder security, registry access, application memory, network traffic, assembly protection flags, and local workflow abuse. We also assess the compiled binary for decompilation, patching, and reassembly. That work can expose hardcoded credentials and control weaknesses that runtime testing alone may miss.

A black-box approach suits engagements where your priority is what an unauthorised user or malicious insider can reach without credentials. A grey-box approach uses architecture documentation and test accounts. It is better for complex authenticated workflows and multi-tier applications with important integrations.

An attacker with access to a vulnerable thick client application can extract connection strings from memory and recover plaintext credentials from local storage. The same attacker can bypass payment and authorisation controls through GUI manipulation. They can also escalate privileges through DLL hijacking and pivot deeper into connected systems.

A thick client application penetration test from Swarmnetics produces a draft report for your review, followed by a final report upon acceptance. The report includes an executive summary, a detailed technical section with every finding listed by CVSS severity, proof-of-concept evidence demonstrating exploitability, and specific remediation guidance. After you have addressed the findings, we conduct a follow-up retest to confirm adequate remediation.

Any organisation that operates desktop or thick client applications should consider a thick client application penetration test. It is particularly relevant for organisations subject to regulatory, contractual, or industry security requirements that mandate regular penetration testing of thick client systems. A thick client application penetration test is also recommended before launching new thick client systems, after significant changes, and as part of an ongoing security assurance programme. Swarmnetics has conducted thick client application penetration test engagements across all sectors since 2015.

The duration of a thick client application penetration test depends on the scope — the number of application modules, their complexity, and whether a black-box or grey-box approach is used. A typical thick client security assessment takes five to ten business days for the assessment phase, followed by an initial report within five business days for your review.

A thick client application penetration test is often required for compliance with applicable regulatory, contractual, or industry security obligations where organisations must demonstrate that thick client application security controls are effective through regular testing, not just scanning. Swarmnetics recommends conducting a thick client application penetration test at least annually, after significant changes, and before launching new thick client systems into production.

Every thick client application penetration test follows a three-phase process. In the planning phase, Swarmnetics agrees the scope, testing approach, and schedule with your team. In the assessment phase, our OSCP and CREST-certified consultants conduct manual thick client application security testing guided by the CWE/SANS Top 25 Most Dangerous Software Errors and the OWASP Desktop App Security Top 10 to identify and actively exploit vulnerabilities, determining their real-world impact. In the reporting phase, we deliver a draft report for review and a final report with detailed remediation guidance for every finding.

All Swarmnetics penetration tests are conducted by our Singapore-based team of security consultants holding the Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) credentials. Swarmnetics has been delivering technical security assessments to organisations across Singapore since 2015 and acts as a trusted VAPT delivery partner to service and solution providers, supporting their customers across multiple sectors.

The security assessment report includes specific, actionable remediation guidance for every finding – not generic advice. For each vulnerability, we describe the fix, its priority based on CVSS severity, and any dependencies between remediation steps. Once your team has addressed the findings, Swarmnetics conducts a follow-up retest to verify that each vulnerability has been adequately remediated. The final report confirms closure and provides documented evidence of remediation.