Penetration Testing

What is Thick Client Penetration Testing?

A Thick Client (a.k.a. Fat Client) is the client component of a client–server architecture that provides rich functionality independently of the server. In these applications the bulk of the processing is done on the client side, so the client machine holds application logic, configuration and often credentials that a browser-based client would not.

Thick Client Penetration Testing (a.k.a. Thick Client Pentest, Thick Client VAPT, Thick Client Pen Testing) identifies exploitable vulnerabilities on both the client side and the server side. The attack surface is larger than that of a web application and requires a different approach from web application penetration testing: the client binary, its local storage, its network traffic and the back-end services are all in scope. The process often requires specialized tools (debuggers, decompilers, traffic proxies that can handle non-HTTP protocols) and a custom testing setup.


is a CREST accredited Penetration Testing provider.


Two Common Architectures for Thick Clients

The two common architectures for thick clients are the two-tier architecture and the three-tier architecture.


Two-Tier Architecture

In a two-tier architecture the application installed on the client computer communicates directly with the database server. The consequence for testing is that the database address and credentials (typically in a connection string) must exist somewhere on the client, in the binary, a configuration file, the registry or process memory, and the client issues SQL itself. An end user who recovers those credentials can bypass the application's own controls and query the database directly.

Three-Tier Architecture

In a three-tier architecture the application talks to an application server via a communication protocol such as HTTP/HTTPS, and the application server in turn talks to the database. This gives a modest security advantage over the two-tier architecture because it prevents the end user from communicating directly with the database server: database credentials and query logic can stay on the application server, and server-side authorization checks cannot be bypassed by the client alone. The application server and its API then become the primary target, much as in a web application test.

Objective of this assessment

Identify vulnerabilities that can compromise the system
Gain real-world compliance and technical insights
Develop strong authentication and access controls

Approach & Methodology

The Thick Client Penetration Testing methodology is based upon industry standards, including but not limited to the OWASP Windows Binary Executable Files Security Checks Project.


The assessment proceeds through the following phases:

Information Gathering
Client Side Attacks
Network Side Attacks
Server Side Attacks