Thick Client Testing Toolkit Part 1: Introduction

By Muhammed Noushad K

February 23, 2016


What are Thick Clients?

Thick Client applications are applications that are installed and run on the user’s machine. In these applications the client handles most of the business logic, including input validation, the user interface (view) components and, at times, temporary data.

The following are a few examples:

  • Google Talk
  • Yahoo Messenger
  • Microsoft Outlook

The salient features of Thick Clients are as follows:

  • They perform complex calculations
  • They display richer graphics
  • They possess complex menus and forms

Architecture of Thick Clients

On the basis of architecture, there are two types of Thick Clients:

  • Those developed on two-tier architecture.
  • Those developed on three-tier architecture.

Thick Clients developed on two-tier architecture

These clients communicate directly with a database through a database connection driver. Examples of connection drivers are ODBC (Open Database Connectivity) and JDBC (Java Database Connectivity).

Thick Clients developed on a two-tier architecture send database queries directly to the database, and the business logic is executed on the basis of the records returned by the database server. Because there is no intermediate server, the client itself must hold the database credentials and enforce every authorization rule; a tester therefore looks for connection strings embedded in the binary or in configuration files, and for queries assembled from user input.
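
The following is an added example, not code from the original post or from any product it names. It mimics a two-tier client in Python against an in-memory SQLite database (standing in for the ODBC/JDBC-connected backend) to show the two things a tester looks for: a connection string with embedded credentials (the `EMBEDDED_CONNECTION_STRING` value is a hypothetical placeholder) and a login query built by string formatting, shown next to the parameterised version that closes the injection.

```python
import sqlite3

# Hypothetical placeholder: a two-tier client usually ships its database
# connection details inside the executable or a config file, which is why
# credential extraction is a routine finding in these applications.
EMBEDDED_CONNECTION_STRING = (
    "Driver={SQL Server};Server=db.internal;Uid=app_user;Pwd=hunter2;"
)


def make_demo_db():
    """Build a constructed in-memory SQLite database that stands in for
    the backend the thick client would normally reach over ODBC/JDBC."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "pa55", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login the way a careless two-tier client does: the SQL is built by
    string formatting, so whatever the user types becomes part of the query.
    Returns the matching (username, role) rows."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    """Same check with a parameterised query: the driver sends the values
    separately from the statement, so quotes in the input never change it."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_demo_db()
    payload = "' OR '1'='1"          # classic authentication-bypass input
    print("vulnerable:", login_vulnerable(conn, "alice", payload))
    print("hardened:  ", login_hardened(conn, "alice", payload))
```

With the payload `' OR '1'='1` as the password, the formatted query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable function returns both users; the parameterised version returns nothing. Note that fixing the query does not fix the architecture: the client still holds `app_user`'s password, so anyone who extracts it can run any query that account is allowed to run.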

[Figure (thick client 1_1): two-tier architecture, with the client application connecting directly to the database]


Thick Clients developed on three-tier architecture

These types of thick clients have the following three components:

  • Client Application
  • Application Server
  • Database

[Figure (thick client 1_2): three-tier architecture, with the client application talking to an application server that in turn talks to the database]

In this architecture, the client application communicates with an application server, typically over HTTP or HTTPS (proprietary TCP protocols are also common). The application server, in turn, queries the database to fetch or store data. The database credentials stay on the server, so the client-to-server traffic and the server’s trust in what the client sends become the main attack surface.

How do they differ from web applications?


Web applications

Web applications, also known as Thin Clients, are browser-based applications whose logic runs on a web server; the browser only renders the pages it is served. These applications are largely independent of the user’s machine and do not require installation. The performance of a web application depends heavily on the network connection and on the server.

Thick Clients

Thick Clients are installed on the user’s machine and run locally as a native process, consuming local memory and CPU. Most of the data validation is done by the client rather than by the server. This is convenient for the user but dangerous for the server: anything the client checks can be bypassed by modifying the client or the traffic it sends, so the server must re-validate every input it receives. Additionally, Thick Clients can store files and data locally, reducing their dependency on the server. They display complex forms and richer graphics compared with Thin Clients, and because the majority of the logic resides on the client side they generally feel faster, since fewer round trips to the server are needed.
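
The following is an added example, not code from the original post. It models the three-tier flow described above in Python: the client validates an order (quantity and price) before serialising it as the JSON message an interception proxy would see, and two hypothetical application servers process it, one that trusts the client’s validation and one that re-validates against its own catalogue. The product catalogue and the order are constructed sample data.

```python
import json

# Constructed catalogue held by the application server (hypothetical data).
# Prices are in whole currency units.
CATALOG = {"SKU-100": 250, "SKU-200": 40}


def client_validate(order):
    """Validation as the thick client performs it before sending the order.
    Returns a list of problems; an empty list means the client lets it through."""
    problems = []
    if order.get("sku") not in CATALOG:
        problems.append("unknown sku")
    if not isinstance(order.get("qty"), int) or order["qty"] < 1:
        problems.append("qty must be a positive integer")
    if order.get("unit_price") != CATALOG.get(order.get("sku")):
        problems.append("price does not match catalogue")
    return problems


def client_send(order):
    """Serialise the request as the client puts it on the wire (JSON over
    HTTP). This is exactly the message an intercepting proxy shows a tester."""
    return json.dumps(order)


def tamper(body, **changes):
    """Stand-in for editing the intercepted request in a proxy: the client's
    checks have already run, so none of them apply to these changes."""
    order = json.loads(body)
    order.update(changes)
    return json.dumps(order)


def server_trusting(body):
    """Application server that assumes the client validated everything and
    bills whatever unit_price and qty arrived."""
    order = json.loads(body)
    return {"status": "ok", "total": order["unit_price"] * order["qty"]}


def server_hardened(body):
    """Application server that re-validates: the price comes from the
    server-side catalogue, never from the request, and qty is range-checked."""
    order = json.loads(body)
    sku, qty = order.get("sku"), order.get("qty")
    if sku not in CATALOG:
        return {"status": "rejected", "reason": "unknown sku"}
    if not isinstance(qty, int) or qty < 1:
        return {"status": "rejected", "reason": "bad qty"}
    return {"status": "ok", "total": CATALOG[sku] * qty}


if __name__ == "__main__":
    order = {"sku": "SKU-100", "qty": 2, "unit_price": 250}
    print("client validation problems:", client_validate(order))
    wire = client_send(order)

    cheap = tamper(wire, unit_price=1)   # price manipulation
    refund = tamper(wire, qty=-3)        # negative quantity
    for label, body in (("cheap", cheap), ("refund", refund)):
        print(label, "trusting:", server_trusting(body))
        print(label, "hardened:", server_hardened(body))
```

The client rejects an order whose price does not match the catalogue, yet the tampered request (sent after the client’s checks ran) is billed at 1 per unit by the trusting server, and a negative quantity produces a negative total, i.e. a refund. The hardened server ignores the client-supplied price entirely and rejects the bad quantity; that is the behaviour a tester expects to find, and its absence is the finding.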

Key vulnerabilities associated with Thick Clients

As Thick Clients do not run inside a browser, browser-specific vulnerabilities (for example cross-site scripting executing in the browser’s context) generally do not apply to them, unless the client embeds a browser control to render content.


However the following key vulnerabilities are associated:


  • Injection attacks (SQL, command or LDAP injection through input the client passes on unsanitised)
  • Variable manipulation (tampering with values the client holds in memory, configuration files or the registry)
  • Response manipulation (altering server responses in transit so the client unlocks features or access it should not)
  • Improper error handling (verbose errors or stack traces that reveal internals)
  • Insecure storage (credentials, keys or other sensitive data kept in plaintext on disk)
  • Sensitive data disclosure (secrets exposed in process memory, logs or network traffic)
  • Denial of Service (DoS)
  • Improper access control (authorization enforced only in the client’s user interface)
  • Improper session management (weak or predictable session tokens, sessions that never expire)
  • Reverse engineering (decompiling the client to recover logic, hard-coded secrets or hidden functionality)

How can they be tested?

As Thick Clients differ from web applications, the testing methodology also differs, although the standard test cases for common vulnerabilities such as SQL Injection still apply. Thick Client testing has the following stages:

  • Interception (capturing and modifying the client-server traffic, including non-HTTP protocols that a web proxy alone will not see)
  • Local storage and memory testing (examining files, configuration, the registry and process memory for sensitive data)
  • Decompiling and reverse engineering (recovering the client’s logic and any hard-coded secrets from the binary)

In the next posts in this series, we will cover the tools and techniques used to test Thick Client applications.

About the Author

Muhammed Noushad K. is an EC-Council Certified Security Analyst (ECSA) who has worked in information security for the past five years. He has rich experience in Application Security and Secure Code Review. Currently, he is employed as a Security Researcher at Paladion Networks, an information security organization providing security services for corporate organizations in India, Malaysia, the Middle East, and the USA. Paladion’s mission is to harness global technologies to deliver trusted solutions for creating a secure business environment.

Tags: blog, introduction to thick client, thick clients, thick client testing