What are Thick Clients?
Thick Client applications refer to the applications that run on a user’s machine. In these applications, the client handles most of the business logic, which includes the validations, view components and occasionally, temporary data.
The following are a few examples:
- Google Talk
- Yahoo Messenger
- Microsoft Outlook
The salient features of Thick Clients are as follows:
- They perform complex calculations
- They display richer graphics
- They possess complex menus and forms
Architecture of Thick Clients
On the basis of architecture, there are two types of Thick Clients:
- Those developed on two-tier architecture.
- Those developed on three-tier architecture.
Thick Clients developed on two-tier architecture
These types directly communicate with a database through a database connection driver. Examples of connection drivers are ODBC (Open Database Connectivity) and JDBC (Java Database Connectivity).
Thick Clients developed on a two-tier architecture send database queries directly to the database and business logic is executed on the basis of the records/response from the server.
Thick Clients developed on three-tier architecture
These types of thick clients have the following three components:
- Client Application
- Application Server
- Database
In this architecture, the client application communicates with an application server over HTTP. The application server, in turn, queries a database to fetch/store data.
How do they differ from web applications?
Web applications, also known as Thin Clients, are browser-based applications that run on a web server. These applications are completely independent of the user’s machine and do not require installation. The performance of a web application completely depends on the internet connection.
Thick Clients are installed on the user’s machine and run locally by utilizing some memory. Most of the data validation is done by the client and not by the server. Additionally, they can store local files and applications, thus reducing dependency on the server. Thick Clients display complex forms and richer graphics compared with Thin Clients. As the majority of logic resides on the client side, faster performance is observed due to a reduced dependency on the server.
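The two-tier case above, where the client talks to the database directly and performs its own validation, is easiest to see in code. This is an added example, not code from the original post: a stand-in two-tier client written in Python against an in-memory SQLite database (the `accounts` table, its rows and the function names are constructed for illustration). It shows that a form-level check is only a usability aid once the database is reachable without the form, and that only a parameterised query keeps data out of the SQL grammar, a name with an apostrophe being enough to break the concatenated version.

```python
import sqlite3

# Constructed stand-in for the backend database that a two-tier thick client
# reaches directly through its connection driver (sample rows are made up).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100.0), (2, "bob", 250.0), (3, "carol", 75.5)])
    conn.commit()
    return conn

def form_check(owner):
    # The validation the thick client performs in its form layer. It lives in
    # the client binary, so anything that reaches the database without going
    # through the form (a patched client, a script using the same driver and
    # credentials) never runs it. Treat it as a usability aid, not a control.
    return owner.isalnum() and 1 <= len(owner) <= 20

def lookup_concat(conn, owner):
    # Query text assembled from the input. Whatever reaches this function is
    # interpreted as SQL, so the data can change the statement's structure.
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()

def lookup_param(conn, owner):
    # Parameterised query: the driver passes the value separately from the
    # statement text, so the input is only ever compared, never parsed.
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()

def concat_statement_breaks(conn, owner):
    # True when the concatenated statement no longer parses for this input,
    # i.e. the data has leaked into the SQL grammar. A legitimate name with an
    # apostrophe is enough to show it; no malicious input is needed.
    try:
        lookup_concat(conn, owner)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = build_db()
    for name in ("alice", "o'brien"):
        print(name, "form_check:", form_check(name),
              "param:", lookup_param(db, name),
              "concat breaks:", concat_statement_breaks(db, name))
```

In a real two-tier deployment the same driver and connection string the client uses are available to anyone on the workstation, which is why the validation and the query construction in `lookup_param` are the parts worth reviewing during a thick client assessment.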
Key vulnerabilities associated with Thick Clients
As Thick Clients are not dependent on the browser, browser-related vulnerabilities are not applicable to them.
However, the following key vulnerabilities are associated with them:
- Injection attacks
- Variable manipulation
- Response manipulation
- Improper error handling
- Insecure storage
- Sensitive data disclosure
- Denial of Service (DoS)
- Improper access control
- Improper session management
- Reverse engineering
How can they be tested?
As Thick Clients differ from web applications, the testing methodology also varies. However, standard test cases for common vulnerabilities like SQL Injection remain the same. Thick Client testing has the following stages:
- Local storage and memory testing
- Decompiling and reverse engineering
In the next series of blogs, we will cover tools and techniques to test Thick Client applications.
About the Author
Muhammed Noushad K. is an EC Council-Certified Security Analyst (ECSA) involved in information security for the past five years. He has rich experience in Application Security and Secure Code Reviews. Currently, he is employed as a Security Researcher at Paladion Networks, an information security organization providing security services for corporate organizations in India, Malaysia, the Middle East, and the USA. Paladion’s mission is to harness global technologies to deliver trusted solutions for creating a secure business environment.Speak to our application security experts