To test a Thick Client application, the first and most important task is intercepting the requests fired by the application. On the basis of how easily this can be done, and of the features the application offers, Thick Client applications are classified as follows:
• Proxy-aware Thick Clients
• Proxy-unaware Thick Clients
Proxy-aware Thick Clients
If a Thick Client application has a built-in feature to set up a proxy server, it is known as a proxy-aware Thick Client. Testing these Thick Clients is straightforward, because the application itself can be pointed at the tester's proxy and its requests intercepted there. An example of a proxy-aware Thick Client is Google Talk.
To test proxy-aware Thick Clients, tools like Burp Suite and Charles Proxy can be used.
Proxy-unaware Thick Clients
If a Thick Client application does not have any feature to set up a proxy server, it is known as a proxy-unaware Thick Client. Because there is no option to route traffic through a proxy, intercepting the requests and responses of these applications is a challenge.
As mentioned earlier, proxy-unaware Thick Clients are difficult to test because of the hurdles encountered while setting up a proxy. Since interception of requests and responses is essential to testing the application, this is the major hurdle in Thick Client testing, and a suitable technique is needed to overcome it. The following two categories of tools can be used for testing proxy-unaware Thick Clients:
• Tools that interact with the Thick Client Application process.
• Tools that can intercept HTTP requests/responses.
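As an added illustration that is not part of the original article and is not the code of any tool named here, the following Python relay shows the core idea behind intercepting a proxy-unaware client: instead of configuring a proxy inside the application, its server address is redirected (typically through a hosts-file entry or the application's configuration) to a local listener that records every byte in both directions before forwarding it. The backend server, the client and the request text are all constructed for the demo.

```python
import socket
import threading

class TcpRelay:
    """Listen locally, forward each connection to the real server, log both directions."""
    def __init__(self, target_host, target_port, listen_port=0):
        self.target = (target_host, target_port)
        self.log = []  # (direction, bytes) chunks in the order they were seen
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", listen_port))  # port 0: OS picks a free port
        self._srv.listen(5)
        self.listen_port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            client, _ = self._srv.accept()
            server = socket.create_connection(self.target)
            # One thread per direction so requests and responses flow independently.
            threading.Thread(target=self._pump, args=(client, server, "C->S"), daemon=True).start()
            threading.Thread(target=self._pump, args=(server, client, "S->C"), daemon=True).start()

    def _pump(self, src, dst, direction):
        # Copy bytes one way and log each chunk so the raw protocol can be reviewed.
        while data := src.recv(4096):
            self.log.append((direction, data))
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)  # propagate EOF so the other side finishes

def start_fake_server():
    """Constructed stand-in for the thick client's backend: echoes requests upper-cased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        while data := conn.recv(4096):
            conn.sendall(data.upper())
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """The client cannot be told about a proxy; its server address is pointed at the relay."""
    relay = TcpRelay("127.0.0.1", start_fake_server())
    with socket.create_connection(("127.0.0.1", relay.listen_port)) as c:
        c.sendall(b"LOGIN demo_user demo_pass\n")  # constructed sample request
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    return relay.log, reply
```

Run `demo()` to see the captured request and response pairs in `relay.log`; the same listener works for any TCP protocol, not only HTTP.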
Tools that interact with the Thick Client application process
The following is a list of some of the key tools that can be used for testing proxy-unaware Thick Clients:
• Echo Mirage
Echo Mirage is a freeware tool that hooks into the Thick Client application’s process and monitors the network interactions. This tool can start the Thick Client application or it can hook itself into a running process.
The interface is shown below:
The intercepted requests after hooking into 'Google Talk' process are shown below:
Echo Mirage has a limitation: it cannot intercept the requests made by Java applications.
If a Java Thick Client application interacts with the server over HTTP, intercepting tools like Burp Suite can be used. However, in some scenarios these applications send requests to the server directly at the TCP layer, and such requests cannot be intercepted using HTTP proxies. In these scenarios, the JavaSnoop tool comes into the picture.
JavaSnoop works with the JVM and monitors the Thick Client application. The key difference between JavaSnoop and Echo Mirage is that Echo Mirage monitors the network interactions, whereas JavaSnoop monitors the function or method calls made in the Java code.
JavaSnoop works only with Java Thick Clients and Applets. If the key methods do not take any arguments, there is nothing for the tool to intercept or tamper with, so it might not be helpful.
The user interface is shown below:
The user interface that is configured to intercept the login method call of a Thick Client is shown below:
The login method call intercepted is shown below:
About the Author
Muhammed Noushad K. is an EC Council-Certified Security Analyst (ECSA) associated with information security for the past 5 years. He has rich experience in Application Security and Secure Code Reviews. Currently, he is employed as a Security Researcher at Paladion Networks.