---
title: Fat-Client Audit Checklist
categories: [checklists]
tags: [fatclient, audit]
---

# Fat-Client Audit Checklist


## Cryptography: Authentication & Encryption

* [ ] Is the traffic encrypted? (TLS, or a custom scheme?)
* [ ] Insecure crypto algorithms or modes?
* [ ] Replay attacks possible? (Are nonces, sequence numbers or timestamps bound to the MAC?)
* [ ] Forward secrecy?
* [ ] Key control? (Is one party alone responsible for the final session key?)
* [ ] HTTPS: certificate validation and pinning?
* [ ] Message authentication (HMAC or AEAD), or encryption without integrity?
* [ ] Authentication only on the client side?
* [ ] Can privileges be changed by impersonating a different user (e.g. swapping the user ID in a request)?
* [ ] Can permissions be changed client side?
* [ ] Can the traffic be intercepted and modified? (Burp, CANAPE, ...)
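To make the replay and message-authentication items concrete, here is an added example (not code from the page) of the server-side check a fat-client protocol should have, so the auditor knows what the absence of it looks like: every frame carries a sequence number covered by an HMAC, the MAC is compared in constant time, and a frame whose sequence number does not advance is rejected. The session key, frame layout and the message bodies are constructed for the example; in a real client the key would come from the handshake (the "key control" item above), and a nonce or timestamp can replace the counter.

```python
import hmac
import hashlib
import json
import struct

# Constructed shared key for the example only; a real client derives it from the session handshake.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

MAC_LEN = 32  # HMAC-SHA256


def build_message(key: bytes, seq: int, body: dict) -> bytes:
    """Client side. Frame = 4-byte big-endian sequence number || JSON body || HMAC-SHA256.
    The MAC covers both the counter and the body, so neither can be altered independently."""
    payload = struct.pack(">I", seq) + json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + mac


class Verifier:
    """Server side. Verifies the MAC first (constant-time compare), then enforces a strictly
    increasing sequence number per session; the second check is what defeats a replayed frame."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes):
        if len(frame) < 4 + MAC_LEN:
            return False, "truncated"
        payload, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"        # tampered body or counter, or wrong key
        seq = struct.unpack(">I", payload[:4])[0]
        if seq <= self.last_seq:
            return False, "replay"         # same or older frame resent
        self.last_seq = seq
        return True, json.loads(payload[4:])


def demo():
    """Fresh frame accepted, the identical frame replayed is rejected, and a frame whose body
    was edited on the wire (the 'change permissions client side' test) fails the MAC."""
    v = Verifier(SESSION_KEY)
    frame = build_message(SESSION_KEY, 1, {"user": "alice", "action": "view"})
    fresh_ok, _ = v.accept(frame)
    replay_ok, _ = v.accept(frame)
    tampered = frame.replace(b'"view"', b'"drop"')   # same length, MAC no longer matches
    tamper_ok, _ = v.accept(tampered)
    return fresh_ok, replay_ok, tamper_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

When auditing, the test is the mirror image: capture one legitimate frame with the proxy, resend it unchanged, then resend it with the user or action field edited. A server that accepts either has no replay protection or no integrity check, regardless of whether the transport is encrypted.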


## Implementation

* [ ] Language: C#, Java, C/C++? (Managed code decompiles cleanly; native code needs a disassembler.)
* [ ] Native implementation: memory corruption bugs?
* [ ] Native implementation: unsafe functions (strcpy, sprintf, memcpy with unchecked lengths)?
* [ ] DEP, ASLR enabled? (PE DllCharacteristics; for ASLR the relocations must not be stripped.)
* [ ] Hardcoded credentials?
* [ ] Obfuscated code?
* [ ] PDB files shipped, or symbols left in the binary?
* [ ] Sensitive information in the binary? (developer paths, internal hostnames, ...)
* [ ] Elevation of privileges? (Does the client run elevated or talk to a privileged component?)
* [ ] Authentication logic on the client or on the server?
* [ ] Can the application be debugged, or is there anti-debugging?
* [ ] Error messages with too much information?
* [ ] Outdated third-party libraries?
* [ ] Deserialization vulnerabilities? (e.g. BinaryFormatter in .NET, ObjectInputStream in Java)
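The "DEP, ASLR enabled?" item is answered from the PE headers. The following is an added example (not code from the page) in pure Python: it reads the optional header's DllCharacteristics and the COFF Characteristics of a PE file and reports which mitigations the image opts into. The sample PE header is constructed inline for offline testing; the flag values are the IMAGE_DLLCHARACTERISTICS_* and IMAGE_FILE_RELOCS_STRIPPED constants from winnt.h. Note the caveat it encodes: DYNAMIC_BASE on an image whose relocations were stripped gives no ASLR in practice, because the loader cannot rebase it.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header (winnt.h)
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
GUARD_CF = 0x4000
# IMAGE_FILE_RELOCS_STRIPPED bit in the COFF file header Characteristics
RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Parse the headers of a PE image and return which opt-in mitigations are set."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 72:
        raise ValueError("optional header too short")
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # DllCharacteristics is at offset 70 in both the PE32 and the PE32+ optional header layout
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    return {
        "pe32plus": pe32plus,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr_flag": dynamic_base,
        "aslr_effective": dynamic_base and not relocs_stripped,   # no .reloc => cannot be rebased
        "high_entropy_va": pe32plus and bool(dll_chars & HIGH_ENTROPY_VA),
        "cfg": bool(dll_chars & GUARD_CF),
        "relocs_stripped": relocs_stripped,
    }


def findings(data: bytes) -> list:
    """Human-readable audit findings; an empty list means every checked mitigation is present."""
    m = pe_mitigations(data)
    out = []
    if not m["dep"]:
        out.append("DEP/NX not opted in (NX_COMPAT clear)")
    if not m["aslr_flag"]:
        out.append("ASLR not opted in (DYNAMIC_BASE clear)")
    elif m["relocs_stripped"]:
        out.append("DYNAMIC_BASE set but relocations stripped: image cannot be rebased")
    if m["pe32plus"] and not m["high_entropy_va"]:
        out.append("64-bit image without HIGH_ENTROPY_VA")
    if not m["cfg"]:
        out.append("Control Flow Guard not enabled")
    return out


def build_sample_pe(dll_chars: int, file_chars: int = 0x0002, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (no sections) so the checks above can run offline."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # optional header magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0)
    for line in findings(data) or ["all checked mitigations present"]:
        print(line)
```

Run it against the client's main executable and every DLL it ships; a single non-ASLR module loaded into the process is enough to give an exploit a fixed address space. `dumpbin /headers` shows the same fields under "DLL characteristics" if you prefer the vendor tool.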


## Business Logic

* [ ] Proper separation of access rights between roles?
* [ ] Can client-side validations be bypassed? (Does the server re-validate?)


## Configuration

* [ ] Hardcoded credentials?
* [ ] Are configuration files encrypted, and where does the key live?
* [ ] Other sensitive information in the configuration?
* [ ] Can application settings be changed to unlock hidden behaviour? (e.g. developer mode)


## Useful Tools

* Disassembler/decompiler: IDA Pro, Cutter, Ghidra, dnSpy (.NET), ...
* Debugger: r2, x64dbg, ...
* Proxy: Burp Suite, CANAPE (non-HTTP protocols), Postman (APIs)
* Sysinternals: Process Explorer, Process Monitor, strings, ...
* API Monitor
* Frida (+ Fermion GUI)
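Frida is the quickest way to act on the OpenSSL tip in the next section (hook SSL_write and SSL_read to see plaintext). The following is an added example, not code from the page: a small Python driver using Frida's Python bindings with an embedded JavaScript agent. It assumes the client loads a libssl that exports SSL_read and SSL_write by name (a statically linked or renamed build needs a pattern scan instead), and the agent is written against the Frida 16 API, where `Module.findExportByName(null, name)` searches every loaded module; newer Frida releases rename that to `Module.findGlobalExportByName`. Only `format_record` runs without Frida installed, which is why the `frida` import sits inside `main`.

```python
import sys

# Frida agent (JavaScript) injected into the target process.
AGENT_JS = r"""
// Frida 16 API; on newer Frida use Module.findGlobalExportByName(name) instead.
function resolve(name) {
  const p = Module.findExportByName(null, name);
  if (p === null) throw new Error(name + " not exported by any loaded module");
  return p;
}

// int SSL_write(SSL *ssl, const void *buf, int num): the plaintext is complete on entry.
Interceptor.attach(resolve("SSL_write"), {
  onEnter(args) {
    const n = args[2].toInt32();
    if (n > 0) send({ dir: "write", len: n }, args[1].readByteArray(n));
  }
});

// int SSL_read(SSL *ssl, void *buf, int num): the plaintext is only valid after return, and the
// return value (not num) is the number of decrypted bytes, so the buffer is read in onLeave.
Interceptor.attach(resolve("SSL_read"), {
  onEnter(args) { this.buf = args[1]; },
  onLeave(retval) {
    const n = retval.toInt32();
    if (n > 0) send({ dir: "read", len: n }, this.buf.readByteArray(n));
  }
});
"""


def format_record(payload: dict, data: bytes) -> str:
    """Render one intercepted buffer as direction, length and a printable preview."""
    preview = data.decode("utf-8", errors="replace").replace("\r", "\\r").replace("\n", "\\n")
    return "%-5s %5d bytes  %s" % (payload["dir"], payload["len"], preview[:120])


def main(target):
    import frida  # imported here so format_record is usable without Frida installed

    session = frida.attach(target)          # PID or process name; frida.spawn(...) catches early traffic
    script = session.create_script(AGENT_JS)

    def on_message(message, data):
        if message["type"] == "send":
            print(format_record(message["payload"], data or b""))
        else:
            print("agent error:", message)  # e.g. SSL_read not found

    script.on("message", on_message)
    script.load()
    sys.stdin.read()                        # keep the session alive until EOF


if __name__ == "__main__":
    arg = sys.argv[1]
    main(int(arg) if arg.isdigit() else arg)
```

Usage: `python ssl_hook.py FatClient.exe` (or a PID). Because the hook sits below the client's own framing, what you see is exactly the application protocol, which is often easier to read here than after reassembling it in a proxy. The same pattern applies to SChannel (`EncryptMessage`/`DecryptMessage`) or to the client's own send/receive wrappers once you have found them with API Monitor.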


## Further Tips/Hints

* Procmon for president:
    * Check for network endpoints (disable network address resolving to see the raw IPs)
    * Check which configuration files are loaded
    * Check whether files are loaded from network shares
    * Check for missing DLLs (CreateFile with result NAME NOT FOUND) for DLL load order hijacking, most interesting if the process runs elevated
* Introspect socket contents with API Monitor and walk the call stack back to the originating DLL/executable
* View all loaded DLLs with Process Explorer (Ctrl+D opens the DLL view)
* If OpenSSL is used: hook SSL_write and SSL_read to read the plaintext traffic
* dnSpy can export all loaded modules of a .NET application as a Visual Studio project
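The missing-DLL check in the Procmon tips produces a lot of rows, since the loader probes several directories per DLL. The following is an added example (not code from the page) that triages a Procmon CSV export: it groups NAME NOT FOUND probes by DLL name in search order and separates DLLs that were never found anywhere (any writable probed directory is a hijack) from DLLs found later (only an earlier, writable directory matters). The CSV uses Procmon's export column layout; the process name, paths and DLL names in it are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in Procmon's CSV export layout (File > Save..., CSV), pre-filtered in
# Procmon to Operation = CreateFile. FatClient.exe, fcupdater.dll and the paths are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","FatClient.exe","4120","CreateFile","C:\Program Files\FatClient\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1234890 AM","FatClient.exe","4120","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.1300001 AM","FatClient.exe","4120","CreateFile","C:\Program Files\FatClient\fcupdater.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1300100 AM","FatClient.exe","4120","CreateFile","C:\Windows\System32\fcupdater.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1300200 AM","FatClient.exe","4120","CreateFile","C:\Users\bob\AppData\Local\Temp\fcupdater.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1400000 AM","FatClient.exe","4120","CreateFile","C:\Program Files\FatClient\config.xml","SUCCESS","Desired Access: Generic Read"
'''


def missing_dlls(csv_text: str) -> dict:
    """For each DLL with at least one NAME NOT FOUND probe: the directories it was probed in
    (search order preserved) before the first SUCCESS, and the directory it was finally found in."""
    probes = defaultdict(lambda: {"missed_in": [], "found_in": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if row["Operation"] != "CreateFile" or not path.lower().endswith(".dll"):
            continue
        directory, _, name = path.rpartition("\\")
        entry = probes[name.lower()]
        if entry["found_in"] is not None:
            continue                                  # already resolved; later probes are noise
        if row["Result"] == "NAME NOT FOUND":
            entry["missed_in"].append(directory)
        elif row["Result"] == "SUCCESS":
            entry["found_in"] = directory
    return {name: e for name, e in probes.items() if e["missed_in"]}


def triage(csv_text: str) -> list:
    """Rank candidates: DLLs never found come first (plant a file in any probed directory you can
    write to); DLLs found later only matter if a directory probed before the hit is writable."""
    out = []
    for name, e in missing_dlls(csv_text).items():
        if e["found_in"] is None:
            out.append((name, "never found; candidate dirs: " + ", ".join(e["missed_in"])))
        else:
            out.append((name, "found in %s after missing in: %s"
                        % (e["found_in"], ", ".join(e["missed_in"]))))
    return sorted(out, key=lambda t: (t[1].startswith("found"), t[0]))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for name, verdict in triage(text):
        print("%-20s %s" % (name, verdict))
```

For each candidate directory, confirm write access as the low-privileged user (`icacls <dir>`) before calling it a finding; a DLL missing only from directories writable by administrators is not a privilege boundary, even if the process runs elevated.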