--- title: Fat-Client Audit Checklist date: 2021-01-13 categories: [checklists] tags: [fatclient, audit] --- # Fat-Client Audit Checklist ## Cryptography: Authentication & Encryption * [ ] Is the traffic encrypted? * [ ] Insecure Crypto Algorithms? * [ ] Replay attacks possible? * [ ] Forward Secrecy? * [ ] Key Control? (Is one party alone responsible for the final session key?) * [ ] HTTPS: Certificate Pinning? * [ ] Message Authentication (HMAC?) * [ ] Authentication only on the client side? * [ ] Change privileges by impersonating a different user * [ ] Able to change the permissions client side? * [ ] MitM Application (Burp, CANAPE, ...) ## Implementation * [ ] Language: C#, Java, C/C++? * [ ] Native Implementation: Memory Corruptions * [ ] Native Implementation: Unsafe functions (memcpy, strcpy) * [ ] DEP, ASLR enabled? * [ ] Hardcoded Credentials * [ ] Obfuscated code? * [ ] PDB Files with symbols? * [ ] Sensitive Information in the binary? (Developer Paths, ..) * [ ] Elevation of Privileges? * [ ] Authent. Logic on the client or server? * [ ] Debugging the application * [ ] Error Messages with too much information * [ ] Outdated libraries? * [ ] Deserialization Vulnerabilities ## Business Logic * [ ] Proper separation of access rights * [ ] Bypass client-side validations ## Configuration * [ ] Hardcoded Credentials * [ ] Encrypted Configuration Files? * [ ] Other sensitive Information? * [ ] Change application settings (E.g. Developer Mode) ## Useful Tools * Dissassembler: IDA Pro, Cutter, Ghidra, dnSpy, ... * Debugger: r2, x64, ... * Proxy: Burp Suite, CANAPE, Postman (APIs) * Sysinternals: Process Explorer, Process Monitor, strings, ... * API Monitor * Frida (+ Fermion GUI) ## Further Tipps/Hints: * Procmon for president: * Check for network endpoints (disable DNS resolving) * Check loaded configuration files * Check if files are loaded from shares * Check for missing DLLs for DLL Load Order Hijacking (if proc. is elvated) * Introspect socket content with API Monitor and backtrace syscalls to the original DLL/Executable * View all loaded DLLs with Process Explorer (Ctr+D) * If openSSL is used: hook the SSL_write and SSL_read functions to read the plaintext traffic. * DnSpy can export all loaded modules of a (.Net) application as VS project