

title: Fat-Client Audit Checklist
date: 2021-01-13
categories: [checklists]
tags: [fatclient, audit]

Fat-Client Audit Checklist

Cryptography: Authentication & Encryption

  • Is the traffic encrypted?
  • Insecure Crypto Algorithms?
  • Replay attacks possible?
  • Forward Secrecy?
  • Key Control? (Is one party alone responsible for the final session key?)
  • HTTPS: Certificate Pinning?
  • Message Authentication (HMAC?)
  • Authentication only on the client side?
  • Change privileges by impersonating a different user
  • Able to change the permissions client side?
  • MitM Application (Burp, CANAPE, ...)

Implementation

  • Language: C#, Java, C/C++?
  • Native Implementation: Memory Corruptions
  • Native Implementation: Unsafe functions (memcpy, strcpy)
  • DEP, ASLR enabled?
  • Hardcoded Credentials
  • Obfuscated code?
  • PDB Files with symbols?
  • Sensitive Information in the binary? (Developer Paths, ..)
  • Elevation of Privileges?
  • Authentication logic on the client or server?
  • Debugging the application
  • Error Messages with too much information
  • Outdated libraries?
  • Deserialization Vulnerabilities
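
For the "DEP, ASLR enabled?" item: both mitigations are opt-in bits in the PE optional header and can be read statically, without running the binary. The Python below is an added example, not part of the original checklist; `pe_mitigations` and `build_sample` are hypothetical helper names, and the two sample headers are constructed.

```python
import struct

# DllCharacteristics bits (PE/COFF specification)
HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF = 0x0020, 0x0040, 0x0100, 0x4000
RELOCS_STRIPPED = 0x0001  # COFF Characteristics bit


def pe_mitigations(data: bytes) -> dict:
    """Return the exploit-mitigation opt-ins recorded in a PE header."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    coff, opt = pe_off + 4, pe_off + 24               # COFF header is 20 bytes
    if data[pe_off:coff] != b"PE\0\0" or len(data) < opt + 72:
        raise ValueError("not a PE file: bad signature or truncated header")
    opt_size, file_chars = struct.unpack_from("<HH", data, coff + 16)
    (magic,) = struct.unpack_from("<H", data, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "pe32_plus": magic == 0x20B,
        "dep": bool(dll_chars & NX_COMPAT),
        # the loader cannot rebase an image whose relocations were stripped
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not stripped,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "cfg": bool(dll_chars & GUARD_CF),
        "relocs_stripped": stripped,
    }


def build_sample(magic: int, file_chars: int, dll_chars: int) -> bytes:
    """Constructed header-only PE image (no sections), for demonstration."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    opt_size = 0xF0 if magic == 0x20B else 0xE0
    machine = 0x8664 if magic == 0x20B else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("hardened:", pe_mitigations(build_sample(0x20B, 0x0022, 0x4160)))
    print("legacy:  ", pe_mitigations(build_sample(0x10B, 0x0103, 0x0040)))
```

To audit a real client, pass the file's bytes to `pe_mitigations` and repeat for every DLL it ships, since each module opts in separately.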

Business Logic

  • Proper separation of access rights
  • Bypass client-side validations

Configuration

  • Hardcoded Credentials
  • Encrypted Configuration Files?
  • Other sensitive Information?
  • Change application settings (E.g. Developer Mode)

Useful Tools

  • Disassembler: IDA Pro, Cutter, Ghidra, dnSpy, ...
  • Debugger: r2, x64, ...
  • Proxy: Burp Suite, CANAPE, Postman (APIs)
  • Sysinternals: Process Explorer, Process Monitor, strings, ...
  • API Monitor
  • Frida (+ Fermion GUI)

Further Tips/Hints:

  • Procmon for president:
    • Check for network endpoints (disable DNS resolving)
    • Check loaded configuration files
    • Check if files are loaded from shares
    • Check for missing DLLs for DLL Load Order Hijacking (if the process is elevated)
  • Introspect socket content with API Monitor and backtrace syscalls to the original DLL/Executable
  • View all loaded DLLs with Process Explorer (Ctrl+D)
  • If OpenSSL is used: hook the SSL_write and SSL_read functions to read the plaintext traffic.
  • dnSpy can export all loaded modules of a (.NET) application as a VS project