fatclient-audit.md 2.3 KB
title: Fat-Client Audit Checklist categories: [checklists]
tags: [fatclient, audit]
Fat-Client Audit Checklist
Cryptography: Authentication & Encryption
- Is the traffic encrypted?
- Insecure Crypto Algorithms?
- Replay attacks possible?
- Forward Secrecy?
- Key Control? (Is one party alone responsible for the final session key?)
- HTTPS: Certificate Pinning?
- Message Authentication (HMAC?)
- Authentication only on the client side?
- Change privileges by impersonating a different user
- Able to change the permissions client side?
- MitM Application (Burp, CANAPE, ...)
Implementation
- Language: C#, Java, C/C++?
- Native Implementation: Memory Corruptions
- Native Implementation: Unsafe functions (memcpy, strcpy)
- DEP, ASLR enabled?
- Hardcoded Credentials
- Obfuscated code?
- PDB Files with symbols?
- Sensitive Information in the binary? (Developer Paths, ..)
- Elevation of Privileges?
- Authent. Logic on the client or server?
- Debugging the application
- Error Messages with too much information
- Outdated libraries?
- Deserialization Vulnerabilities
Business Logic
- Proper separation of access rights
- Bypass client-side validations
Configuration
- Hardcoded Credentials
- Encrypted Configuration Files?
- Other sensitive Information?
- Change application settings (E.g. Developer Mode)
Useful Tools
- Dissassembler: IDA Pro, Cutter, Ghidra, dnSpy, ...
- Debugger: r2, x64, ...
- Proxy: Burp Suite, CANAPE, Postman (APIs)
- Sysinternals: Process Explorer, Process Monitor, strings, ...
- API Monitor
- Frida (+ Fermion GUI)
Further Tipps/Hints:
- Procmon for president:
- Check for network endpoints (disable DNS resolving)
- Check loaded configuration files
- Check if files are loaded from shares
- Check for missing DLLs for DLL Load Order Hijacking (if proc. is elvated)
- Introspect socket content with API Monitor and backtrace syscalls to the original DLL/Executable
- View all loaded DLLs with Process Explorer (Ctr+D)
- If openSSL is used: hook the SSL_write and SSL_read functions to read the plaintext traffic.
- DnSpy can export all loaded modules of a (.Net) application as VS project