[Owasp-delhi] Thick client security testing

chintan dave davechintan at gmail.com
Tue Aug 17 08:11:38 EDT 2010


Hi Gunwant, it would be great if you could share some tools that you
use for MITM of thick clients (maybe some proxies) using TCP as the
communication protocol. I am more interested in understanding how to
intercept thick client communications wherein the client does not
provide an option to set the proxy server.

ITR is one of the tools; however, it is useful in cases where the client
allows a proxy to be configured.

Please note that I am talking of TCP and not HTTP.

To my knowledge, the only way to do so is to reverse engineer; I am not
sure how correct I actually am.
Any additional pointers would be much appreciated.

On Tue, Aug 17, 2010 at 5:12 PM, Gunwant Singh <gunwant.s at gmail.com> wrote:
> The malicious user can capture the traffic b/w the thick client and the
> server. He can then replay it with the modified values. If the server is
> vulnerable enough, MITM attacks are still possible (although a little
> difficult) in case of thick clients.
>
> On Tue, Aug 17, 2010 at 3:15 PM, <nileshkumar83 at gmail.com> wrote:
>>
>> Java clients rarely use HTTP for communication, so MiTM is not
>> possible.
>> The other way is to decompile them, perform code review, alter the code,
>> recompile an evil client and send custom attacks. You can use Java
>> decompilers such as jad.
>>
>> On Tue, Aug 17, 2010 at 10:11 AM, <padmasriramiyer at hsbc.co.in> wrote:
>>>
>>> Hi guys,
>>>
>>> Can anyone please guide me on how to proceed with security testing of a
>>> Java application, i.e. a thick client?
>>>
>>>
>>> Best regards,
>>> Padma Sriram Iyer
>>> Senior Security Analyst
>>> GLT Information Security Risk
>>> HSBC Technology and Services - Global Technology
>>> _______________________________________________
>>> Owasp-delhi mailing list
>>> Owasp-delhi at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Nilesh Kumar,
>> Engineer-Security Analyst
>> http://nileshkumar83.blogspot.com
>> http://linkedin.com/in/nileshkumar83
>> Mobile- +91-9019076487
>>                                     Honeywell
>> Honeywell Technology Solutions Lab
>>
>
>
>
> --
> Gunwant Singh
>



-- 
Regards,
Chintan Dave,

LinkedIn: http://in.linkedin.com/in/chintandave
Blog:http://www.chintandave.com
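
Added example (not part of the thread and not any poster's code): a server-side check for the case Gunwant describes, where captured thick-client TCP traffic is replayed with modified values. The frame layout, the key and the names `seal` and `Verifier` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

KEY = b"constructed-demo-key"  # assumption: per-session key agreed after login
MAX_SKEW = 30                  # seconds a frame stays acceptable
HDR, TAG = 8 + 16, 32          # timestamp + nonce, HMAC-SHA256 tag

def seal(key, payload, now=None, nonce=None):
    """Client side: timestamp(8) | nonce(16) | payload | HMAC-SHA256(32)."""
    ts = struct.pack(">Q", int(time.time() if now is None else now))
    body = ts + (os.urandom(16) if nonce is None else nonce) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Verifier:
    """Server side: rejects modified, stale and replayed frames."""
    def __init__(self, key, max_skew=MAX_SKEW):
        self.key, self.max_skew = key, max_skew
        self.seen = {}  # nonce -> frame timestamp, kept while the frame is fresh

    def accept(self, frame, now=None):
        now = int(time.time() if now is None else now)
        if len(frame) < HDR + TAG:
            return (False, "short")
        body, tag = frame[:-TAG], frame[-TAG:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return (False, "modified")   # any changed byte breaks the tag
        ts, nonce = struct.unpack(">Q", body[:8])[0], body[8:HDR]
        if abs(now - ts) > self.max_skew:
            return (False, "stale")      # old capture sent again later
        # Forget nonces whose frames would now be rejected as stale anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            return (False, "replayed")   # same frame sent twice in the window
        self.seen[nonce] = ts
        return (True, body[HDR:])

if __name__ == "__main__":
    server = Verifier(KEY)
    frame = seal(KEY, b"TRANSFER amount=100")  # constructed sample message
    print(server.accept(frame))                                  # accepted
    print(server.accept(frame))                                  # replay rejected
    print(Verifier(KEY).accept(frame.replace(b"100", b"900")))   # tamper rejected
```

A key compiled into the client can be recovered by decompiling it, which is why the example assumes a per-session key. The server must still validate every field value it receives, since an authenticated user controls their own client.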

