Thick-client applications (1/3) – Security Testing Handbook for Banking Applications

3: The Tools of the Trade
Thick-client applications
Interactive TCP Relay
Interactive TCP Relay (ITR) is a proxy editor for thick
clients. It can be used for testing an application which has a
configuration file at the client containing the destination
server IP and Port. The file may be .ini, .config or any
similar extension. The configuration may also be stored as a
registry entry. First ITR is setup to listen on a particular
port. The file or registry entry is then modified to point to
ITR. This will ensure that the data is captured in ITR when
the application is launched. Now we can modify the data
before forwarding the data to the server. This way we have
launched a parameter manipulation attack on the
Figure 22: Interactive TCP Relay
3: The Tools of the Trade
Echo Mirage
Echo Mirage can be run in two different modes – by
launching an application executable from Echo Mirage or
by injecting into process.
In the first mode, the path of application executable is
provided in Echo Mirage as shown in the screen shot
below. Echo Mirage launches the application; data is
captured and can be edited before forwarding to server.
Figure 23: Echo Mirage – execute
In the second mode, Echo Mirage injects into process by
hooking into the socket calls. Echo Mirage lists all the
running processes in the system. Select the thick client
process and inject Echo Mirage into it. This is very useful
for capturing data from Java applets. For capturing data
from a Java applet, inject Echo Mirage into the process
Figure 24: Echo Mirage – inject
3: The Tools of the Trade
Echo Mirage has some options like Configuration, Data
Rewrite Rules and Traffic logs. These help in configuring
settings, writing action scripts for real-time data
replacement and maintaining logs respectively. Echo
Mirage has a feature where we can write action scripts for
replacing the data without manually intercepting and
replacing it each time.
Thick clients applications at times can be very difficult to
test. One of the main reasons for this is that numerous
applications are legacy applications, and not all of them use
HTTP. This makes it tricky to intercept and modify traffic
at run time. In our tests, we’ve sometimes seen ITR hang up
and Echo Mirage refuse to hook into the application
function call. This means that the traffic cannot be
intercepted at the HTTP layer. So we have to go down a
layer lower and use WPE Pro, a TCP-level interceptor.
With WPE Pro you can capture and edit TCP traffic on the
fly, similar to what you do with the other proxies. You need
to however set filters for the characters you want to replace
by writing their hexadecimal equivalents. So if you want to
replace ‘abc’ with ‘def’, you’ll have to set a filter for ‘abc’
in hex and set to replace it with ‘def’, also in hex. The
screenshots below will give you a better picture.
3: The Tools of the Trade
Figure 25: WPE Pro (1)
Figure 26: WPE Pro (2)
3: The Tools of the Trade
Figure 27: WPE Pro (3)
Figure 28: WPE Pro (4)