search

OWASP TOP 10

hashtag
OWASP Desktop App Top 10 for Thick Clients

hashtag
A01: Insecure Storage

Description: Sensitive data (credentials, keys, tokens) stored unencrypted in files, registry, or memory.

Impact: Local attackers or malware can easily access sensitive info, leading to credential theft or data breaches.

Example:

  • Scenario: A desktop banking app stores API keys in C:\App\config.ini as:

    api_key=12345-abcde

  • Exploit: Use Windows strings.exe or a simple text editor to read config.ini. Extracted API key can be misused to access backend services.

Steps:

  1. Browse the app directory for .ini, .conf, or other config files.

  2. Open files with a text editor or strings.exe.

  3. Extract sensitive data (API keys, passwords).

Remediation:

  • Encrypt data using AES-256:

    using (Aes aes = Aes.Create())
{
    aes.Key = /* your key */;
    aes.IV = /* your IV */;
    // Encrypt data before storage
}

  • Store secrets securely in Windows Credential Manager or DPAPI.

  • Restrict file and registry permissions to authorized users only.

hashtag
A02: Injection

Description: Unsanitized user inputs lead to command, SQL, or other injections.

Impact: Remote code execution, data manipulation, privilege escalation.

Example:

  • Scenario: A desktop app queries an embedded SQLite database with user input:

  • Payload: Enter ' OR '1'='1' -- as username, bypassing login or dumping DB content.

  • Exploit: Use SQLite browser to execute:

Steps:

  1. Enter malicious input in the app’s input fields.

  2. Open the database with a tool like DB Browser for SQLite.

  3. Observe data leaks or unauthorized access.

Remediation:

  • Use parameterized queries:

  • Validate inputs against a whitelist.

hashtag
A03: Broken Authentication

Description: Weak authentication, hardcoded credentials, or client-side checks.

Impact: Unauthorized access, privilege escalation.

Example:

  • Scenario: A .NET desktop app has a hardcoded admin password:

  • Exploit: Decompile the app with DnSpy, locate the password string, and reuse it to gain admin rights.

Steps:

  1. Open target.exe in DnSpy.

  2. Search for the string "Admin123".

  3. Use the password to access admin features.

Remediation:

  • Implement server-side authentication.

  • Store credentials securely, e.g., Windows Credential Manager.

  • Enforce multi-factor authentication.

hashtag
A04: Insecure Communication

Description: Use of outdated or weak encryption protocols, no certificate pinning.

Impact: Man-in-the-middle (MITM) attacks, data interception.

Example:

  • Scenario: The desktop app connects to the backend over TLS 1.0.

  • Exploit: Use testssl.sh:

  • Observation: TLS 1.0 is enabled, susceptible to POODLE attack.

  • Intercept: Use Burp Suite to intercept and decrypt traffic if weak TLS is used.

Steps:

  1. Run testssl.sh to verify enabled protocols.

  2. Configure app to accept or trust self-signed certs (for testing).

  3. Intercept with Burp to view plaintext.

Remediation:

  • Enforce TLS 1.3:

  • Implement certificate pinning:

hashtag
A05: Broken Access Control

Description: Client-side enforcement, missing server-side checks.

Impact: Privilege escalation, unauthorized data access.

Example:

  • Scenario: The app checks user role locally:

  • Exploit: Use Frida or hxd to patch the app memory, forcing role to "admin".

Steps:

  1. Attach Frida:

  1. Modify the role variable in memory.

Remediation:

  • Enforce access controls on server-side.

  • Use least privilege principles.

hashtag
A06: Security Misconfiguration

Description: Debug modes enabled, default passwords, overly permissive permissions.

Impact: Unauthorized access, info disclosure.

Example:

  • Scenario: Debug logs enabled, writing passwords to logs:

  • Exploit: Read logs (app.log) to extract passwords.

Steps:

  1. Run target app.

  2. Open app.log in a text editor.

  3. Search for passwords or sensitive info.

Remediation:

  • Disable debug mode in production.

  • Secure configuration files with proper permissions.

  • Encrypt sensitive configs.

hashtag
A07: Vulnerable and Outdated Components

Description: Use of outdated libraries with known vulnerabilities.

Impact: RCE, privilege escalation.

Example:

  • Scenario: Java app uses Log4j 2.14 (CVE-2021-44228).

  • Exploit: Send a payload:

  • Steps:

  • Update dependencies to patched versions.

Remediation:

  • Regularly update libraries.

  • Use OWASP Dependency Check.

hashtag
A08: Insufficient Logging and Monitoring

Description: No logs for security-related events.

Impact: Delayed detection, undetected breaches.

Example:

  • Scenario: App logs credentials in plaintext.

  • Exploit: Read app.log with:

Steps:

  1. Generate logs by using the app.

  2. Search logs for sensitive info.

Remediation:

  • Avoid logging sensitive data.

  • Use secure logging frameworks.

  • Monitor logs with SIEM.

hashtag
A09: Insecure Deserialization

Description: Deserializing untrusted data leads to code execution.

Impact: RCE, data corruption.

Example:

  • Scenario: The app deserializes data with BinaryFormatter:

  • Exploit: Send malicious serialized payload to execute arbitrary code (like calc.exe).

Steps:

  1. Craft malicious payload with tools like ysoserial.

  2. Send payload via app input or over network.

Remediation:

  • Avoid deserializing untrusted data.

  • Use safe formats like JSON with strict validation.

hashtag
A10: Insufficient Cryptographic Protections

Description: Hardcoded cryptographic keys, weak algorithms.

Impact: Data exposure, compromised confidentiality.

Example:

  • Scenario: Hardcoded AES key:

  • Exploit: Decompile app, extract key, decrypt data.

Steps:

  1. Use DnSpy to decompile.

  2. Search for hardcoded keys or secrets.

  3. Decrypt stored data with the key.

Remediation:

  • Use Windows Data Protection API (DPAPI):

  • Rotate cryptographic keys regularly.

PreviousArchitecture TypesNextInformation Gathering

Last updated