"Terrible Thick Client" is a vulnerable desktop application developed in C# .NET framework. This is a standalone application that runs on localhost and does not require any database or server setup.

Download link - https://github.com/kartikdurg/Terrible-Thick-Client

The challenges associated with the thick client mainly pertain to the static analysis part. The vulnerabilities present in the app test your understanding of the following categories from the OWASP Top 10 - Desktop applications.

• DA2 - Authentication and Session Management
• DA3 - Sensitive Data Exposure
• DA4 - Improper Cryptography Usage
• DA8 - Poor Code Quality

Table of Contents:

1. Sensitive Data in Memory (Memory Analysis) - DA3
2. Lack of Code Obfuscation - DA8
3. Reverse Engineering (Identifying the Decryption logic) - DA8
4. Authentication Bypass via Code Tampering - DA2

• Adding a MessageBox
• Modifying the Attributes of a TextBox

1. Weak implementation of the licensing system - DA4

2. Sensitive data in Memory (Memory Analysis):

   Using the Process Hacker tool, an attacker can look for strings stored in memory to obtain the password that is used to authenticate into the application.

• Launch the terrible thick client exe file