Elementrica
03Case Studies04References05Company06News07Contact
PLENDE

DESKTOP APPLICATION PENETRATION TESTING

Desktop application penetration testing: check it does not grant too much

Desktop application testing for Windows, macOS and Linux, run by pentesters certified in OSCP and OSED. Privilege escalation, secret storage, the update mechanism and backend communication.

Windows, macOS and LinuxBinary and update-mechanism analysisPrivilege escalation and secret storageReport with evidence and retest after fixes

WHY IT MATTERS

A thick client has system access a browser does not

A desktop app installs on the user’s workstation and often runs with elevated privileges. A flaw in it can give an attacker control of the whole machine, not just one browser session.

Something we have seen: an app downloaded updates over an unencrypted connection and did not verify the file signature. An attacker on the same network could swap in their own file and get remote code execution on the workstation. The update feature became the way in.

WHAT WE CHECK

From the binary on disk to the server it talks to

01
Privilege escalation
Local elevation, weak ACLs, services and tasks running with excess rights.
02
Secret storage
Passwords, keys and tokens in config files, the registry and memory.
03
DLL and paths
DLL hijacking, unsafe library loading and vulnerable search paths.
04
Update mechanism
Encryption, signing and update verification, a frequent route to remote code execution.
05
Communication and IPC
Named pipes, local sockets and inter-process communication of the app.
06
Backend layer
The APIs and services the app connects to. The real risk often lives there.

We tailor scope to the app’s technology and the system it runs on.

OUR APPROACH

We analyze the binary and watch the app in action

We combine static analysis of binaries and configuration with dynamic observation of the app on a running system. We check not only what the app does, but what can be done to it with access to the workstation.

We work to PTES and NIST SP 800-115, so the result is repeatable and documented. We confirm every vulnerability with a working proof, not just a tool warning.

COMPLIANCE

A test required wherever the app handles sensitive data

Desktop applications in banking, industry and public administration fall under the same testing duties as the rest of the systems.

DORA / NIS2
Software testing as part of ICT risk management.
ISO 27001
Evidence that controls work (A.8) for apps processing data.
Cyber Resilience Act
Security requirements for products with digital elements placed on the EU market.

STANDARDS & CERTIFICATIONS

We work to recognized methodologies, not gut feeling

Every project is run by certified pentesters and based on public standards. That makes the result repeatable, auditable and comparable across vendors.

Team certifications
OSCPOSCPOffSec
OSEPOSEPOffSec
OSWEOSWEOffSec
OSEDOSEDOffSec
OSWAOSWAOffSec
OSWPOSWPOffSec
BSCPBSCPPortSwigger
CPTSCPTSHack The Box
CBBHCBBHHack The Box
CWEECWEEHack The Box
CRTOCRTOZero-Point Security
CREST CRTCREST CRTCREST
CREST CPSACREST CPSACREST
ISO 27001 LAISO 27001 LAISO/IEC
Azure Security EngineerAzure Security EngineerMicrosoft
Security Operations AnalystSecurity Operations AnalystMicrosoft
Security AdministratorSecurity AdministratorMicrosoft
OSCPOSCPOffSec
OSEPOSEPOffSec
OSWEOSWEOffSec
OSEDOSEDOffSec
OSWAOSWAOffSec
OSWPOSWPOffSec
BSCPBSCPPortSwigger
CPTSCPTSHack The Box
CBBHCBBHHack The Box
CWEECWEEHack The Box
CRTOCRTOZero-Point Security
CREST CRTCREST CRTCREST
CREST CPSACREST CPSACREST
ISO 27001 LAISO 27001 LAISO/IEC
Azure Security EngineerAzure Security EngineerMicrosoft
Security Operations AnalystSecurity Operations AnalystMicrosoft
Security AdministratorSecurity AdministratorMicrosoft
Methodologies
PTESNIST SP 800-115MITRE ATT&CK
Verification standards
OWASP ASVS 5.0.0
Areas
Binary analysisPrivilege escalationUpdate mechanism

We share the full list of certifications and standards on request, together with a sample test scope.

HOW WE DO IT

A repeatable process based on PTES

01
Scoping
We define the goal, scope and rules of engagement, so you know what we test and when before we start.
02
Intelligence gathering
We map the attack surface: assets, technologies and entry points.
03
Threat modeling
We define what a real attacker would go after and prioritize the most damaging scenarios.
04
Vulnerability analysis
We hunt for weak points by hand and verify each one to filter out false positives.
05
Exploitation
We confirm vulnerabilities with a working proof, not a theoretical alert list.
06
Post-exploitation
We check the real blast radius: privilege escalation, lateral movement and access to data.
07
Report and retest
You get a report with fix priorities, and after remediation we confirm the gaps are closed.

EVIDENCE

Numbers behind every promise

Every test is run by certified pentesters, and we document the result with reproduction steps, evidence and a verified remediation path. Proof, not a promise.

500+
security tests and audits completed
5.0
average score from 10 verified Clutch reviews
20+
offensive certifications across the team
01
Certified team
20+ offensive certifications across the team (OSCP, OSEP, OSWE, CREST). Tests are run by our people, not anonymous subcontractors.
02
Manual testing
We work by hand to PTES and OWASP, chaining seemingly small flaws into a real, proven attack path.
03
Evidence, not a promise
Every finding comes with reproduction steps and a working proof. A report that holds up in front of an auditor.
04
Retest included
After fixes are deployed we confirm in writing that the gaps are closed. We do not vanish once the PDF is sent.

KNOWLEDGE

Desktop application penetration testing in practice

Why thick-client apps are tested differently

A desktop application installs on the user machine and often connects directly to a database or backend services. An attacker holds the full binary and can analyze it without limits, which is impossible with a web app hidden behind a server.

So we assume the client is in the hands of an adversary. We check what the app stores locally, how it authenticates to the server and how much trust it unknowingly places in code running on the user machine.

What we analyze in a desktop application

We analyze binaries and libraries, data written to files, the registry and memory, and the communication with the server and database. We look for embedded credentials, weak cryptography and configuration that can be swapped in the attacker favor.

We also observe the app in action: we intercept traffic, modify requests and check whether critical logic really runs on the server side. Many desktop apps trust decisions made locally, a classic source of vulnerabilities.

The most common flaw: trusting the client

The most dangerous vulnerabilities come from authorization and validation done on the client. If the app decides what the user is allowed to do, modifying its behavior or a request is enough to bypass the restrictions.

We also check insecure inter-process communication, privilege escalation and how the app updates itself. An update mechanism without signature verification can turn an ordinary app into a delivery channel for malicious code.

What you get in the report and when to test

The report describes every vulnerability with evidence, a CVSS score and reproduction steps, along with a business summary and remediation priorities. We also point out which logic to move to the server to permanently close an entire class of flaws.

A desktop app is worth testing before deployment and after changes to authentication, database integration or the update mechanism. After the fixes we run a retest and confirm the flaws are closed.

FAQ

Common questions

Which systems do you test?

Windows, macOS and Linux. We set scope based on the systems the app is actually used on.

Do you need source code?

It is not required, we also work from the app itself. Access to the code lets us test wider, in gray-box mode.

Do you also test the app server?

Yes. If the app connects to a backend, we include it in scope, because that is a frequent source of real risk.

Is the retest included?

Yes. After fixes ship we re-test the listed flaws and confirm they are gone.

RELATED

Related reading

CASE STUDIES

Case studies in this area

REFERENCES

“The project was delivered professionally and on time, with a strong grasp of both technology and business. We were impressed by their cybersecurity expertise and partnership approach.”
M
Mateusz Widenka
Head of Delivery, Order Group
Clutch★★★★★5.0 · 10 reviewsRead all reviews on Clutch

FIRST STEP

Start with a free consultation

Tell us what you want tested. Within 24 hours you get a proposed scope and next steps. You talk to a consultant who understands the technical side, not a salesperson.

Get in touch
No obligation · we reply within 24 h · your data stays confidential
Methodology
PTES · OWASP
Team
20+ certifications
Rating
5.0 on Clutch
What you get
A scope proposal matched to your risk
A report with evidence and reproduction steps
Remediation priorities by real impact
A retest after fixes are deployed
Asia, ElementricaKacper, ElementricaGrzesiek, Elementrica
A member of our team runs the call, and we reply within 24 hours. No bots, no call center.