DESKTOP APPLICATION PENETRATION TESTING
Desktop application penetration testing: check it does not grant too much
Desktop application testing for Windows, macOS and Linux, run by pentesters certified in OSCP and OSED. Privilege escalation, secret storage, the update mechanism and backend communication.
WHY IT MATTERS
A thick client has system access a browser does not
A desktop app installs on the user’s workstation and often runs with elevated privileges. A flaw in it can give an attacker control of the whole machine, not just one browser session.
Something we have seen: an app downloaded updates over an unencrypted connection and did not verify the file signature. An attacker on the same network could swap in their own file and get remote code execution on the workstation. The update feature became the way in.
WHAT WE CHECK
From the binary on disk to the server it talks to
We tailor scope to the app’s technology and the system it runs on.
OUR APPROACH
We analyze the binary and watch the app in action
We combine static analysis of binaries and configuration with dynamic observation of the app on a running system. We check not only what the app does, but what can be done to it with access to the workstation.
We work to PTES and NIST SP 800-115, so the result is repeatable and documented. We confirm every vulnerability with a working proof, not just a tool warning.
COMPLIANCE
A test required wherever the app handles sensitive data
Desktop applications in banking, industry and public administration fall under the same testing duties as the rest of the systems.
STANDARDS & CERTIFICATIONS
We work to recognized methodologies, not gut feeling
Every project is run by certified pentesters and based on public standards. That makes the result repeatable, auditable and comparable across vendors.
We share the full list of certifications and standards on request, together with a sample test scope.
HOW WE DO IT
A repeatable process based on PTES
EVIDENCE
Numbers behind every promise
Every test is run by certified pentesters, and we document the result with reproduction steps, evidence and a verified remediation path. Proof, not a promise.
KNOWLEDGE
Desktop application penetration testing in practice
Why thick-client apps are tested differently
A desktop application installs on the user machine and often connects directly to a database or backend services. An attacker holds the full binary and can analyze it without limits, which is impossible with a web app hidden behind a server.
So we assume the client is in the hands of an adversary. We check what the app stores locally, how it authenticates to the server and how much trust it unknowingly places in code running on the user machine.
What we analyze in a desktop application
We analyze binaries and libraries, data written to files, the registry and memory, and the communication with the server and database. We look for embedded credentials, weak cryptography and configuration that can be swapped in the attacker favor.
We also observe the app in action: we intercept traffic, modify requests and check whether critical logic really runs on the server side. Many desktop apps trust decisions made locally, a classic source of vulnerabilities.
The most common flaw: trusting the client
The most dangerous vulnerabilities come from authorization and validation done on the client. If the app decides what the user is allowed to do, modifying its behavior or a request is enough to bypass the restrictions.
We also check insecure inter-process communication, privilege escalation and how the app updates itself. An update mechanism without signature verification can turn an ordinary app into a delivery channel for malicious code.
What you get in the report and when to test
The report describes every vulnerability with evidence, a CVSS score and reproduction steps, along with a business summary and remediation priorities. We also point out which logic to move to the server to permanently close an entire class of flaws.
A desktop app is worth testing before deployment and after changes to authentication, database integration or the update mechanism. After the fixes we run a retest and confirm the flaws are closed.
FAQ
Common questions
Which systems do you test?
Do you need source code?
Do you also test the app server?
Is the retest included?
RELATED
Related reading
- What does a penetration test cost? What goes into the price and what to watch for
- Penetration testing vs. vulnerability assessment: a clear guide to the difference
- Penetration test scope: the one page that decides whether the test was worth it
- Penetration test scope
- Why CVSS scores often miss the real threat
CASE STUDIES
Case studies in this area
REFERENCES
“The project was delivered professionally and on time, with a strong grasp of both technology and business. We were impressed by their cybersecurity expertise and partnership approach.”
















