Penetration testing of desktop applications

Why focus on the security of native applications

A desktop client is usually the last “mile” of enterprise security. It runs with user privileges (in some cases even administrator), works with sensitive certificates, communicates with the backend, and its compromise enables:

  • escalation of local privileges and obtaining access to domain login credentials,
  • lateral movement within the environment,
  • manipulation of business processes through the user interface,
  • use of a trusted signature when spreading malicious software in the supply chain.


Main objectives of the test

  • Detect vulnerabilities in binary code and configuration – buffer overflow, DLL hijacking, uncontrolled library loading, IPC errors.
  • Examine the update mechanism – package integrity, signature verification, downgrade attacks.
  • Assess the security level of the operating system and EDR – whether it can block injection techniques and post-exploitation tools.
  • Measure the impact on the organization’s resilience – the ability of the SOC to detect and handle an incident, speed of remediation.

Phases of desktop application penetration testing

  01 Information gathering – We identify basic information about the application: distribution method, used libraries, and update mechanism.
  02 Application analysis – We examine the internal functioning of the application and monitor its behavior after launch. The goal is to understand its structure and logic.
  03 Searching for weaknesses – We test various inputs and scenarios in order to identify flaws that could be exploited.
  04 Verification of vulnerabilities – We assess whether the identified flaws can realistically be exploited, for example to bypass security restrictions or gain higher privileges.
  05 Maintaining access and additional tests – We verify whether it is possible to remain in the system even after a restart and what additional steps an attacker could take (e.g. obtaining access to other users' accounts).
  06 Simulation of movement within the network – We simulate the attacker’s lateral movement in the internal network after obtaining initial access.
  07 Final report and recommendations – The output is a detailed report with both a technical and managerial summary, an assessment of the severity of findings, and a proposal of remediation measures. After their implementation, we repeat the test.


Typical vulnerabilities of desktop clients

  • Unsecured updates – the application downloads updates without encryption or verification of origin. An attacker can therefore deploy a modified installation package with malicious content.
  • Unprotected library loading – the program loads important files from an incorrect or unsafe location, which may allow execution of malicious code.
  • Unsafe installation – the application incorrectly processes configuration files, which may lead to execution of code inserted by an attacker.
  • Weak isolation of application components – in applications built on web technologies (e.g. Electron), individual components are not properly separated, which an attacker can exploit to penetrate the system.
  • Credentials in the code – important login credentials or keys are hardcoded in the application and an attacker can easily find and misuse them.
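The first item above, together with the update-mechanism objective (package integrity, signature verification, downgrade attacks), is what a tester checks most often in practice. The following Go program is an added example written for this page, not BDO's tooling or any real product's updater; it assumes a constructed manifest format (version, URL, SHA-256 of the package, Ed25519 signature over those three fields) and a throwaway key pair standing in for a vendor's release key. It shows the four checks a client-side updater must pass before installing anything: TLS transport, a manifest signature that verifies against a pinned key, a package hash that matches the signed manifest, and a version strictly newer than the installed one so that a replayed old-but-genuine manifest is refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is the metadata the client fetches before downloading a package.
// The layout is an assumption made for this example, not a real product's format.
type Manifest struct {
	Version string // dotted numeric version, e.g. "2.4.1"
	URL     string // where the package is fetched from
	SHA256  string // hex SHA-256 of the package bytes
	Sig     []byte // Ed25519 signature over canonical(m)
}

// canonical fixes the exact bytes that are signed, so the signature binds version, URL and hash together.
func canonical(m Manifest) []byte {
	return []byte(m.Version + "|" + m.URL + "|" + m.SHA256)
}

// BuildSignedManifest plays the vendor's release pipeline: hash the package and sign the metadata.
func BuildSignedManifest(priv ed25519.PrivateKey, version, url string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])}
	m.Sig = ed25519.Sign(priv, canonical(m))
	return m
}

// parseVersion turns "2.4.1" into [2 4 1]; non-numeric components are rejected rather than guessed.
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(v, ".")
	out := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad version component %q in %q", p, v)
		}
		out = append(out, n)
	}
	return out, nil
}

// CompareVersions returns -1, 0 or 1 as a is older than, equal to or newer than b ("2.4" equals "2.4.0").
func CompareVersions(a, b string) (int, error) {
	va, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for len(va) < len(vb) {
		va = append(va, 0)
	}
	for len(vb) < len(va) {
		vb = append(vb, 0)
	}
	for i := range va {
		if va[i] != vb[i] {
			if va[i] < vb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	return 0, nil
}

// VerifyUpdate is the client-side gate: every check must pass or the update is refused.
func VerifyUpdate(pub ed25519.PublicKey, installed string, m Manifest, pkg []byte) error {
	if !strings.HasPrefix(strings.ToLower(m.URL), "https://") {
		return errors.New("update URL is not https")
	}
	if !ed25519.Verify(pub, canonical(m), m.Sig) {
		return errors.New("manifest signature does not verify against the pinned key")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package hash does not match the signed manifest")
	}
	c, err := CompareVersions(m.Version, installed)
	if err != nil {
		return err
	}
	if c <= 0 {
		return fmt.Errorf("refusing downgrade/replay: manifest %s is not newer than installed %s", m.Version, installed)
	}
	return nil
}

func main() {
	// Constructed demo: a throwaway key pair stands in for the vendor's release key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed installer bytes")
	good := BuildSignedManifest(priv, "2.4.1", "https://updates.example.invalid/app-2.4.1.msi", pkg)
	fmt.Println("genuine update:", VerifyUpdate(pub, "2.4.0", good, pkg))
	// Re-serving an older, validly signed manifest is the downgrade attack named above.
	old := BuildSignedManifest(priv, "2.3.9", "https://updates.example.invalid/app-2.3.9.msi", pkg)
	fmt.Println("downgrade:", VerifyUpdate(pub, "2.4.0", old, pkg))
	// A modified package no longer matches the hash carried inside the signed manifest.
	fmt.Println("tampered package:", VerifyUpdate(pub, "2.4.0", good, append([]byte("x"), pkg...)))
}
```

The point of signing the canonical string rather than only the package is that the version and download location are covered too; an attacker who can serve files but does not hold the release key cannot change where the client fetches from or which version it believes it is installing. Hardcoding the verification key in the client is acceptable here because it is a public key; the private key never leaves the release pipeline.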


Regulation and context with DORA

  • According to Article 25 of DORA, penetration testing of desktop applications falls under mandatory basic testing of systems supporting critical or important business functions.
  • Frequency: at least 1× per year for regulated entities or before each deployment of a new major version.
  • The output must include documented vulnerabilities, a remediation plan, and verification of their removal; results from critical applications may be subject to supervisory review.


Requirements for the testing team

  • Expertise in reverse engineering – Windows internals, PE structure, memory errors.
  • Certifications – e.g. OSCP, CEH, CRTP or eCPPTv2 confirming practice in exploiting client applications.
  • Independence – the internal team must be organizationally separated from development; the external team must meet liability insurance and confidentiality criteria.

Benefits for the organization

Reduction of supply chain attack risk

Proactive verification of update mechanisms minimizes the risk of compromise before the vulnerability reaches production.

Stronger endpoint protection

Optimization of EDR configuration increases the ability to detect real attacker techniques, tactics, and procedures (TTPs), not only generic threats.

Higher level of secure coding

The development team gains concrete PoC examples of vulnerabilities and practical remediation patterns that improve code quality in future iterations.

Regulatory certainty and credibility

For banks and insurance companies, this represents clear evidence of applying the “security by design” principle toward supervisory authorities and strengthens the trust of partners and clients.


Why collaborate with BDO?

BDO provides services in accordance with the specific requirements of European regulators (e.g. ECB, EBA, ESMA) and standards such as DORA, NIS2, and ISO/IEC 27001. Our methodology combines static and dynamic application testing, knowledge of regulations, and deep technical know-how – including an approach that reflects specific application risks and sector threats in the European financial environment.



  • Knowledge of the regulatory framework
    We understand the requirements of DORA, NIS 2 and can adapt tests so that the outputs can be used during supervision and audit. We help set up the testing strategy and ensure its alignment with other types of testing (TLPT, penetration tests).
  • Independence and credibility
    As an independent consulting firm we provide objective and trustworthy results. Our work is a signal of quality for regulators and the client’s internal management.


Technical expertise and experience
Our team has deep experience in reverse engineering, binary code analysis and testing client applications in the Windows environment. We use top tools such as IDA, Ghidra, Burp Suite, WinDbg or fuzzers (e.g. AFL++, libFuzzer). Our specialists hold certifications such as OSCP, CRTP, eCPPT, BSCP, CEH, CRT, CPSA, CISSP, CCISO and others. The team has experience testing applications for large banks, insurance companies, ICT providers and e-government service providers.


Main contacts

Martin Hořický – Manager • CISO
Marek Kovalčík – Partner