A thick client (also called a fat client or heavyweight application) is the client in a client-server architecture. It runs independently of the server, and most of the processing is done by the client application itself. A thick client application has to be installed on the client machine, and it connects to the server only periodically.

A thin client application, by contrast, is a web-based application: to interact with it we have to contact the server directly, and all processing is handled by the server. We communicate with such an application through a web browser.

There are two types of thick client applications:

  • Two-tier thick client application
  • Three-tier thick client application

In a two-tier thick client application, the client machine interacts directly with the database on the server.

In a three-tier thick client application, the client machine interacts with the application server, which in turn interacts with the database server.

There is also another type of thick client application: one that first interacts with a local database and then interacts with the server.

Examples of two-tier applications are VB.NET applications.
Examples for Three-tier applications are and

From a security perspective, XSS and clickjacking are not possible in thick client applications because these are browser-based vulnerabilities. Reverse engineering, however, is possible against a thick client application.

There are many tools for intercepting the traffic of thick client applications. One of the most popular is Echo Mirage.

Echo Mirage is a very powerful tool compared with other proxy tools because it intercepts traffic using DLL injection and function hooking techniques. The major difference is that it intercepts traffic inside the application's own process, whereas Burp Suite intercepts traffic only once it has left the application.

I would like to show the Echo Mirage tool. Here, I took Yahoo Messenger as the thick client application.

I am intercepting the Yahoo Messenger traffic. There are two ways to intercept traffic with Echo Mirage.

  • By selecting the .exe of the application
  • By selecting the running process through the inject option

The first way is selecting the .exe file of the application.

The second way is injecting into the running process.

Then click OK. It will show the passwords in plaintext.
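The sketch below is an added example, not part of the original post or of Echo Mirage. It shows why interception inside the process, as described above, reveals a password only when the client passes it to the socket API in the clear. A Python wrapper around `sendall` stands in for the hooked send function; the `LOGIN` protocol, the function names and the sample password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import socket
from contextlib import contextmanager

@contextmanager
def send_hook(log):
    """Stand-in for a hooked send(): record every buffer handed to the socket API."""
    original = socket.socket.sendall
    def hooked(self, data, *args):
        log.append(bytes(data))          # seen inside the process, before the wire
        return original(self, data, *args)
    socket.socket.sendall = hooked
    try:
        yield
    finally:
        socket.socket.sendall = original  # always remove the hook

def login_plain(sock, user, password):
    # Weak client (hypothetical protocol): the password itself crosses the API boundary.
    sock.sendall(f"LOGIN {user} {password}\n".encode())

def login_challenge(sock, user, password, nonce):
    # Hardened client: only an HMAC over a server-issued nonce crosses the boundary.
    proof = hmac.new(password.encode(), nonce, hashlib.sha256).hexdigest()
    sock.sendall(f"LOGIN {user} {proof}\n".encode())

def observe(login, *args):
    """Run one login over a local socket pair; return the bytes the hook captured."""
    log = []
    client, server = socket.socketpair()
    try:
        with send_hook(log):
            login(client, *args)
        server.recv(4096)                 # drain so nothing is left pending
    finally:
        client.close()
        server.close()
    return b"".join(log)

if __name__ == "__main__":
    password = "S3cret-constructed"       # constructed sample value
    print(observe(login_plain, "alice", password))
    print(observe(login_challenge, "alice", password, os.urandom(16)))
```

The HMAC exchange is a simplified illustration of keeping the secret out of the buffer; when reviewing a thick client, the check is whether any credential appears verbatim in what the application hands to its send calls.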