Penetration testing

Automated Source Code Review for DVTA

September 28, 2016 by

Practical Thick Client Application Penetration Testing using Damn Vulnerable Thick Client App: Automated Source code review


In the previous article, we have discussed some miscellaneous test cases that can be used against Thick Client Applications such as application Logging, Developer Backdoors, Unreliable Timestamps and lack of application signing.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

In this article, we will discuss Automated Source Code Review for DVTA. It is fun when a penetration test begins with a binary and ends with Source Code Review of the same. It is common during penetration tests on .NET assemblies to obtain the code and explore it for vulnerabilities due to the ease of reverse engineering. If you ever wanted to know about freely available automated scanners for .NET source code review, VisualCodeGrepper is something you will like.

Let us discuss how to use VCG and see if it can find anything interesting in Damn Vulnerable Thick Client Application.

First, let us download Visual Code Grepper from the URL below.

Launch VCG, and you should see the following window.

VCG supports multiple languages as shown in the figure below. Select C# as the scan profile by navigating to Settings | C# as shown below.

We now, need to choose the scan the source code using VCG. Let us scan both the decompiled code and the original source taken from Github. Let us begin with decompiled code.

As discussed in one our previous articles, we are going to use DotPeek to decompile the assemblies. Here are the steps.

1. Launch DotPeek and open the assembly you want to decompile. In this case, we chose to have DBAccess.

2. Now, give a right click and click Export to Project. It will show us an option to select the Destination Folder as shown in the figure below.

3. Click Export and, on the right-hand side you should see the following, which shows that the decompiling and exporting is complete.

4. Now, check your destination folder and you should have the decompiled code exported and saved as shown below.

Well, now the decompiled code is ready for scanning. Launch VCG and Navigate to File | New Target Directory

Then, choose the target directory where the decompiled code is located.

Click OK. Next, Navigate to Scan | Full Scan.

This will start scanning the code and provide us the results once the scan completes. This looks as shown in the figure below.

Interesting! VCG reported some vulnerabilities. You can see them that they are self-explanatory.

SQL Injection:


We can also export the results to an XML or CSV file by navigating to File | Export Results as XML and File | Export Results to CSV File respectively.

This is shown below.

Scanning the original source:

As discussed earlier, let us also scan the original source and see if we find any extra issues.

The following figure shows the target directory if the original source code to be scanned.

Follow the same steps as we did with decompiled code and run a scan on this code. This should provide the results.

After exploring the scan results, it is noticed that VCG has identified another extra issue shown below.

As discussed at the beginning of this article, it is always a good idea to perform a quick scan and analyze the results after decompiling the assemblies.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.


In this article, we have discussed source code review of .NET applications. This article has introduced a tool called Visual Code Grepper, which can help us performing automated source code review of both the original source and decompiled code of an application.


SecVulture is an Information Security professional with experience in Web, Thick client and Mobile Application Security, currently working with Infosec Institute as a researcher.