ThinVNC is a web remote access client (browser-based, HTML5). It’s an improved version of the standard VNC protocol. It covers all the same scenarios, but with much better performance and without the need to install a PC client or any browser plugin.
To access the web VNC client, ThinVNC uses Basic Authentication to authenticate the user. The credentials are set on the server side when the VNC client is deployed. The VNC server has no fixed port; it runs on whatever port was configured at deployment.
When an attacker brute-forces the login or repeatedly submits wrong passwords, the server answers with a 401 response. The directory traversal attack vector allows an attacker to read an arbitrary file on the system: the check can be bypassed using a path such as
/xyz../../ThinVNC.ini, as the given proof of concept shows.
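The traversal form above does not begin with `../`, so a filter that only rejects a leading `../` prefix misses it. The following added detection example (written for this page, not code from ThinVNC or from the advisory author) URL-decodes each request path, splits it into segments and flags any `..` segment wherever it appears, and separately flags direct requests for the server-side configuration file; the request lines are constructed samples, and the sensitive-file name is assumed from the advisory.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample request lines (not taken from the advisory): one benign
# request, the traversal form the advisory describes, and a URL-encoded variant.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /xyz../../ThinVNC.ini HTTP/1.1",
    "GET /css/..%2F..%2FThinVNC.ini HTTP/1.1",
    "GET /js/app.js HTTP/1.1",
]

# Files a browser client should never request directly. Assumption: the
# server-side config file name taken from the advisory text above.
SENSITIVE_FILES = {"thinvnc.ini"}


def naive_prefix_filter(path: str) -> bool:
    """Weak check that only rejects paths starting with '../'.
    Included to show why prefix matching is insufficient."""
    return path.lstrip("/").startswith("../")


def classify_path(raw_path: str) -> str:
    """Return 'traversal', 'sensitive' or 'ok' for one request path.

    The path is URL-decoded first, then split into segments; any '..'
    segment counts as traversal regardless of what precedes it, so
    '/xyz../../ThinVNC.ini' is caught even though it does not start with '../'.
    """
    decoded = unquote(raw_path.split("?", 1)[0])
    segments = decoded.split("/")
    if ".." in segments:
        return "traversal"
    resolved = posixpath.normpath("/" + decoded.lstrip("/"))
    if posixpath.basename(resolved).lower() in SENSITIVE_FILES:
        return "sensitive"
    return "ok"


def scan_requests(lines):
    """Classify every request line; returns a list of (path, verdict) pairs."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a request line we can parse
        results.append((parts[1], classify_path(parts[1])))
    return results


if __name__ == "__main__":
    for path, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{verdict:10} naive_filter={naive_prefix_filter(path)!s:5} {path}")
```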