Comments on: Pentesting Adobe Flex Applications with a Custom AMF Client

By: Marcin

Marcin — Mon, 08 Feb 2010 19:05:03 +0000

Hi Thijs! During testing, I often prefer working with the HTTP request directly, rather than having it abstracted from me like RemotingService does. I felt it was important in this post (from a security testing perspective) for the reader to understand how an AMF envelope and message are constructed.

I also had been running into TypeError’s being thrown when using the RemotingService in some scripts, and didn’t have time to track down the root cause for it. I’ll be sure to submit any details to you if I run into them again.

Thanks for your work on PyAMF!

By: Thijs

Thijs — Fri, 29 Jan 2010 01:54:28 +0000

Interesting post! I’m curious why you didn’t use PyAMF’s RemotingService, and rolled your own using httplib?

By: James Ward

James Ward — Mon, 23 Nov 2009 16:37:41 +0000

Thanks for discovering and reporting this problem with our BlazeDS samples. In the future can you also file a bug?
http://bugs.adobe.com

I’ve created one for this issue:
https://bugs.adobe.com/jira/browse/BLZ-461

It’s important to note that this vulnerability is just in the BlazeDS sample applications not in the BlazeDS product itself.

BTW: It’s much easier to use a Flex app to illustrate these types of vulnerabilities. No mucking with AMF packets, etc. Here is the Flex app I created to test this particular vulnerability:
http://pastebin.com/f6c1e3114

-James (Adobe)

By: Daniel

Daniel — Sun, 22 Nov 2009 13:57:30 +0000

IBM Rational AppScan has the ability to automatically crawl and test Flash applications. In addition, specifically for Flex/AMF applications, it performs the regular battery of application-layer tests (e.g. SQLi, XSS, etc.) on AMF message fields.

By: arshan

arshan — Wed, 11 Nov 2009 15:33:43 +0000

cool post