Comments on: Pentesting Adobe Flex Applications with a Custom AMF Client

By: Marcin

Marcin — Tue, 24 Aug 2010 00:52:00 +0000

Vivek, how is your client/application handling sessions? Does the server respond with a Set-Cookie or append the sessionid to to the gateway url? If so, you need to ensure that you handle these scenarios with your client. Have a look at http://opensource.adobe.com/wiki/display/blazeds/Java+AMF+Client for some examples. You can use the addHttpRequestHeader() method to add a cookie if you are using cookie-based session id’s.

By: Vivek

Vivek — Thu, 12 Aug 2010 23:41:42 +0000

The registerAlias() needs 2 arguemnts and the classes mentioned must be present within a package. Using this my registerAlias() got solved, since the local class I was using was not in a package.

Also, my Java AMF client fails to send any remoting request and receives following message. I’m able to invoke login/logout methods but after login any other request I try to invole fails.

————————————————
Operation: RemotingMessage.changeValue
Destination: valueBean
————————————————
Error: exception occured
ServerStatusException
data: Flex Message (flex.messaging.messages.ErrorMessage)
clientId = 8967EBAE-8F0C-AC84-89F1-16E2F27D647F
correlationId = 89A7F273-FC51F-AC93-1FEA-FD3FDE311D20
destination = valueBean
messageId = 8967EBAF-8FF1D-2D1E-A727-61D596749D35
timestamp = 2181655390463
timeToLive = 0
body = null
code = Client.Authentication
message = Login required before authorization can proceed.
details = null
rootCause = null
body = null
extendedData = null
HttpResponseInfo: HttpResponseInfo
code: 200
message: OK
————————————————

Is there anything which I’m missing ?

Thank you
Vivek

By: Vivek

Vivek — Wed, 21 Jul 2010 22:00:46 +0000

I’m implementing a Java client which sends AMF request to BlazeDS server using AMFConnection library.
In my case, I’m calling a remote API (using RemotingMessage) which needs a custom Server Object in the AMF request body. But I can’t create this object because its class and related libraries are present on Server. I observed a way around to this, in a ActionScript, where developers use below syntax, where they create a local class and link to Server Class.

=================Action Script ==================
[Bindable]
[RemoteClass(alias=" com.ABC.PQR.sampleClass")]

public class SampleClass {
public function SampleClass() {
}

public var var1:String;
public var var2:String;
public var var3:ArrayCollection;
public var var4:Boolean;
public var var5:Boolean;
}

=============================================

Can you please let me know how to send a custom object using Java client creating a AMF request with a custom object as request body, similar to the above example.

I used “regsiterAlias( , )” API, but through proxy tool, I observed that the object inside AMF request body contains NULL information and linked correctly to the Server side class.

Thank you.

By: Marcin

Marcin — Mon, 08 Feb 2010 19:05:03 +0000

Hi Thijs! During testing, I often prefer working with the HTTP request directly, rather than having it abstracted from me like RemotingService does. I felt it was important in this post (from a security testing perspective) for the reader to understand how an AMF envelope and message are constructed.

I also had been running into TypeError’s being thrown when using the RemotingService in some scripts, and didn’t have time to track down the root cause for it. I’ll be sure to submit any details to you if I run into them again.

Thanks for your work on PyAMF!

By: Thijs

Thijs — Fri, 29 Jan 2010 01:54:28 +0000

Interesting post! I’m curious why you didn’t use PyAMF’s RemotingService, and rolled your own using httplib?

By: James Ward

James Ward — Mon, 23 Nov 2009 16:37:41 +0000

Thanks for discovering and reporting this problem with our BlazeDS samples. In the future can you also file a bug?
http://bugs.adobe.com

I’ve created one for this issue:
https://bugs.adobe.com/jira/browse/BLZ-461

It’s important to note that this vulnerability is just in the BlazeDS sample applications not in the BlazeDS product itself.

BTW: It’s much easier to use a Flex app to illustrate these types of vulnerabilities. No mucking with AMF packets, etc. Here is the Flex app I created to test this particular vulnerability:
http://pastebin.com/f6c1e3114

-James (Adobe)

By: Daniel

Daniel — Sun, 22 Nov 2009 13:57:30 +0000

IBM Rational AppScan has the ability to automatically crawl and test Flash applications. In addition, specifically for Flex/AMF applications, it performs the regular battery of application-layer tests (e.g. SQLi, XSS, etc.) on AMF message fields.

By: arshan

arshan — Wed, 11 Nov 2009 15:33:43 +0000

cool post