Possible Duplicate:
What tools are there to inspect Flash SWF files?

I have decompiled it and verified the source. All seems fine. AppScan is also not able to find anything in this case. But I just want to be sure that I am not missing anything. It would be helpful if someone could provide some thoughts or hints for penetrating a FLEX application, basically cross-site scripting, as it uses ActionScript too. Any pointers would be appreciated.

The linked question talks about the SWFScan tool, but that basically decompiles the static Flash file and performs a static code review, as far as I know.

p_upadhyay
  • Hi @p_upadhyay, I believe that FLEX refers to the "compiler" for Flash apps, correct? If so I think you'll find good information on the linked question. If I'm wrong, please give me a ping and I'll pop it back open. – AviD Jun 22 '11 at 11:16
  • You're pretty wrong AviD, Adobe Flex comes with a server part running on a J2EE server; the client part can be seen as a rich framework built upon Flash. – Bruno Rohée Jun 22 '11 at 11:43
  • @AviD: Sorry for replying late. I went through the linked question, but that is basically related to Flash. Flex is a framework which uses Flash, ActionScript and MXML to provide client-server communication, whereas Flash is a plain static client component. If I elaborate my question here, I would like to know how one should approach finding OWASP Top 10 security flaws in a Flex environment, basically cross-site scripting. The linked question talks about the SWFScan tool, but that basically decompiles the static Flash file and performs a static code review, as far as I know. – p_upadhyay Jun 24 '11 at 05:04
  • Sorry @p_upadhyay, I reopened the question. Can you add the elaboration from your comments to the question? – AviD Jun 24 '11 at 06:48
  • Flash/Flex pen testing is kind of a pain point right now, at least for me. I'm sure that most others are in the same boat. I actually plan on getting my hands on AppScan pretty soon to try that out. I would say tear the code apart and take a look... – Ormis Jul 20 '11 at 18:55
  • @Ormis: Did the same. Tried AppScan with the Flash scan option enabled, but I still wanted to do it manually. Looking forward to the available options. Actually got involved in some other projects and that's why I was not able to concentrate on this open question. Guys, feel free to close this question as it has been open for so long. – p_upadhyay Jul 31 '11 at 13:28
  • Maybe you could find a few hints on the [OWASP](https://www.owasp.org) website. – noktec Jul 20 '11 at 18:11

3 Answers

Besides the obvious resources:

there are also many important concepts to keep in mind while testing:

  1. AMF must be dealt with
  2. Flash files may be involved, so decompiling, statically analyzing them, and reviewing their code is paramount -- including dependencies and extracted links or references
  3. AMF parameters sometimes map to mid-tier (or backend) XML- or JSON-formatted code with JavaScript/ActionScript behavior. You may need a spec or the source code to provide more details on the interaction -- or a complex fuzzing proxy. Consider IAST-led penetration testing with Quotium Seeker, Fortify SecurityScope (especially the auto-generated REST WADL technology), or Contrast Security
atdre
Intercept the HTTP traffic as you would while testing an ordinary web application. Charles Proxy (http://www.charlesproxy.com/) has the best support for decoding AMF traffic.

Serkan Özkan
    "Action Message Format (AMF) is a binary format used to serialize ActionScript objects." [Wikipedia](http://en.wikipedia.org/wiki/Action_Message_Format) – this.josh Jul 31 '11 at 03:48
  • Thanks Serkan. Surely will try to play around with Charles Proxy. – p_upadhyay Jul 31 '11 at 13:25
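To show what a proxy such as Charles is actually decoding when it displays AMF traffic, here is an added example (not from this answer or from any of the tools named): a minimal Python AMF3 reader covering integers, doubles, strings with the string reference table, and dense arrays, run over a constructed message body. The class, its method names and the sample bytes are my own; the encoding rules follow the AMF3 specification.

```python
import struct
MARK_INT, MARK_DOUBLE, MARK_STRING, MARK_ARRAY = 0x04, 0x05, 0x06, 0x09
SIMPLE = {0x00: None, 0x01: None, 0x02: False, 0x03: True}  # undefined, null, false, true

class AMF3Decoder:
    """Reads scalars, strings and dense arrays from one AMF3 body, honouring the string table."""
    def __init__(self, data: bytes):
        self.buf, self.pos, self.strings = data, 0, []   # strings: the reference table
    def read_u29(self) -> int:
        # Variable-length int: bytes 1-3 carry 7 bits plus a continuation bit, byte 4 carries 8.
        value = 0
        for i in range(4):
            b, self.pos = self.buf[self.pos], self.pos + 1
            value = (value << 8) | b if i == 3 else (value << 7) | (b & 0x7F)
            if i == 3 or not b & 0x80:
                return value
    def read_string(self) -> str:
        ref = self.read_u29()
        if not ref & 1:                              # low bit 0: back-reference into the table
            return self.strings[ref >> 1]
        s = self.buf[self.pos:self.pos + (ref >> 1)].decode("utf-8")
        self.pos += ref >> 1
        if s:                                        # the empty string is never tabled
            self.strings.append(s)
        return s
    def read_value(self):
        marker, self.pos = self.buf[self.pos], self.pos + 1
        if marker in SIMPLE:
            return SIMPLE[marker]
        if marker == MARK_INT:                       # 29-bit two's complement
            n = self.read_u29()
            return n - (1 << 29) if n >= (1 << 28) else n
        if marker == MARK_DOUBLE:                    # big-endian IEEE-754
            self.pos += 8
            return struct.unpack(">d", self.buf[self.pos - 8:self.pos])[0]
        if marker == MARK_STRING:
            return self.read_string()
        if marker == MARK_ARRAY:
            count = self.read_u29() >> 1             # inline dense array assumed (low bit 1)
            if self.read_string():                   # associative part must be empty here
                raise ValueError("associative arrays are not handled by this decoder")
            return [self.read_value() for _ in range(count)]
        raise ValueError(f"unsupported AMF3 marker 0x{marker:02x} at offset {self.pos - 1}")
# Constructed sample body encoding the dense array ["alice", 300, "alice", 2.5, -5]
SAMPLE = (b"\x09\x0B\x01"                            # array, 5 dense items, empty assoc part
          b"\x06\x0Balice"                           # inline string -> string table index 0
          b"\x04\x82\x2C"                            # integer 300 as a two-byte U29
          b"\x06\x00"                                # string by reference to index 0
          b"\x05\x40\x04\x00\x00\x00\x00\x00\x00"    # double 2.5
          b"\x04\xFF\xFF\xFF\xFB")                   # integer -5 as a four-byte U29
```

`AMF3Decoder(SAMPLE).read_value()` returns the list above; the string-by-reference item is why a fuzzer that edits bytes in place can silently corrupt later fields, and why decoding before editing matters.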

You can also use a tool like Burp Suite, which is similar to Charles Proxy but offers plugin support. There's a neat plugin for AMF testing, called Blazer, which offers fuzzing capabilities with customizable attack vectors.

The code for Blazer can be found on GitHub - Code for Blazer.

injector