Pentesting Adobe Flex Applications with a Custom AMF Client

June 9, 2010 Matthew Skelton

Adobe Flex at the presentation layer [...] often presents an obstacle for security testers, especially if the application uses ActionScript Message Format (AMF) to send data across the wire. [...] …you should always decompile the SWF using a tool like SWFScan, and grep for RemoteObject and AMFChannel as a relatively good way to identify remoting methods. The DeBlaze tool can also perform remote service and method enumeration, which can help you identify other services and methods that aren’t exposed in the application SWF.

Excellent article on pen-testing of Flex applications by Marcin Wielgoszewski:

http://www.gdssecurity.com/l/b/2009/11/11/pentesting-adobe-flex-applications-with-a-custom-amf-client/
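
The grep step from the quoted passage, written out as a small inventory script for reviewing which remoting surface a decompiled SWF declares. This is an added example, not code from the linked article or from this post. The sample ActionScript, its service names and the `example.test` endpoint are constructed, and the patterns assume the decompiler emits the standard Flex calls (`new RemoteObject("...")`, `.destination = "..."`, `new AMFChannel(id, uri)`, `getOperation("...")`).

```python
import re

# Flex remoting calls as they appear in decompiled ActionScript (assumed output style).
RO_CTOR = re.compile(r'new\s+RemoteObject\(\s*"([^"]+)"\s*\)')
DEST_SET = re.compile(r'\.destination\s*=\s*"([^"]+)"')
CHANNEL = re.compile(r'new\s+(?:Secure)?AMFChannel\(\s*"([^"]*)"\s*,\s*"([^"]+)"\s*\)')
GET_OP = re.compile(r'\.getOperation\(\s*"([^"]+)"\s*\)')

def inventory_remoting(source):
    """List remoting destinations, AMF channel endpoints and named operations."""
    destinations = set(RO_CTOR.findall(source)) | set(DEST_SET.findall(source))
    channels = dict(CHANNEL.findall(source))  # channel id -> endpoint URI
    return {
        "destinations": sorted(destinations),
        "channels": channels,
        "operations": sorted(set(GET_OP.findall(source))),
        # Channels whose endpoint is plain HTTP carry AMF traffic unencrypted.
        "cleartext": sorted(c for c, u in channels.items()
                            if u.lower().startswith("http://")),
    }

# Constructed sample of decompiled client code (not from a real application).
SAMPLE = '''
package com.example.client {
    import mx.messaging.ChannelSet;
    import mx.messaging.channels.AMFChannel;
    import mx.rpc.remoting.RemoteObject;

    public class OrderClient {
        private var orders:RemoteObject = new RemoteObject("orderService");
        private var admin:RemoteObject = new RemoteObject();

        public function init():void {
            var cs:ChannelSet = new ChannelSet();
            cs.addChannel(new AMFChannel("my-amf", "http://app.example.test/messagebroker/amf"));
            orders.channelSet = cs;
            admin.destination = "adminService";
            orders.getOperation("listOrders").send();
        }
    }
}
'''

if __name__ == "__main__":
    for key, value in inventory_remoting(SAMPLE).items():
        print(key, "->", value)
```

Destinations that appear only through a later `.destination` assignment, like `adminService` in the sample, are the ones a search for the constructor alone would miss.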

Filed under: Adobe,Tech Tip
