Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Deblaze - A Remote Method Enumeration Tool for ...

Deblaze - A Remote Method Enumeration Tool for Flex Servers, Defcon

This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.

Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze came about as a necessity during a few security assessments of flash based websites that made heavy use of flash remoting. I needed something to give me the ability to dig a little deeper into the technology and identify security holes. This tool will allow you to perform method enumeration and interrogation against flash remoting end points.

The latest version can be found at deblaze-tool.appspot.com

Jon Rose

July 30, 2009
Tweet

More Decks by Jon Rose

Other Decks in Technology

Transcript

  1. Who$am$I?$ !  Jon"Rose" "  Working"at"Trustwave’s" SpiderLabs" "  Founder"and"former" Pres"OWASP"Phoenix" Chapter"

    !  Background" "  Network"&"App" Pentesting" "  Architecture"&"Code" Review" "  SDLC"Security" ""
  2. Flash$and$Flex$ !  Flash"Apps:" "  ClientKside"UI" "  SWF"files"(can"be"decompiled)" "  Requires"flash"player" " 

    Built"by"designers"/"UI"ppl" "  Web"ads,"banners,"games" "  Consistent"across"en"browsers" !  Flex:" "  Designed"for"programmers" "  MXML"for"UI"(compiles"into"AS)" "  ActionScript"for"code" "  J2EE"application"server""
  3. !  Flex"1""(March"2004)" "  Flex"Builder"IDE" "  Flex"Data"Services" "  Expensive"license" !  Flex"2"(June"2006)"

    "  SDK"free"download" "  Flex"builder"not"required" "  Eclipse"integration" "  Flex"Data"Services"2" "  ActionScript"3" "  Requires"Flash"Player"9" !  Open"Source"(Dec"2007)" "  Action"Message"Format"" Protocol"(AMF)" "  BlazeDS"$ !  Flex"3"(March"2009)" "  Open"source"SDK" "  Support"for"Adobe"AIR" (desktop"app"runtime)" *Wikipedia"highlights*" Flex$Timeline$
  4. Flex$Data$Services$ !  Data"Management" "  Update"client"and/or"server"when"data"changes" !  Messaging"" "  Real"Time"Messaging"protocol"(RTMP)" " 

    PubKsub"model" "  RealKtime"data""streaming" !  Remoting" "  HTTP,"SOAP,"AMF" "  Automatic""data"marshalling" !  PDF" "  Create"and"edit"PDF’s"
  5. Flash$Remoting$Insecurity$ !  Developers"fail"to"restrict"access"to"methods:" "  Authentication"" "  Authorization" !  Method"&"Service"names"can"be"bruteKforced" ! 

    Flex"servers"can"be"fingerprinted" !  Common"vulns"in"remote"methods:" "  Injections" "  Information"leakage" "  Denial"of"service" "  Privilege"escalation" "
  6. !  Often"embedded"in"the" SWF" !  Provide"URL's"and" service"names" !  Destination"id" represents"services" " 

    securityService" "  exampleService" "  mathService" SWF$Remoting$ServerConfig.xml$
  7. Securing$Flash$Remoting$ !  AMFPHP" "  Methods"that"start"with"an"underscore"cannot"be" remotely"called" "  Remove"the"Service"Browser"and"DiscoveryService" service" " 

    Disable"remote"tracing"and"debugging"headers"by" setting"PRODUCTION_SERVER" "  Use"beforeFilter"for"authorization"controls" !  PYAMF" "  Enable"authentication"on"the"server"
  8. Questions$&$Comments$ !  Next"Steps" !  Future"Research" !  Latest"Code"" "  "deblazeK tool.appspot.com"

    !  Thanks" "  Spiderlabs" "  Nick"Joyce" "  Stads9000" "  GDS"crew" !  Contact"me:" "  [email protected]" "  [email protected]"