Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP AMF - Flash Remoting
Aaron Weaver, Philadelphia Chapter Leader, Pearson eCollege

2 What is AMF? (Action Message Format)

3 Action Message Format
- Action Message Format or AMF is a binary format based loosely on the Simple Object Access Protocol (SOAP). It is used primarily to exchange data between an Adobe Flash application and a database, using a Remote Procedure Call. ~Wikipedia

4 Brief History
- Introduced with Flash Player 6
- First version was AMF 0
- Updated to AMF 3 when Flash Player 9 was released

5 Brief History
- Goal: make the protocol available on every server platform
- Fast (claimed to be 10x faster than XML) and compact on the wire

6 Platforms/Frameworks

8 AMF Packet
An AMF packet consists of the following parts:
- Packet header that contains AMF version information
- Context header count
- Array of context headers that contain information describing the context in which individual AMF messages should be processed
- Message count
- Array of messages
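The packet layout above, walked by a small parser. This is an added example, not code from the presentation: it reads the version, the context headers, the message count and the messages in exactly that order, and decodes enough AMF0 value types (number, boolean, string, object, null, strict array) to follow a typical remoting call. SAMPLE_PACKET is constructed by hand for this example; the "Credentials" header, the "BankService.getBalance" target and the account number are illustrative values, not taken from the slides.

```python
"""Minimal AMF0 packet parser for the envelope described on the slide.

Added example, not code from the OWASP presentation. The constants below are
the standard AMF0 type markers; the sample packet at the bottom is constructed
for this example.
"""
import struct

# AMF0 type markers handled by this reader
NUMBER, BOOLEAN, STRING, OBJECT = 0x00, 0x01, 0x02, 0x03
NULL, UNDEFINED, OBJECT_END, STRICT_ARRAY, LONG_STRING = 0x05, 0x06, 0x09, 0x0A, 0x0C


class AMF0Reader:
    """Cursor over a byte string with bounds-checked reads."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated AMF data at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int: return self.take(1)[0]
    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def utf8(self) -> str: return self.take(self.u16()).decode("utf-8")

    def value(self):
        """Decode one AMF0 value; raises on markers this example does not cover."""
        marker = self.u8()
        if marker == NUMBER:
            return struct.unpack(">d", self.take(8))[0]
        if marker == BOOLEAN:
            return self.u8() != 0
        if marker == STRING:
            return self.utf8()
        if marker == LONG_STRING:
            return self.take(self.u32()).decode("utf-8")
        if marker in (NULL, UNDEFINED):
            return None
        if marker == STRICT_ARRAY:
            return [self.value() for _ in range(self.u32())]
        if marker == OBJECT:
            obj = {}
            while True:
                key = self.utf8()
                if key == "":  # empty key followed by the object-end marker
                    if self.u8() != OBJECT_END:
                        raise ValueError("missing object-end marker")
                    return obj
                obj[key] = self.value()
        raise ValueError("unsupported AMF0 marker 0x%02x" % marker)


def parse_packet(data: bytes) -> dict:
    """Walk the packet in the order the slide lists: version, header count,
    headers, message count, messages. Declared lengths are read but not trusted."""
    r = AMF0Reader(data)
    version = r.u16()
    headers = []
    for _ in range(r.u16()):
        name = r.utf8()
        must_understand = r.u8() != 0
        r.u32()  # declared header length, often 0xFFFFFFFF (unknown); ignored
        headers.append({"name": name, "mustUnderstand": must_understand,
                        "value": r.value()})
    messages = []
    for _ in range(r.u16()):
        target, response = r.utf8(), r.utf8()
        r.u32()  # declared body length, likewise ignored
        messages.append({"target": target, "response": response, "body": r.value()})
    if r.pos != len(data):
        raise ValueError("%d trailing bytes after last message" % (len(data) - r.pos))
    return {"version": version, "headers": headers, "messages": messages}


# --- constructed sample packet: one Credentials header, one remoting call ---
def _s(text: str) -> bytes:            # length-prefixed UTF-8 (no type marker)
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

def _str(text: str) -> bytes:          # AMF0 string value
    return bytes([STRING]) + _s(text)

def _num(n: float) -> bytes:           # AMF0 number value
    return bytes([NUMBER]) + struct.pack(">d", n)

SAMPLE_PACKET = (
    struct.pack(">HH", 0, 1)                              # version 0, 1 header
    + _s("Credentials") + b"\x00" + struct.pack(">I", 0xFFFFFFFF)
    + bytes([OBJECT]) + _s("userid") + _str("alice")
    + _s("password") + _str("s3cret") + _s("") + bytes([OBJECT_END])
    + struct.pack(">H", 1)                                # 1 message
    + _s("BankService.getBalance") + _s("/1") + struct.pack(">I", 0xFFFFFFFF)
    + bytes([STRICT_ARRAY]) + struct.pack(">I", 1) + _num(1001)
)

if __name__ == "__main__":
    import json
    print(json.dumps(parse_packet(SAMPLE_PACKET), indent=2))
```

Two things worth noticing when reading the output: the target URI is just "Service.method", so once a gateway URL is known every service name and method name is visible in the traffic, and the Credentials header is ordinary AMF0 strings, so without TLS the userid and password are readable by anyone on the path.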

9 Wireshark

10 Server Side
- On the server, Flash Remoting MX deserializes the incoming AMF messages.
- Once server-side processing finishes, the results are serialized to AMF and sent back to the Flash application.
- The body of each AMF message contains the response or error object, expressed as an ActionScript object.

11 Remoting Insecurity
- Methods and services can be discovered
- Failure to restrict access:
  - Authentication
  - Authorization
- Sensitive functions are exposed publicly

12 Manually analyzing
- Decompile the SWF
- Use swfdump to convert it to bytecode, then grep through the results for ServerConfig.xml, which is often embedded in the SWF. This provides the URLs and service names:

./swfdump -D BankApp.swf 2>/dev/null | grep "service id"

13 Services XML File in SWF
...

14 Remote Methods
- Next, search for the remoting methods in the SWF:

./swfdump -D BankApp.swf 2>/dev/null | grep "findproperty \[public\]::remObj"
00011) + 0:1 findproperty [public]::remObjLogin
00011) + 0:1 findproperty [public]::remObjTrans
00011) + 0:1 findproperty [public]::remObjBalance

15 Isn't there an easier way?

16 deBlaze
- Free tool by Jon Rose (Trustwave)
- Python script for analyzing AMF

18 Viewing/Editing AMF
- Charles Proxy
- Burp Proxy
- IBM AppScan
- HP WebInspect?

19 Securing AMF
- BlazeDS
  - Restrict which public methods are exposed in remoting-config.xml
  - Use security constraints
  - Include methods
  - Exclude methods
- See the BlazeDS Developer Guide
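A check for the three BlazeDS controls the slide names (include/exclude methods and security constraints), as an added example that is not code from the presentation or from BlazeDS. It parses a remoting-config.xml and flags destinations that expose every public method of their source class, or expose methods with no security constraint at either the method or the destination level. The sample config is constructed for this example; the element names (destination, properties, source, include-methods, exclude-methods, method, security/security-constraint) follow the BlazeDS remoting-config.xml layout as documented in the Developer Guide, and the class and destination names are invented.

```python
"""Audit a BlazeDS remoting-config.xml for destinations that expose methods
without a security constraint. Added example; SAMPLE_REMOTING_CONFIG is a
constructed configuration, not taken from any real deployment."""
import xml.etree.ElementTree as ET

# Constructed sample: BankService is locked down with include-methods, each
# carrying a security constraint; AdminService has neither include-methods nor
# exclude-methods and no constraint, so every public method of the source
# class is callable by anyone who can reach the gateway.
SAMPLE_REMOTING_CONFIG = """
<service id="remoting-service" class="flex.messaging.services.RemotingService">
  <adapters>
    <adapter-definition id="java-object"
        class="flex.messaging.services.remoting.adapters.JavaAdapter" default="true"/>
  </adapters>
  <default-channels>
    <channel ref="my-amf"/>
  </default-channels>
  <destination id="BankService">
    <properties>
      <source>com.example.bank.BankService</source>
      <include-methods>
        <method name="getBalance" security-constraint="authenticated-users"/>
        <method name="transfer" security-constraint="authenticated-users"/>
      </include-methods>
    </properties>
  </destination>
  <destination id="AdminService">
    <properties>
      <source>com.example.bank.AdminService</source>
    </properties>
  </destination>
</service>
"""


def audit_remoting_config(xml_text: str) -> list:
    """Return one finding string per problem, prefixed with the destination id."""
    root = ET.fromstring(xml_text)
    findings = []
    for dest in root.iter("destination"):
        dest_id = dest.get("id", "?")
        props = dest.find("properties")
        include = props.find("include-methods") if props is not None else None
        exclude = props.find("exclude-methods") if props is not None else None
        has_dest_constraint = dest.find("security/security-constraint") is not None

        if include is None and exclude is None:
            findings.append("%s: no include-methods or exclude-methods, so every "
                            "public method of the source class is remotely callable"
                            % dest_id)
        if has_dest_constraint:
            continue  # a destination-wide constraint covers all of its methods
        if include is None:
            findings.append("%s: no security-constraint at destination level" % dest_id)
        else:
            for m in include.findall("method"):
                if m.get("security-constraint") is None:
                    findings.append("%s.%s: included method has no security-constraint"
                                    % (dest_id, m.get("name")))
    return findings


if __name__ == "__main__":
    for line in audit_remoting_config(SAMPLE_REMOTING_CONFIG):
        print(line)
```

Run it against the real remoting-config.xml of a deployment; the point of the include-methods form is that a method added to the Java class later is not exposed until someone deliberately lists it, which is the opposite of the default.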

20 Configuring Security

21 Securing AMF
- PyAMF
  - Enable authentication on the server
- AMFPHP
  - Methods whose names start with an underscore cannot be called remotely
  - Remove the service browser and discovery service
  - Use beforeFilter for authorization controls
- Good resource: the OWASP Flash Security Project

22 Questions?

23 Next Meeting
Thursday, December 3rd: Bruce Diamond (SANS)
Chemical Heritage Foundation Conference Center, Haas room, 315 Chestnut Street, Philadelphia

24 References
- Jon Rose - Trustwave