Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.


Slide 1: AMF - Flash Remoting
Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
Aaron Weaver, Philadelphia Chapter Leader, Pearson eCollege, aaron.weaver2@gmail.com

Slide 2: What is AMF? (Action Message Format)

Slide 3: Action Message Format
- Action Message Format or AMF is a binary format based loosely on the Simple Object Access Protocol (SOAP). It is used primarily to exchange data between an Adobe Flash application and a database, using a Remote Procedure Call. (Wikipedia)

Slide 4: Brief History
- Introduced with Flash Player 6
- First version was AMF 0
- Updated to AMF 3 when Flash Player 9 was released

Slide 5: Brief History
- Goal: make the protocol available on every server platform
- Fast (10x faster than XML) and small in size

Slide 6: Platforms/Frameworks

Slide 7: (no text captured in the transcript)

Slide 8: AMF Packet
- An AMF packet consists of the following parts:
  - Packet header that contains AMF version information
  - Context header count
  - Array of context headers that contain information describing the context in which individual AMF messages should be processed
  - Message count
  - Array of messages

Slide 9: Wireshark

Slide 10: Server Side
- On the server, Flash Remoting MX deserializes the incoming AMF messages.
- Once server-side processing finishes, the results are serialized to AMF and sent back to the Flash application.
- The body of each individual AMF message contains the error or response object, which is expressed as an ActionScript object.

Slide 11: Remoting Insecurity
- Methods and services can be discovered
- Failure to restrict access:
  - Authentication
  - Authorization
- Sensitive functions are exposed publicly

Slide 12: Manually analyzing
- Decompile the SWF
- Use swfdump to convert it to bytecode, then grep the results for ServerConfig.xml, which is often embedded in the SWF. This provides the URLs and service names:

  ./swfdump -D BankApp.swf 2>/dev/null |grep "service id"

Slide 13: Services XML File in SWF ...

Slide 14: Remote Methods
- Next, search for the remoting methods in the SWF:

  ./swfdump -D BankApp.swf 2>/dev/null |grep "findproperty \[public\]::remObj"
  00011) + 0:1 findproperty [public]::remObjLogin
  00011) + 0:1 findproperty [public]::remObjTrans
  00011) + 0:1 findproperty [public]::remObjBalance

Slide 15: Isn't there an easier way?

Slide 16: deBlaze
- Free tool by Jon Rose (Trustwave)
- Python script for analyzing AMF
- http://deblaze-tool.appspot.com/

Slide 17: (no text captured in the transcript)

Slide 18: Viewing/Editing AMF
- Charles Proxy: http://charlesproxy.com
- Burp Proxy: http://portswigger.net
- IBM AppScan: http://ibm.com/software/rational/offerings/websecurity/
- HP WebInspect?

Slide 19: Securing AMF
- BlazeDS
  - Public methods restricted in remoting-config
  - Use security constraints
  - Include methods
  - Exclude methods
  - See the BlazeDS Developer Guide

Slide 20: Configuring Security

Slide 21: Securing AMF
- PyAMF
  - Enable authentication on the server
- AMFPHP
  - Methods whose names start with an underscore cannot be remotely called
  - Remove the service browser and discovery service
  - Use a beforeFilter for authorization controls
- Good resource at OWASP: http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
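The following is an added example and is not code from the slides, from deBlaze, BlazeDS, PyAMF or AMFPHP. It ties slide 8 to slides 19 and 21: it decodes the AMF0 packet envelope (version, context headers, messages) as the slide lists it, then passes every message target through an allow-list in the spirit of BlazeDS include-methods with a security constraint, plus the AMFPHP rule that underscore-prefixed methods are never remotable. The field layout follows the public AMF0 specification; the destination and method names, the POLICY table, the session dict and the sample packet are all constructed for the example, and only the AMF0 value markers that RPC bodies commonly use are implemented.

```python
"""Added example, not from the OWASP slides or any tool they name: decode the AMF0
packet envelope from slide 8 and gate each message target with an allow-list in the
spirit of BlazeDS include-methods (slide 19) and the AMFPHP underscore rule (slide 21).
Field layout follows the public AMF0 spec; sample packet and policy are constructed."""
import struct

# AMF0 type markers this example understands.
NUMBER, STRING, OBJECT, NULL, UNDEFINED = 0x00, 0x02, 0x03, 0x05, 0x06
OBJECT_END, STRICT_ARRAY = 0x09, 0x0A

class AMF0Reader:
    """Cursor over a byte string; every read is bounds-checked."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated AMF packet")
        self.pos += n
        return chunk

    def u8(self) -> int: return self.take(1)[0]
    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def utf8(self) -> str: return self.take(self.u16()).decode("utf-8")

    def value(self):
        """Decode one AMF0 value (the subset of markers that RPC bodies use)."""
        marker = self.u8()
        if marker == NUMBER:
            return struct.unpack(">d", self.take(8))[0]
        if marker == STRING:
            return self.utf8()
        if marker in (NULL, UNDEFINED):
            return None
        if marker == STRICT_ARRAY:
            return [self.value() for _ in range(self.u32())]
        if marker == OBJECT:
            obj = {}
            while True:
                key = self.utf8()
                if key == "":  # empty key followed by OBJECT_END closes the object
                    if self.u8() != OBJECT_END:
                        raise ValueError("malformed object terminator")
                    return obj
                obj[key] = self.value()
        raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")

def parse_packet(data: bytes) -> dict:
    """Split a packet into version, context headers and messages (slide 8 layout)."""
    r = AMF0Reader(data)
    version, headers, messages = r.u16(), [], []
    for _ in range(r.u16()):  # context header count
        name, must_understand = r.utf8(), r.u8() != 0
        r.u32()  # header byte length, commonly 0xFFFFFFFF (unknown)
        headers.append({"name": name, "must_understand": must_understand, "value": r.value()})
    for _ in range(r.u16()):  # message count
        target, response = r.utf8(), r.utf8()
        r.u32()  # message byte length, commonly 0xFFFFFFFF (unknown)
        messages.append({"target": target, "response": response, "body": r.value()})
    if r.pos != len(data):
        raise ValueError("trailing bytes after last message")
    return {"version": version, "headers": headers, "messages": messages}

# Constructed policy: destination -> {remotable method: required session state}.
POLICY = {"BankService": {"getBalance": "authenticated", "transfer": "authenticated"}}

def authorize(target: str, session: dict) -> tuple:
    """Return (allowed, reason) for one message target such as 'BankService.transfer'."""
    dest, _, method = target.rpartition(".")
    if not dest or not method:
        return False, "malformed target"
    if method.startswith("_"):  # AMFPHP convention from slide 21
        return False, "underscore methods are not remotable"
    if method not in POLICY.get(dest, {}):  # include-methods style allow-list
        return False, "method not in include-methods"
    if POLICY[dest][method] == "authenticated" and not session.get("authenticated"):
        return False, "authentication required"
    return True, "ok"

def gate_packet(data: bytes, session: dict) -> list:
    """Return (target, allowed, reason) for every message in an AMF0 packet."""
    return [(m["target"], *authorize(m["target"], session))
            for m in parse_packet(data)["messages"]]

# Constructed sample packet: AMF0 (version 0), no context headers, three RPC messages.
def _s(text): b = text.encode("utf-8"); return struct.pack(">H", len(b)) + b
def _num(x): return bytes([NUMBER]) + struct.pack(">d", x)
def _arr(items): return bytes([STRICT_ARRAY]) + struct.pack(">I", len(items)) + b"".join(items)
def _msg(t, resp, body): return _s(t) + _s(resp) + struct.pack(">I", len(body)) + body

SAMPLE_PACKET = (
    struct.pack(">HHH", 0, 0, 3)
    + _msg("BankService.getBalance", "/1", _arr([_num(1001)]))
    + _msg("BankService.transfer", "/2", _arr([_num(1001), _num(2002), _num(50)]))
    + _msg("BankService._internalAudit", "/3", _arr([]))
)

if __name__ == "__main__":
    for target, allowed, reason in gate_packet(SAMPLE_PACKET, {"authenticated": True}):
        print(f"{target:32} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Run stand-alone, the script decodes the constructed packet and reports the first two targets as allowed for an authenticated session while the underscore method is refused regardless of session state. The design point mirrors the slides: the gateway never trusts the method name in the message to pick what to run; it resolves the target against an explicit include list, so methods that a decompiled SWF or a discovery service could reveal are simply not reachable unless they were deliberately published with a security constraint.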

Slide 22: Questions?

Slide 23: Next Meeting
- Thursday, December 3rd: Bruce Diamond (SANS)
- Chemical Heritage Foundation Conference Center, Haas room, 315 Chestnut Street, Philadelphia

Slide 24: References
- Jon Rose - Trustwave

