SlideShare a Scribd company logo

AMF Testing Made Easy! DeepSec 2012

Luca Carettoni
Luca Carettoni

The document discusses testing of Action Message Format (AMF) traffic, including a demonstration of the Blazer tool for generating valid AMF objects and fuzzing requests. Blazer uses Java reflection and heuristics to automatically create semantically valid objects for testing remote AMF services. Examples are given for using Blazer to discover unauthenticated methods and SQL injection vulnerabilities. Recent updates to Blazer are highlighted, including improved class and source code handling. The presentation concludes by emphasizing Blazer's ability to improve testing coverage and effectiveness for AMF applications.

Technology
1 of 36
Download to read offline
AMF Testing Made Easy! DeepSec 2012 Luca Carettoni
Agenda AMF specification, BlazeDS, current techniques and tools Blazer architecture, core techniques, heuristics Testing with Blazer Objects generation and fuzzing *DEMO* CVE-2012-3249, Fortify Privileged Information Disclosure Finding vulnerabilities with Blazer Unauthenticated methods *DEMO* SQL Injection *DEMO* What’s new in Blazer v0.3 Conclusion
Thanks! Matasano Security - http://matasano.com/ Part of this research was performed on behalf of Matasano Security Dafydd Stuttard - http://www.portswigger.net/ Burp, such an amazing tool
I am a doer. And you? Luca Carettoni - luca@addepar.com Reinventing the Infrastructure that Powers Global Wealth Management - http://addepar.com
Introduction and context Adobe Flex Framework for building Rich-Internet-Applications Based on Adobe Flash ActionScript ActionScript is an object-oriented programming language Action Message Format (AMF) Introduced with Flash Player 6 Compact binary format to serialize ActionScript objects Fast data transfer, comparing to text-based protocols An efficient mechanism to: Save and retrieve application resources Exchange strongly typed data between client-server
AMF for end-users
AMF for old-school hackers
AMF for web hackers
AMFv0 versus AMFv3 Flash Player 6 Flash Player 9 Object instances can be sent by Object instances, traits and strings can reference be sent by reference Support for ActionScript 1.0 Support for new ActionScript 3.0 data types Support for flash.utils.IExternalizable Variable length encoding scheme for integers
Adobe BlazeDS Server-side Java Remoting/Messaging technology Using Flex Remoting, any Flex client or AIR application can communicate with remote services and inter-exchange data In practice, clients invoke Java methods from classes deployed within a traditional J2EE application server (e.g. Apache Tomcat) A widely deployed implementation Multiple alternatives exist: Java: Adobe LiveCycle Data Service, Granite, ... Others: RubyAMF, FluorineFX, amfPHP, ...
Action Message Format (AMF) AMF request/response types: CommandMessage RemotingMessage .... Client-Server communication through channels: Endpoint - http://<host>/messagebroker/amf Destination Service - echoService Operation - String echo(String input)
State of art (research, tools) Testing Flash Applications, OWASP AppSec 2007 - Stefano di Paola Flex, AMF3 And Blazeds - An Assessment, Blackhat USA 2008 - Jacob Karlson and Kevin Stadmeyer Deblaze, Defcon 17 - Jon Rose Pentesting Adobe Flex Applications, OWASP NY 2010 - Marcin Wielgoszewski Starting from v1.2.124, Burp Suite allows to visualize and tamper AMF traffic Other debugging tools Charles Proxy, WebScarab, Pinta AIR app, ...
Testing remote methods, today Traffic inspection and tampering Using network packet analyzers Using HTTP proxies Enumeration (black-box testing) Retrieving endpoints, destinations and operations from the traffic Decompiling the Flex application Brute-forcing endpoint, destination and operation names
Life is pain, highness. Anyone who tells you differently is selling something W. Goldman
Is this the best we can do? Ideal for black-box testing, limited knowledge required Time consuming Requires to invoke all application functionalities What about custom objects? What about “hidden” services? How to ensure coverage?
Enterprise-grade applications Large attack surface Custom externalizable classes I’ve tested applications with more than 500 remote invokable methods and more than 600 custom Java objects
Life is not #ffffff and #000000
Blazer Custom AMF message generator with fuzzing capabilities Method signatures and Java reflection are used to generate dynamically valid objects
Blazer v0.3 - DeepSec edition GUI-based Burp Suite plugin Well-integrated so you won’t need to leave your favorite tool Burp Free and Pro With Nimbus look’n’feel too GNU GPL software http://code.google.com/p/blazer/ Start Burp with java -classpath Blazer_v0.3.jar:burp.jar burp.StartBurp and launch Blazer from the context menu
Blazer - Architecture A packet generator based on Adobe AMF OpenSource libraries An object generator to build valid application objects using “best-fit” heuristics A lightweight fuzzing infrastructure to generate attack vectors, insert payloads within objects, manage multiple threads and monitor the progress
Blazer as a “custom” AMF client By default, Blazer uses Burp Proxy to record requests and responses Proxy setting option available Using Burp, you can benefit from all built-in tools available (search, sorting, ...)
It’s show time! General usage Objects generation Finding bugs with Blazer: (a) discover exposed methods
CVE-2012-3249 HP Fortify Software Security Center Remote Disclosure of Privileged Information Discovered in June 2012, Patched in August 2012 From the advisory that I sent to HP: “An AMF endpoint used by the HP Fortify SSC web front-end allows to retrieve sensitive system details, including user.dir, java.vm.name, os.name, java.vm.vendor, version, os.version, user.home, java.runtime.name, user.language, user.name, os.arch, java.runtime.version, user.country, java.version, ...” public ListResult getFederations(@PName("spec") SearchSpec spec)
Testing HP Fortify SSC
Blazer - Core techniques Objects generation Java reflection “Best-fit” heuristics Randomness and permutations
Blazer - Data pools Data Pools Containers for “good” user-supplied input Allow to instantiate objects and invoke methods with semantically valid data Available for all primitive types and String Require to be customized for the target Attack vectors Relevant for String objects only Attack vector’s probability allows to unbalance the String data pool with attack vectors
Blazer - Heuristic
Test case: SQL injection
Blazer - “Best-fit” heuristics 1/2 For example, let’s build a HashMap ObjectGenerator tCObj = new ObjectGenerator(task, null); tCObj.generate(“java.util.HashMap”); INT 1 2 3
Blazer - “Best-fit” heuristics 2/2 {null,null} {FOO=BAR,null} STRING FOO BAR ‘;--
It’s show time, again! Finding bugs with Blazer: (b) SQL Injection
Coverage and Scalability With unlimited time, you could get theoretically close to 99.9% coverage In practice, Blazer and target setup are crucial Optimize the number of permutations Balance “good” and “bad” attack vectors Let’s do some math: Application with ~500 exposed operations 45 attack vectors (Burp’s default fuzzing list in Intruder) 35 permutations (average for big apps, experimentally determined) ~500 x 45 x 35 = ~787500 reqs
So, what’s new in Blazer 0.3 ? Import of classes and Java source code Custom Java Security Manager to protect ObjectGenerator.generate() Export functionality (AMF2XML)
Conclusions During real-life assessment, the approach has been proven to increase coverage and effectiveness Blazer was designed to make AMF testing easy, and yet allows researchers to control fully the entire security testing process From 0 to message generation and fuzzing in just few clicks If you find bugs using Blazer, either credits or buy a beer If you find bugs in Blazer and provide a patch, I’ll buy you a beer
AMF 3 Specification, Adobe Systems Inc. References http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf Adobe BlazeDS Developer Guide, Adobe Systems Inc. http://livedocs.adobe.com/blazeds/1/blazeds_devguide/index.html BlazeDS Java AMF Client, Adobe Systems Inc. http://sourceforge.net/adobe/blazeds/wiki/Java%20AMF%20Client/ Testing Flash Applications, Stefano di Paola http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt Adobe Flex, AMF 3 and BlazeDS: An Assessment, Jacob Karlson and Kevin Stadmeyer http://www.blackhat.com/presentations/bh-usa-08/Carlson_Stadmeyer/BlackHat-Flex-Carlson _Stadmeyer_vSubmit1.pdf Deblaze, Jon Rose http://deblaze-tool.appspot.com/ Pentesting Adobe Flex Applications, Marcin Wielgoszewski http://blog.gdssecurity.com/storage/presentations/OWASP_NYNJMetro_Pentesting_Flex.pdf Burp Suite v1.2.14 Release Note, PortSwigger Ltd. http://releases.portswigger.net/2009/08/v1214.html
Pictures http://www.rialitycheck.com/portfolio.cfm http://www.silexlabs.org/amfphp/ http://cloudfront.qualtrics.com/blog/wp-content/uploads/2010/05/thumbs-up-thumbs-down_orange.jpg http://livedocs.adobe.com/blazeds/1/blazeds_devguide/index.html http://1.bp.blogspot.com/_zMthNE3rsTA/TQjjurmc-tI/AAAAAAAAAL8/fmfG0QP6ODo/s1600/Disappointed_by_taleb83.jpg http://www.clker.com/clipart-pointer-finger.html

Recommended

Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)
Christopher Grant
 
Flashack
FlashackFlashack
Flashack
n|u - The Open Security Community
 
Advanced Java
Advanced JavaAdvanced Java
Advanced Java
Hossein Mobasher
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web API
Eyal Vardi
 
Asynchronous reading and writing http r equest
Asynchronous reading and writing http r equestAsynchronous reading and writing http r equest
Asynchronous reading and writing http r equest
Pragyanshis Patnaik
 
Brief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vectorBrief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vector
Payampardaz
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
Iftach Ian Amit
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World Bug
Stefano Di Paola
 

Recommended

Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)
Christopher Grant
 
Flashack
FlashackFlashack
Flashack
n|u - The Open Security Community
 
Advanced Java
Advanced JavaAdvanced Java
Advanced Java
Hossein Mobasher
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web API
Eyal Vardi
 
Asynchronous reading and writing http r equest
Asynchronous reading and writing http r equestAsynchronous reading and writing http r equest
Asynchronous reading and writing http r equest
Pragyanshis Patnaik
 
Brief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vectorBrief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vector
Payampardaz
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
Iftach Ian Amit
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World Bug
Stefano Di Paola
 
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_awsOn demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
Sumit Arora
 
Rest web service
Rest web serviceRest web service
Rest web service
Hamid Ghorbani
 
Silverlight2 Security
Silverlight2 SecuritySilverlight2 Security
Silverlight2 Security
Reagan Hwang
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
Blueinfy Solutions
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
Fadi Abdulwahab
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
Nadim Kadiwala
 
40+ tips to use Postman more efficiently
40+ tips to use Postman more efficiently40+ tips to use Postman more efficiently
40+ tips to use Postman more efficiently
postmanclient
 
Application security 101
Application security 101Application security 101
Application security 101
Vlad Garbuz
 
Securing Your Web Server
Securing Your Web ServerSecuring Your Web Server
Securing Your Web Server
manugoel2003
 
Building enterprise web applications with spring 3
Building enterprise web applications with spring 3Building enterprise web applications with spring 3
Building enterprise web applications with spring 3
Abdelmonaim Remani
 
Intro Java Rev010
Intro Java Rev010Intro Java Rev010
Intro Java Rev010
Rich Helton
 
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash AppsOwasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
guestb0af15
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
Piyush Pattanayak
 
Vulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp SuiteVulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp Suite
sportblonde1589
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
An Introduction to Websphere sMash for PHP Programmers
An Introduction to Websphere sMash for PHP ProgrammersAn Introduction to Websphere sMash for PHP Programmers
An Introduction to Websphere sMash for PHP Programmers
jphl
 
Intro to flask2
Intro to flask2Intro to flask2
Intro to flask2
Mohamed Essam
 
Phalcon 2 High Performance APIs - DevWeekPOA 2015
Phalcon 2 High Performance APIs - DevWeekPOA 2015Phalcon 2 High Performance APIs - DevWeekPOA 2015
Phalcon 2 High Performance APIs - DevWeekPOA 2015
Jackson F. de A. Mafra
 
Leveraging BlazeDS, Java, and Flex: Dynamic Data Transfer
Leveraging BlazeDS, Java, and Flex: Dynamic Data TransferLeveraging BlazeDS, Java, and Flex: Dynamic Data Transfer
Leveraging BlazeDS, Java, and Flex: Dynamic Data Transfer
Joseph Labrecque
 
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxSANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
JasonOstrom1
 

More Related Content

What's hot

Building enterprise web applications with spring 3
Building enterprise web applications with spring 3Building enterprise web applications with spring 3
Building enterprise web applications with spring 3
Abdelmonaim Remani
 
Intro Java Rev010
Intro Java Rev010Intro Java Rev010
Intro Java Rev010
Rich Helton
 
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash AppsOwasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
guestb0af15
 
Vulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp SuiteVulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp Suite
sportblonde1589
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 

What's hot (20)

On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_awsOn demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
 
Rest web service
Rest web serviceRest web service
Rest web service
 
Silverlight2 Security
Silverlight2 SecuritySilverlight2 Security
Silverlight2 Security
 
Secure code
Secure codeSecure code
Secure code
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
 
40+ tips to use Postman more efficiently
40+ tips to use Postman more efficiently40+ tips to use Postman more efficiently
40+ tips to use Postman more efficiently
 
Application security 101
Application security 101Application security 101
Application security 101
 
Securing Your Web Server
Securing Your Web ServerSecuring Your Web Server
Securing Your Web Server
 
Building enterprise web applications with spring 3
Building enterprise web applications with spring 3Building enterprise web applications with spring 3
Building enterprise web applications with spring 3
 
Intro Java Rev010
Intro Java Rev010Intro Java Rev010
Intro Java Rev010
 
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash AppsOwasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
 
Vulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp SuiteVulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp Suite
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
An Introduction to Websphere sMash for PHP Programmers
An Introduction to Websphere sMash for PHP ProgrammersAn Introduction to Websphere sMash for PHP Programmers
An Introduction to Websphere sMash for PHP Programmers
 
Intro to flask2
Intro to flask2Intro to flask2
Intro to flask2
 
Phalcon 2 High Performance APIs - DevWeekPOA 2015
Phalcon 2 High Performance APIs - DevWeekPOA 2015Phalcon 2 High Performance APIs - DevWeekPOA 2015
Phalcon 2 High Performance APIs - DevWeekPOA 2015
 

Similar to AMF Testing Made Easy! DeepSec 2012

Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham
 
eXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework IntroductioneXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework Introduction
vstorm83
 
Googleappengineintro 110410190620-phpapp01
Googleappengineintro 110410190620-phpapp01Googleappengineintro 110410190620-phpapp01
Googleappengineintro 110410190620-phpapp01
Tony Frame
 

Similar to AMF Testing Made Easy! DeepSec 2012 (20)

Leveraging BlazeDS, Java, and Flex: Dynamic Data Transfer
Leveraging BlazeDS, Java, and Flex: Dynamic Data TransferLeveraging BlazeDS, Java, and Flex: Dynamic Data Transfer
Leveraging BlazeDS, Java, and Flex: Dynamic Data Transfer
 
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxSANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
 
Lessons Learnt from Running Thousands of On-demand Spark Applications
Lessons Learnt from Running Thousands of On-demand Spark ApplicationsLessons Learnt from Running Thousands of On-demand Spark Applications
Lessons Learnt from Running Thousands of On-demand Spark Applications
 
Enterprise Library 2.0
Enterprise Library 2.0Enterprise Library 2.0
Enterprise Library 2.0
 
Adobe Flex4
Adobe Flex4 Adobe Flex4
Adobe Flex4
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
Adobe Flex Resources 6439
Adobe Flex Resources 6439Adobe Flex Resources 6439
Adobe Flex Resources 6439
 
Adobe Flex Resources
Adobe Flex ResourcesAdobe Flex Resources
Adobe Flex Resources
 
Enterprise Library 3.0 Overview
Enterprise Library 3.0 OverviewEnterprise Library 3.0 Overview
Enterprise Library 3.0 Overview
 
Flex 4.5 jeyasekar
Flex 4.5 jeyasekarFlex 4.5 jeyasekar
Flex 4.5 jeyasekar
 
eXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework IntroductioneXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework Introduction
 
Wipro-Projects
Wipro-ProjectsWipro-Projects
Wipro-Projects
 
Azure deployments and ARM templates
Azure deployments and ARM templatesAzure deployments and ARM templates
Azure deployments and ARM templates
 
Jetpack, with new features in 2021 GDG Georgetown IO Extended
Jetpack, with new features in 2021 GDG Georgetown IO ExtendedJetpack, with new features in 2021 GDG Georgetown IO Extended
Jetpack, with new features in 2021 GDG Georgetown IO Extended
 
Googleappengineintro 110410190620-phpapp01
Googleappengineintro 110410190620-phpapp01Googleappengineintro 110410190620-phpapp01
Googleappengineintro 110410190620-phpapp01
 
Python3 (boto3) for aws
Python3 (boto3) for awsPython3 (boto3) for aws
Python3 (boto3) for aws
 
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewOpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
 
Javascript-heavy Salesforce Applications
Javascript-heavy Salesforce ApplicationsJavascript-heavy Salesforce Applications
Javascript-heavy Salesforce Applications
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 

Recently uploaded (20)

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

AMF Testing Made Easy! DeepSec 2012

  • 1. AMF Testing Made Easy! DeepSec 2012 Luca Carettoni
  • 2. Agenda AMF specification, BlazeDS, current techniques and tools Blazer architecture, core techniques, heuristics Testing with Blazer Objects generation and fuzzing *DEMO* CVE-2012-3249, Fortify Privileged Information Disclosure Finding vulnerabilities with Blazer Unauthenticated methods *DEMO* SQL Injection *DEMO* What’s new in Blazer v0.3 Conclusion
  • 3. Thanks! Matasano Security - http://matasano.com/ Part of this research was performed on behalf of Matasano Security Dafydd Stuttard - http://www.portswigger.net/ Burp, such an amazing tool
  • 4. I am a doer. And you? Luca Carettoni - luca@addepar.com Reinventing the Infrastructure that Powers Global Wealth Management - http://addepar.com
  • 5. Introduction and context Adobe Flex Framework for building Rich-Internet-Applications Based on Adobe Flash ActionScript ActionScript is an object-oriented programming language Action Message Format (AMF) Introduced with Flash Player 6 Compact binary format to serialize ActionScript objects Fast data transfer, comparing to text-based protocols An efficient mechanism to: Save and retrieve application resources Exchange strongly typed data between client-server
  • 8. AMF for web hackers
  • 9. AMFv0 versus AMFv3 Flash Player 6 Flash Player 9 Object instances can be sent by Object instances, traits and strings can reference be sent by reference Support for ActionScript 1.0 Support for new ActionScript 3.0 data types Support for flash.utils.IExternalizable Variable length encoding scheme for integers
  • 10. Adobe BlazeDS Server-side Java Remoting/Messaging technology Using Flex Remoting, any Flex client or AIR application can communicate with remote services and inter-exchange data In practice, clients invoke Java methods from classes deployed within a traditional J2EE application server (e.g. Apache Tomcat) A widely deployed implementation Multiple alternatives exist: Java: Adobe LiveCycle Data Service, Granite, ... Others: RubyAMF, FluorineFX, amfPHP, ...
  • 11. Action Message Format (AMF) AMF request/response types: CommandMessage RemotingMessage .... Client-Server communication through channels: Endpoint - http://<host>/messagebroker/amf Destination Service - echoService Operation - String echo(String input)
  • 12. State of art (research, tools) Testing Flash Applications, OWASP AppSec 2007 - Stefano di Paola Flex, AMF3 And Blazeds - An Assessment, Blackhat USA 2008 - Jacob Karlson and Kevin Stadmeyer Deblaze, Defcon 17 - Jon Rose Pentesting Adobe Flex Applications, OWASP NY 2010 - Marcin Wielgoszewski Starting from v1.2.124, Burp Suite allows to visualize and tamper AMF traffic Other debugging tools Charles Proxy, WebScarab, Pinta AIR app, ...
  • 13. Testing remote methods, today Traffic inspection and tampering Using network packet analyzers Using HTTP proxies Enumeration (black-box testing) Retrieving endpoints, destinations and operations from the traffic Decompiling the Flex application Brute-forcing endpoint, destination and operation names
  • 14. Life is pain, highness. Anyone who tells you differently is selling something W. Goldman
  • 15. Is this the best we can do? Ideal for black-box testing, limited knowledge required Time consuming Requires to invoke all application functionalities What about custom objects? What about “hidden” services? How to ensure coverage?
  • 16. Enterprise-grade applications Large attack surface Custom externalizable classes I’ve tested applications with more than 500 remote invokable methods and more than 600 custom Java objects
  • 17. Life is not #ffffff and #000000
  • 18. Blazer Custom AMF message generator with fuzzing capabilities Method signatures and Java reflection are used to generate dynamically valid objects
  • 19. Blazer v0.3 - DeepSec edition GUI-based Burp Suite plugin Well-integrated so you won’t need to leave your favorite tool Burp Free and Pro With Nimbus look’n’feel too GNU GPL software http://code.google.com/p/blazer/ Start Burp with java -classpath Blazer_v0.3.jar:burp.jar burp.StartBurp and launch Blazer from the context menu
  • 20. Blazer - Architecture A packet generator based on Adobe AMF OpenSource libraries An object generator to build valid application objects using “best-fit” heuristics A lightweight fuzzing infrastructure to generate attack vectors, insert payloads within objects, manage multiple threads and monitor the progress
  • 21. Blazer as a “custom” AMF client By default, Blazer uses Burp Proxy to record requests and responses Proxy setting option available Using Burp, you can benefit from all built-in tools available (search, sorting, ...)
  • 22. It’s show time! General usage Objects generation Finding bugs with Blazer: (a) discover exposed methods
  • 23. CVE-2012-3249 HP Fortify Software Security Center Remote Disclosure of Privileged Information Discovered in June 2012, Patched in August 2012 From the advisory that I sent to HP: “An AMF endpoint used by the HP Fortify SSC web front-end allows to retrieve sensitive system details, including user.dir, java.vm.name, os.name, java.vm.vendor, version, os.version, user.home, java.runtime.name, user.language, user.name, os.arch, java.runtime.version, user.country, java.version, ...” public ListResult getFederations(@PName("spec") SearchSpec spec)
  • 25. Blazer - Core techniques Objects generation Java reflection “Best-fit” heuristics Randomness and permutations
  • 26. Blazer - Data pools Data Pools Containers for “good” user-supplied input Allow to instantiate objects and invoke methods with semantically valid data Available for all primitive types and String Require to be customized for the target Attack vectors Relevant for String objects only Attack vector’s probability allows to unbalance the String data pool with attack vectors
  • 28. Test case: SQL injection
  • 29. Blazer - “Best-fit” heuristics 1/2 For example, let’s build a HashMap ObjectGenerator tCObj = new ObjectGenerator(task, null); tCObj.generate(“java.util.HashMap”); INT 1 2 3
  • 30. Blazer - “Best-fit” heuristics 2/2 {null,null} {FOO=BAR,null} STRING FOO BAR ‘;--
  • 31. It’s show time, again! Finding bugs with Blazer: (b) SQL Injection
  • 32. Coverage and Scalability With unlimited time, you could get theoretically close to 99.9% coverage In practice, Blazer and target setup are crucial Optimize the number of permutations Balance “good” and “bad” attack vectors Let’s do some math: Application with ~500 exposed operations 45 attack vectors (Burp’s default fuzzing list in Intruder) 35 permutations (average for big apps, experimentally determined) ~500 x 45 x 35 = ~787500 reqs
  • 33. So, what’s new in Blazer 0.3 ? Import of classes and Java source code Custom Java Security Manager to protect ObjectGenerator.generate() Export functionality (AMF2XML)
  • 34. Conclusions During real-life assessment, the approach has been proven to increase coverage and effectiveness Blazer was designed to make AMF testing easy, and yet allows researchers to control fully the entire security testing process From 0 to message generation and fuzzing in just few clicks If you find bugs using Blazer, either credits or buy a beer If you find bugs in Blazer and provide a patch, I’ll buy you a beer
  • 35. AMF 3 Specification, Adobe Systems Inc. References http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf Adobe BlazeDS Developer Guide, Adobe Systems Inc. http://livedocs.adobe.com/blazeds/1/blazeds_devguide/index.html BlazeDS Java AMF Client, Adobe Systems Inc. http://sourceforge.net/adobe/blazeds/wiki/Java%20AMF%20Client/ Testing Flash Applications, Stefano di Paola http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt Adobe Flex, AMF 3 and BlazeDS: An Assessment, Jacob Karlson and Kevin Stadmeyer http://www.blackhat.com/presentations/bh-usa-08/Carlson_Stadmeyer/BlackHat-Flex-Carlson _Stadmeyer_vSubmit1.pdf Deblaze, Jon Rose http://deblaze-tool.appspot.com/ Pentesting Adobe Flex Applications, Marcin Wielgoszewski http://blog.gdssecurity.com/storage/presentations/OWASP_NYNJMetro_Pentesting_Flex.pdf Burp Suite v1.2.14 Release Note, PortSwigger Ltd. http://releases.portswigger.net/2009/08/v1214.html