amf testing made easy
play

AMF Testing Made Easy! DeepSec 2012 Luca Carettoni - PowerPoint PPT Presentation

Mar 10, 2024 •154 likes •526 views

AMF Testing Made Easy! DeepSec 2012 Luca Carettoni Agenda AMF specification, BlazeDS, current techniques and tools Blazer architecture, core techniques, heuristics Testing with Blazer Objects generation and fuzzing *DEMO*

  1. AMF Testing Made Easy! DeepSec 2012 Luca Carettoni

  2. Agenda AMF specification, BlazeDS, current techniques and tools Blazer architecture, core techniques, heuristics Testing with Blazer Objects generation and fuzzing *DEMO* CVE-2012-3249, Fortify Privileged Information Disclosure Finding vulnerabilities with Blazer Unauthenticated methods *DEMO* SQL Injection *DEMO* What’s new in Blazer v0.3 Conclusion

  3. Thanks! Matasano Security - http://matasano.com/ Part of this research was performed on behalf of Matasano Security Dafydd Stuttard - http://www.portswigger.net/ Burp, such an amazing tool

  4. I am a doer. And you? Luca Carettoni - luca@addepar.com Reinventing the Infrastructure that Powers Global Wealth Management - http://addepar.com

  5. Introduction and context Adobe Flex Framework for building Rich-Internet-Applications Based on Adobe Flash ActionScript ActionScript is an object-oriented programming language Action Message Format (AMF) Introduced with Flash Player 6 Compact binary format to serialize ActionScript objects Fast data transfer, comparing to text-based protocols An e ffi cient mechanism to: Save and retrieve application resources Exchange strongly typed data between client-server

  6. AMF for end-users

  7. AMF for old-school hackers

  8. AMF for web hackers

  9. AMFv0 versus AMFv3 Flash Player 9 Flash Player 6 Object instances, traits and strings can Object instances can be sent by be sent by reference reference Support for new ActionScript 3.0 data Support for ActionScript 1.0 types Support for flash.utils.IExternalizable Variable length encoding scheme for integers

  10. Adobe BlazeDS Server-side Java Remoting/Messaging technology Using Flex Remoting, any Flex client or AIR application can communicate with remote services and inter-exchange data In practice, clients invoke Java methods from classes deployed within a traditional J2EE application server (e.g. Apache Tomcat) A widely deployed implementation Multiple alternatives exist: Java: Adobe LiveCycle Data Service, Granite, ... Others: RubyAMF , FluorineFX, amfPHP , ...

  11. Action Message Format (AMF) AMF request/response types: CommandMessage RemotingMessage .... Client-Server communication through channels: Endpoint - http://<host>/messagebroker/amf Destination Service - echoService Operation - String echo(String input)

  12. State of art (research, tools) Testing Flash Applications, OWASP AppSec 2007 - Stefano di Paola Flex, AMF3 And Blazeds - An Assessment, Blackhat USA 2008 - Jacob Karlson and Kevin Stadmeyer Deblaze, Defcon 17 - Jon Rose Pentesting Adobe Flex Applications, OWASP NY 2010 - Marcin Wielgoszewski Starting from v1.2.124, Burp Suite allows to visualize and tamper AMF tra ffi c Other debugging tools Charles Proxy, WebScarab, Pinta AIR app, ...

  13. Testing remote methods, today Tra ffi c inspection and tampering Using network packet analyzers Using HTTP proxies Enumeration (black-box testing) Retrieving endpoints, destinations and operations from the tra ffi c Decompiling the Flex application Brute-forcing endpoint, destination and operation names

  14. Life is pain, highness. Anyone who tells you differently is selling something W. Goldman

  15. Is this the best we can do? Ideal for black-box testing, limited knowledge required Time consuming Requires to invoke all application functionalities What about custom objects? What about “hidden” services? How to ensure coverage?

  16. Enterprise-grade applications Large attack surface Custom externalizable classes I’ve tested applications with more than 500 remote invokable methods and more than 600 custom Java objects

  17. Life is not #ffffff and #000000

  18. Blazer Custom AMF message generator with fuzzing capabilities Method signatures and Java reflection are used to generate dynamically valid objects

  19. Blazer v0.3 - DeepSec edition GUI-based Burp Suite plugin Well-integrated so you won’t need to leave your favorite tool Burp Free and Pro With Nimbus look’n’feel too GNU GPL software http://code.google.com/p/blazer/ Start Burp with java -classpath Blazer_v0.3.jar:burp.jar burp.StartBurp and launch Blazer from the context menu

  20. Blazer - Architecture A packet generator based on Adobe AMF OpenSource libraries An object generator to build valid application objects using “best-fit” heuristics A lightweight fuzzing infrastructure to generate attack vectors, insert payloads within objects, manage multiple threads and monitor the progress

  21. Blazer as a “custom” AMF client By default, Blazer uses Burp Proxy to record requests and responses Proxy setting option available Using Burp, you can benefit from all built-in tools available (search, sorting, ...)

  22. It’s show time! General usage Objects generation Finding bugs with Blazer: (a) discover exposed methods

  23. CVE-2012-3249 HP Fortify Software Security Center Remote Disclosure of Privileged Information Discovered in June 2012, Patched in August 2012 From the advisory that I sent to HP: “An AMF endpoint used by the HP Fortify SSC web front-end allows to retrieve sensitive system details, including user.dir, java.vm.name, os.name, java.vm.vendor, version, os.version, user.home, java.runtime.name, user.language, user.name, os.arch, java.runtime.version, user.country, java.version, ...” public ListResult getFederations(@PName("spec") SearchSpec spec)

  24. Testing HP Fortify SSC

  25. Blazer - Core techniques Objects generation Java reflection “Best-fit” heuristics Randomness and permutations

  26. Blazer - Data pools Data Pools Containers for “good” user-supplied input Allow to instantiate objects and invoke methods with semantically valid data Available for all primitive types and String Require to be customized for the target Attack vectors Relevant for String objects only Attack vector’s probability allows to unbalance the String data pool with attack vectors

  27. Blazer - Heuristic

  28. Test case: SQL injection

  29. Blazer - “Best-fit” heuristics 1/2 For example, let’s build a HashMap ObjectGenerator tCObj = new ObjectGenerator(task, null); tCObj.generate(“java.util.HashMap”); INT 1 2 3

  30. Blazer - “Best-fit” heuristics 2/2 {null,null} {FOO=BAR,null} STRING BAR ‘;-- FOO

  31. It’s show time, again! Finding bugs with Blazer: (b) SQL Injection

  32. Coverage and Scalability With unlimited time, you could get theoretically close to 99.9% coverage In practice, Blazer and target setup are crucial Optimize the number of permutations Balance “good” and “bad” attack vectors Let’s do some math: Application with ~500 exposed operations 45 attack vectors (Burp’s default fuzzing list in Intruder) 35 permutations (average for big apps, experimentally determined) ~500 x 45 x 35 = ~787500 reqs

  33. So, what’s new in Blazer 0.3 ? Import of classes and Java source code Custom Java Security Manager to protect ObjectGenerator.generate() Export functionality ( AMF2XML )

  34. Conclusions During real-life assessment, the approach has been proven to increase coverage and e ff ectiveness Blazer was designed to make AMF testing easy, and yet allows researchers to control fully the entire security testing process From 0 to message generation and fuzzing in just few clicks If you find bugs using Blazer, either credits or buy a beer If you find bugs in Blazer and provide a patch, I’ll buy you a beer

  35. References AMF 3 Specification, Adobe Systems Inc. http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf Adobe BlazeDS Developer Guide, Adobe Systems Inc. http://livedocs.adobe.com/blazeds/1/blazeds_devguide/index.html BlazeDS Java AMF Client, Adobe Systems Inc. http://sourceforge.net/adobe/blazeds/wiki/Java%20AMF%20Client/ Testing Flash Applications, Stefano di Paola http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt Adobe Flex, AMF 3 and BlazeDS: An Assessment, Jacob Karlson and Kevin Stadmeyer http://www.blackhat.com/presentations/bh-usa-08/Carlson_Stadmeyer/BlackHat-Flex-Carlson _Stadmeyer_vSubmit1.pdf Deblaze, Jon Rose http://deblaze-tool.appspot.com/ Pentesting Adobe Flex Applications, Marcin Wielgoszewski http://blog.gdssecurity.com/storage/presentations/OWASP_NYNJMetro_Pentesting_Flex.pdf Burp Suite v1.2.14 Release Note, PortSwigger Ltd. http://releases.portswigger.net/2009/08/v1214.html

  36. Pictures http://www.rialitycheck.com/portfolio.cfm http://www.silexlabs.org/amfphp/ http://cloudfront.qualtrics.com/blog/wp-content/uploads/2010/05/thumbs-up-thumbs-down_orange.jpg http://livedocs.adobe.com/blazeds/1/blazeds_devguide/index.html http://1.bp.blogspot.com/_zMthNE3rsTA/TQjjurmc-tI/AAAAAAAAAL8/fmfG0QP6ODo/s1600/Disappointed_by_taleb83.jpg http://www.clker.com/clipart-pointer-finger.html

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cutting Edge Genetics Made Easy Karyotype Molecular testing with FISH Chromosomal

Cutting Edge Genetics Made Easy Karyotype Molecular testing with FISH Chromosomal

10/19/2017 The evolution of prenatal genetic testing Cutting Edge Genetics Made Easy Karyotype Molecular testing with FISH Chromosomal microarray Teresa Sparks, MD Cell free DNA screening Department of Obstetrics, Gynecology,

320 views • 13 slides
Meal Planning Made Easy Meal Planning Made Easy Healthy Utah Meal Planning Made Easy

Meal Planning Made Easy Meal Planning Made Easy Healthy Utah Meal Planning Made Easy

Meal Planning Made Easy Meal Planning Made Easy Healthy Utah Meal Planning Made Easy Welcome! Welcome! Housekeeping Webinar polling Recording will be a ailable available http://www.healthyutah.org/ programs/seminars.php

387 views • 19 slides
Piece of cake testing remote embedded devices made easy with MuxPi . Pawe Wieczorek February

Piece of cake testing remote embedded devices made easy with MuxPi . Pawe Wieczorek February

Piece of cake testing remote embedded devices made easy with MuxPi . Pawe Wieczorek February 3, 2018 Samsung R&amp;D Institute Poland Agenda . 1. Introduction 2. Previous efforts 3. Idea 4. Hardware 5. Software 6. Next steps 7.

1.1k views • 79 slides
Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start

Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start

Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start with Appium testing, and scale according to need Easily write stable Appium tests, or run your existing Appium scripts Set up within minutes,

386 views • 14 slides
Avocado: Open Source Testing Made Easy LinuxCon North America, 2015 August, 17th, 2015 Lucas

Avocado: Open Source Testing Made Easy LinuxCon North America, 2015 August, 17th, 2015 Lucas

Avocado: Open Source Testing Made Easy LinuxCon North America, 2015 August, 17th, 2015 Lucas Meneghel Rodrigues &lt;lmr@redhat.com&gt; Senior Software Engineer Agenda What is Avocado? Architecture Features Demo Roadmap

698 views • 17 slides
WD 290 IQ Intelligence Made Easy WD 290 IQ Intuitive, easy to use 10.4 touch screens

WD 290 IQ Intelligence Made Easy WD 290 IQ Intuitive, easy to use 10.4 touch screens

WD 290 IQ Intelligence Made Easy WD 290 IQ Intuitive, easy to use 10.4 touch screens Reduced water use Same footprint as our WD 290 Compatible with WD 290 racks and carts Compatible with WA 290 and SISO

303 views • 17 slides
OO Integration Testing Chapter 18 What assumption is made for integration testing? IOO2

OO Integration Testing Chapter 18 What assumption is made for integration testing? IOO2

OO Integration Testing Chapter 18 What assumption is made for integration testing? IOO2 What assumption is made for integration testing? Assume unit level testing is complete IOO3 What choices are there for unit testing?

1.32k views • 114 slides
The Pulse monitors: Statistics Smartpods PULSE 1 - Improve Facility Efficiencies 2 - Increase

The Pulse monitors: Statistics Smartpods PULSE 1 - Improve Facility Efficiencies 2 - Increase

The Pulse monitors: Statistics Smartpods PULSE 1 - Improve Facility Efficiencies 2 - Increase ROI 3 - Provide DATA and Reports Statistics Analysis Statistics Made Easy Statistics Made Easy Statistics Made Easy Statistics Made Easy

335 views • 18 slides
Q2 ION Metals Analysis Made Easy Elemental 1 19/01/2012 Instrument Impressions Elemental 2

Q2 ION Metals Analysis Made Easy Elemental 1 19/01/2012 Instrument Impressions Elemental 2

Q2 ION Metals Analysis Made Easy Elemental 1 19/01/2012 Instrument Impressions Elemental 2 19/01/2012 Q2 ION Metals Analysis Made Easy System overview Properties &amp; Features Technology Ultra-compact design, patented

785 views • 19 slides
AUDIENCE INTERACTION MADE EASY Let your conference attendees join the conversation and gain

AUDIENCE INTERACTION MADE EASY Let your conference attendees join the conversation and gain

AUDIENCE INTERACTION MADE EASY Let your conference attendees join the conversation and gain valuable industry insight Robert Morris Chief Communications Officer Georgia Ports Authority BRIDGING THE GAP Slido is an easy-to-use Q&amp;A and

293 views • 4 slides
Easy-to-Use Easy-to-Install Easy on the Budget orecx.com Easy-to-Use

Easy-to-Use Easy-to-Install Easy on the Budget orecx.com Easy-to-Use

Easy-to-Use Easy-to-Install Easy on the Budget orecx.com Easy-to-Use Easy-to-Install Easy on the Budget OrecX Call Recording The issue is simple: You want to comply with regulatory requirements and improve customer service by

204 views • 9 slides
Outdoors NV Made Easy First question Why? Customer Service Deliver value

Outdoors NV Made Easy First question Why? Customer Service Deliver value

Outdoors NV Made Easy First question Why? Customer Service Deliver value Ease confusion Reduce mistakes Make it easier for our customers to engage What about the money? Revenue neutral Difficult to model

532 views • 22 slides
FIRST AID KIT MADE EASY with things You Already Have In The Kitchen OATMEAL Amazing for your

FIRST AID KIT MADE EASY with things You Already Have In The Kitchen OATMEAL Amazing for your

FIRST AID KIT MADE EASY with things You Already Have In The Kitchen OATMEAL Amazing for your skin! Relieves rashes, simple sun burn and eczema HONEY Honey, did I tell you I Love You! TEA BAGS They spell relief or make tea CLING

355 views • 32 slides
IoT solution made easy with NFC Session 1 : NFC commissioning solution with the NTAG I 2 C plus kit

IoT solution made easy with NFC Session 1 : NFC commissioning solution with the NTAG I 2 C plus kit

IoT solution made easy with NFC Session 1 : NFC commissioning solution with the NTAG I 2 C plus kit for Arduino pinout JORDI JOFRE NFC READERS NFC EVERYWHERE 11/07/2017 PUBLIC IoT and smart home adoption today 1 The Internet of Things in

590 views • 29 slides
Static Analysis of Dynamically Typed Languages made Easy Yin

Static Analysis of Dynamically Typed Languages made Easy Yin

Static Analysis of Dynamically Typed Languages made Easy Yin Wang School of Informatics and Computing Indiana University Overview Work done as two internships at

797 views • 65 slides
LTE Radio Analy.cs Made Easy and Accessible Swarun Kumar

LTE Radio Analy.cs Made Easy and Accessible Swarun Kumar

LTE Radio Analy.cs Made Easy and Accessible Swarun Kumar Ezzeldin Hamed, Dina Katabi and Li Erran Li LTE A Big Part of Our Lives LTE

863 views • 70 slides
Secure Coding in C/C++ Dr. Kamil Sarac 2012 REU (Research Experiences for Undergraduates)

Secure Coding in C/C++ Dr. Kamil Sarac 2012 REU (Research Experiences for Undergraduates)

Secure Coding in C/C++ Dr. Kamil Sarac 2012 REU (Research Experiences for Undergraduates) Department of Computer Science University of Texas at Dallas Slides prepared by Mitch Adair and Kamil Sarac at UT Dallas Outline Objective What

380 views • 35 slides
W INDOWS :: B YPASSING KERNEL /GS There are two ways published in the literature to bypass the

W INDOWS :: B YPASSING KERNEL /GS There are two ways published in the literature to bypass the

P ROTECTING THE C ORE K ERNEL E XPLOITATION M ITIGATIONS Patroklos Argyroudis, Dimitris Glynos { argp, dimitris } at census-labs.com Census, Inc. Black Hat EU 2011 P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011

970 views • 69 slides
Research project Socioprofessional Dynamics The work presented in this seminar is part of the FNS

Research project Socioprofessional Dynamics The work presented in this seminar is part of the FNS

Introduction From structure to dynamics Synthetic analysis Conclusion References Introduction From structure to dynamics Synthetic analysis Conclusion References Research project Socioprofessional Dynamics The work presented in this

283 views • 7 slides
Survival of the Weakest: Why the West Rules with Salvatore Modica 1 Introduction Why did the

Survival of the Weakest: Why the West Rules with Salvatore Modica 1 Introduction Why did the

Survival of the Weakest: Why the West Rules with Salvatore Modica 1 Introduction Why did the industrial revolution take place in the West and not, say, China? As many theories as there are authors The consensus if there is one

498 views • 21 slides
Introduction and lists Jason Myers Instructor DataCamp Data Types for Data Science Data types

Introduction and lists Jason Myers Instructor DataCamp Data Types for Data Science Data types

DataCamp Data Types for Data Science DATA TYPES FOR DATA SCIENCE Introduction and lists Jason Myers Instructor DataCamp Data Types for Data Science Data types Data type system sets the stage for the capabilities of the language

270 views • 23 slides
Functional Programming Pete Graham @petexgraham My Functional Programming Timeline Learned

Functional Programming Pete Graham @petexgraham My Functional Programming Timeline Learned

Functional Programming Pete Graham @petexgraham My Functional Programming Timeline Learned Haskell at University. Forgot it. Something strange happened... Functional Programming Renaissance 1. What is it? 2. Why learn Functional

559 views • 17 slides
and Unique Fundraising Experiences Featured Presenters Gene Caffrey, Greater Carolinas

and Unique Fundraising Experiences Featured Presenters Gene Caffrey, Greater Carolinas

Fueling the Movement Unforgettable and Unique Fundraising Experiences Featured Presenters Gene Caffrey, Greater Carolinas Chapter Jeff Zaniker, Indiana State Chapter Kurt Lorch, Indiana State Chapter Mark Solari, South

315 views • 30 slides
Objectives Review Servlets Deployment Configuration Sessions, Cookies Handling

Objectives Review Servlets Deployment Configuration Sessions, Cookies Handling

Objectives Review Servlets Deployment Configuration Sessions, Cookies Handling multiple requests Apr 29, 2019 Sprenkle - CS335 1 Servlets Review What application do we need to execute servlets? What class do all web

330 views • 29 slides

More recommend