Deblaze – A remote method enumeration tool for flex servers

Expo Theatre (Hall G), October 20, 2009


Jon Rose

Flash has traditionally been a graphics-heavy technology used to create artistic user interfaces that run in a client's browser. The evolution of Flash was pushed by application developers who wanted to access complex business logic and functionality on remote servers. Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Now Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. This talk will describe how Flash Remoting works, the technologies that implement it, and the potential security problems related to Flash Remoting. A proof-of-concept tool, deblaze, will demonstrate how these remote methods can be attacked. Currently, there are no publicly available tools that are able to perform method enumeration and interrogation from a zero-knowledge perspective.