List: webappsec
Subject: deblaze - a remote method enumeration tool for flex servers
From: jrose <jrose () owasp ! org>
Date: 2009-03-19 1:36:21
Message-ID: 3ED40B1C-160D-44B8-844C-0614338A0F3B () owasp ! org
I'd like to announce the first version of deblaze, a remote method
enumeration tool for Flex servers. Deblaze came about as a necessity
during a few security assessments of Flash-based websites that made
heavy use of Flash remoting. I needed something to give me the ability
to dig a little deeper into the technology and identify security holes.
Deblaze allows you to perform method enumeration and interrogation
against Flash remoting endpoints. It takes as input the URL,
service, and method name for the Flex service to be tested.
Deblaze provides the following functionality:
* Brute Force Service and Method Names
* Method Interrogation
* Flex Technology Fingerprinting
There are several ways to determine and access exposed methods:
* Decompile SWF and search for remoting calls
* Watch network traffic for service and method names
* Dictionary attack against services and methods
Grab the latest version at http://deblaze-tool.appspot.com/
- Jon Rose