[prev in list] [next in list] [prev in thread] [next in thread] 

List:       webappsec
Subject:    deblaze - a remote method enumeration tool for flex servers
From:       jrose <jrose () owasp ! org>
Date:       2009-03-19 1:36:21
Message-ID: 3ED40B1C-160D-44B8-844C-0614338A0F3B () owasp ! org
[Download RAW message or body]

I'd like to announce the first version of deblaze, a remote method  
enumeration tool for flex servers.  Deblaze came about as a necessity  
during a few security assessments of flash based websites that made  
heavy use of flash remoting. I needed something to give me the ability  
to dig a little deeper into the technology and identify security holes.

Deblaze allows you to perform method enumeration and interrogation  
against flash remoting end points.  It takes as input the URL,  
service, and method name for the flex service to be tested.

Deblaze provides the following functionality:
* Brute Force Service and Method Names
* Method Interrogation
* Flex Technology Fingerprinting

There are several ways to determine and access exposed methods:

* Decompile SWF and search for remoting calls
* Watch network traffic for service and method names
* Dictionary attack against service and methods

Grab the latest version at http://deblaze-tool.appspot.com/

- Jon Rose


[prev in list] [next in list] [prev in thread] [next in thread]