Description: Since its introduction in 2002, Action Message Format (AMF) has attracted the interest of developers and bug-hunters. Techniques and extensions for traditional web security tools have been developed to support this binary protocol. In spite of that, bug hunting on AMF-based applications is still a manual and time-consuming activity. Moreover, several new features of the latest specification, such as externalizable objects and variable length encoding schemes, limit the existing tools. During this talk, I will introduce a new testing approach and toolchain, reshaping the concept of AMF fuzzing. Our automated gray-box testing technique allows security researchers to build custom AMF messages, dynamically generating objects from method signatures. The approach has been implemented in a Burp Suite plugin named Blazer. This tool consents to improve the coverage and the effectiveness of fuzzing efforts targeting complex applications. Real-world vulnerabilities discovered using Blazer will be presented as well as a generic methodology to make AMF testing easier and more robust. Adobe BlazeDS, a well-known Java remoting technology, will be used as our server-side reference implementation.
For More Information please visit : - www.blackhat.com/usa/bh-us-12-speakers.html
Tags: securitytube , hacking , hackers , information security , convention , computer security , blackhat-usa-2012 ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.