Tuesday, July 17, 2007

Decompiling and testing Flash-based web sites

I've recently been evaluating several tools to help our team perform security assessments on Flash-based web applications. We occasionally have to test client sites that are almost entirely written in Flash, and they can be even more annoying to assess than they are to use. I have never really worked with the language from a developer's perspective, so it's been a good learning experience.

I was first interested in decompilers, thinking that certain poorly-coded applications might have hard-coded host information, credentials, or other potentially sensitive information. I found that Flare is an effective (and free) tool for extracting ActionScript from SWF files. However, after using it on a number of projects I've come to realize that there's rarely much of interest in the ActionScript. (There are a few horribly coded Flash login portals that store passwords in the source code, but I've never seen them used in a "professional" client application. Google for "login.swf", and decompile a few of the results to see what I mean.)

Ordinary proxy tools like Paros or Burp will catch any inbound or outbound HTTP requests issued by a Flash application. However, some applications talk to the server using a SOAP-like messaging protocol known as Flash Remoting, in which messages are binary encoded in "Action Message Format" (AMF). Neither Paros nor Burp will decode AMF, making it difficult to analyze the transactions. However, there are a few applications that can: ServiceCapture and Charles Debugging Proxy are two of the more popular and well-regarded tools. Below are a few screenshots of a binary AMF response as seen in Paros, versus the same response decoded in ServiceCapture:

Binary AMF response in Paros

Decoded AMF response in ServiceCapture

As you can see, deserializing Flash Remoting traffic can provide a lot of information about an application, and even identify targets for parameter manipulation or SQL injection attacks.

Unfortunately, I haven't been able to find any free tools with this capability. ServiceCapture and Charles offer downloadable trials, but require a reasonable license fee for continued use. The Burp Proxy team is soliciting requested features for their next update, so I will be sure to submit this as a recommendation.

No comments: