This talk will provide a basic overview of Flash remoting and cover some of the security issues found in real-world flash applications and demonstrate a new tool for testing flash applications.
Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Deblaze came about as a necessity during a few security assessments of flash based websites that made heavy use of flash remoting. I needed something to give me the ability to dig a little deeper into the technology and identify security holes. This tool will allow you to perform method enumeration and interrogation against flash remoting end points.
The latest version can be found at deblaze-tool.appspot.com
<strong>Jon Rose</strong> has close to a decade of experience performing network and application security assessments, including network penetration testing, blackbox application testing, and code reviews across a wide range of programming languages and technologies. His security expertise also includes creating enterprise security programs, providing guidance in an enterprise security architect role, and building security into organizations existing software development lifecycle. Jon currently works in Trustwave's SpiderLabs Application Security team.