Since its introduction in 2002, Action Message Format (AMF) has attracted the interest of developers and bug-hunters. Techniques and extensions for traditional web security tools have been developed to support this binary protocol. In spite of that, bug hunting on AMF-based applications is still a manual and time-consuming activity. Moreover, several new features of the latest specification, such as externalizable objects and variable-length encoding schemes, limit the existing tools. During this talk, I will introduce a new testing approach and toolchain, reshaping the concept of AMF fuzzing. Our automated gray-box testing technique allows security researchers to build custom AMF messages, dynamically generating objects from method signatures. The approach has been implemented in a Burp Suite plugin named Blazer. This tool allows testers to improve the coverage and effectiveness of fuzzing efforts against complex applications. Real-world vulnerabilities discovered using Blazer will be presented, together with a generic methodology that makes AMF testing easier and more robust. Adobe BlazeDS, a well-known Java remoting technology, will be used as our server-side reference implementation.
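To illustrate the variable-length encoding the abstract mentions, here is an added example (not code from the talk or from Blazer) of the AMF3 U29 integer and inline string encoding, with strict bounds checks so a decoder can distinguish a truncated message from one whose length header was altered. All sample byte strings are constructed for this example.

```python
"""AMF3 U29 variable-length integers and inline strings (constructed example)."""

U29_MAX = 0x1FFFFFFF  # U29 carries at most 29 usable bits


def encode_u29(value: int) -> bytes:
    """Encode an unsigned 29-bit integer into 1-4 bytes.

    The first three bytes hold 7 bits each, high bit set when another byte
    follows; a fourth byte, if present, holds a full 8 bits.
    """
    if not 0 <= value <= U29_MAX:
        raise ValueError("value outside U29 range")
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return bytes([(value >> 7) | 0x80, value & 0x7F])
    if value < 0x200000:
        return bytes([(value >> 14) | 0x80, ((value >> 7) & 0x7F) | 0x80, value & 0x7F])
    return bytes([(value >> 22) | 0x80, ((value >> 15) & 0x7F) | 0x80,
                  ((value >> 8) & 0x7F) | 0x80, value & 0xFF])


def decode_u29(data: bytes, pos: int = 0) -> tuple[int, int]:
    """Decode a U29 at pos and return (value, next_pos); reject truncated input."""
    value = 0
    for _ in range(3):
        if pos >= len(data):
            raise ValueError("truncated U29")
        b = data[pos]
        pos += 1
        if b & 0x80 == 0:
            return (value << 7) | b, pos
        value = (value << 7) | (b & 0x7F)
    if pos >= len(data):
        raise ValueError("truncated U29")
    return (value << 8) | data[pos], pos + 1  # fourth byte: all 8 bits are data


def encode_amf3_string(text: str) -> bytes:
    """Inline AMF3 string: marker 0x06, U29 header (byte_length << 1 | 1), UTF-8 bytes."""
    raw = text.encode("utf-8")
    return b"\x06" + encode_u29((len(raw) << 1) | 1) + raw


def decode_amf3_string(data: bytes, pos: int = 0) -> tuple[str, int]:
    """Decode an inline AMF3 string; the declared length is checked against the buffer."""
    if pos >= len(data) or data[pos] != 0x06:
        raise ValueError("expected AMF3 string marker 0x06")
    header, pos = decode_u29(data, pos + 1)
    if header & 1 == 0:  # low bit clear means a string-table reference, not inline data
        raise ValueError("string reference %d not supported here" % (header >> 1))
    length = header >> 1
    if pos + length > len(data):
        raise ValueError("declared length %d exceeds %d remaining bytes" % (length, len(data) - pos))
    return data[pos:pos + length].decode("utf-8"), pos + length
```

Because every integer and length prefix may occupy one to four bytes, a mutation that changes a single header byte shifts every following field, which is why byte-level fuzzers built for fixed layouts produce mostly malformed AMF3 rather than meaningful variants.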
Luca Carettoni is a senior security consultant for Matasano Security with over 7 years of experience as a computer security researcher. His professional expertise includes black box security testing, web application security, vulnerability research and source code analysis. Prior to Matasano, Luca worked at The Royal Bank of Scotland as a penetration testing specialist, where he performed security audits against several online banking systems worldwide. In recent years, Luca has been an active participant in the security community and a member of the Open Web Application Security Project (OWASP). Luca holds a Master's Degree in Computer Engineering from the Politecnico di Milano.