Presented at Black Hat USA 2012
Since its introduction in 2002, Action Message Format (AMF) has attracted the interest of developers and bug-hunters. Techniques and extensions for traditional web security tools have been developed to support this binary protocol. In spite of that, bug hunting on AMF-based applications is still a manual and time-consuming activity. Moreover, several new features of the latest specification, such as externalizable objects and variable length encoding schemes, limit the existing tools. During this talk, I will introduce a new testing approach and toolchain, reshaping the concept of AMF fuzzing. Our automated gray-box testing technique allows security researchers to build custom AMF messages, dynamically generating objects from method signatures. The approach has been implemented in a Burp Suite plugin named Blazer. This tool consents to improve the coverage and the effectiveness of fuzzing efforts targeting complex applications. Real-world vulnerabilities discovered using Blazer will be presented as well as a generic methodology to make AMF testing easier and more robust. Adobe BlazeDS, a well-known Java remoting technology, will be used as our server-side reference implementation.