Auditing Flex AMF3 and BlazeDS based RIAs (Blackhat 2008)

In this talk titled "FLEX, AMF 3 and BlazeDS: An Assessment", given at Blackhat USA 2008, Jacob Karlson and Kevin Stadmeyer give us a detailed view of  Adobe Flex, AMF3 and BlazeDS technologies. They take us through the basics of these technologies and discuss the various security mechanisms used in them such as crossdomain.xml, Flash player sandbox, Local Shared Objects, Actionscript cookies etc. Though the talk does not demonstrate any new security vulnerabilities, it does outline the common mistakes flex programmers could make which might open up potential security holes. This also serves as a primer for various security assessment tools for flash applications such as Flash decompilers, debuggers, sniffers and proxies.



 

Vivek Ramachandran is a security evangelist and has been working in computer security related fields for the past 7 years. In 2007, Vivek spoke at world renowned conferences Defcon (WEP Cloaking Exposed) and Toorcon (The Caffe Latte Attack). The discovery of the Caffe Latte Attack was covered by CBS5 news, BBC online, Network World etc news agencies.In 2006, Vivek was announced as one of winners of the Microsoft Security Shootout contest held in India among 65,000 participants. He has also been a recipient of a Team Achievement at Cisco Systems for his work on 802.1x and Port Security modules on the Catalyst 6500 switches. Currently he spends all of his time maintaining Security- Freak.Net , SecurityTube.Net and is the co-founder of Axonize. Vivek, is a Bachelor in Electronics and Communications Engineering from the prestigious Indian Institute of Technology, Guwahati.You can contact him at vivek[at]securitytube.net