If you have ever had the opportunity to pentest Flash applications, you might have had problems analyzing the traffic between the client and the backend. An increasing number of (web) applications use Adobe Flex at the presentation layer, and Flex uses the Action Message Format (AMF), a compact binary serialization, to send data back and forth. One might think that Burp already has built-in AMF decoding. It does, but I found Burp's decoding to be more confusing than useful, so I looked for other ways to decode AMF-encoded data.

When looking at the plain-text traffic, you won’t see much:

...
Content-Type: application/x-amf
Content-Length: 1373
...
^@^C^@^@^@^A^@^Dnull^@^C/46^@^@^K<C6>
^@^@^@^A^Q
<81>^SOflex.messaging.messages.RemotingMessage^Msource^Soperation       body^QclientId^SmessageId^Oheaders^UtimeToLive^Stimestamp^Wdestination^A^F^]generateReport      ^K^A    ^M^A
...

You can save the raw request body to a file and analyze it offline. Only the strings are readable in the dump above; the rest is AMF framing: ^@^C is the AMF version (3), ^@^Dnull and ^@^C/46 are the length-prefixed target and response URIs, and ^Q (0x11) is the AMF0 marker that switches the rest of the body to AMF3, which is why the flex.messaging.messages.RemotingMessage class name is followed by its member names (source, operation, body, ...). Using pyamf I was able to decode the data in a way that made its inner structure easy to understand. First install pyamf (pyamf itself only supports Python 2; on Python 3 the Py3AMF fork installs under the same pyamf module name):

$ pip install pyamf

Then read the request data:

In [1]: import pyamf

In [2]: with open('/home/victor/tmp/neu.req', 'rb') as f:   # binary mode: AMF is not text
   ...:     content = f.read()
   ...:

And finally decode that data:

In [3]: from pyamf import remoting

In [4]: decoded = remoting.decode(content)

In [5]: type(decoded)
Out[5]: pyamf.remoting.Envelope

In [11]: decoded
Out[11]: 
<Envelope amfVersion=3>
 (u'/46', <Request target=u'null'>[<RemotingMessage  body=[[{u'paramValue': u'1A2B4C7E-93B0-4502-878A-9BE40D2A25C4', u'identifier': u'ExternalListGUID', u'type': u'SINGLE_SELECT_DEFAULT', u'name': u'Options'}, {u'paramValue': 5, u'identifier': u'projectversionid', u'type': u'SINGLE_PROJECT', u'name': u'Project Version'}, {u'paramValue': True, u'identifier': u'SecurityIssueDetails', u'type': u'BOOLEAN', u'name': u'Detailed Report'}
 ...
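If you cannot install pyamf (or want to understand what Burp's raw view is showing), the framing is simple enough to decode by hand. The following is an added example written for this post, not code from pyamf or from the original article: a minimal AMF0/AMF3 reader that walks the envelope (version, headers, messages), switches to AMF3 at the 0x11 marker, and resolves the string and traits reference tables, so that repeated keys such as paramValue in the second parameter object are decoded correctly. The packet it parses is constructed here to mirror the dump above (a RemotingMessage calling generateReport with two parameter objects); it is not a real capture, the destination name reportService is invented, and the code needs Python 3.8 or later.

```python
import struct

class AMFReader:
    def __init__(self, data):
        self.data, self.pos = data, 0
        self.strings, self.objects, self.traits = [], [], []   # AMF3 reference tables

    def read(self, n):
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        if len(chunk) < n: raise ValueError('truncated AMF data at offset %d' % (self.pos - n))
        return chunk

    def unpack(self, fmt):
        return struct.unpack('>' + fmt, self.read(struct.calcsize(fmt)))[0]

    def u29(self):
        n = 0                                 # up to three 7-bit groups with a continuation bit, then one full byte
        for _ in range(3):
            b = self.unpack('B')
            n = (n << 7) | (b & 0x7F)
            if not b & 0x80: return n
        return (n << 8) | self.unpack('B')

    def amf3_str(self):
        ref = self.u29()
        if not ref & 1: return self.strings[ref >> 1]   # low bit clear: reference into the string table
        s = self.read(ref >> 1).decode('utf-8')
        if s: self.strings.append(s)          # empty strings never enter the table
        return s

    def amf3(self):
        m = self.unpack('B')
        if m in (0x00, 0x01): return None     # undefined, null
        if m in (0x02, 0x03): return m == 0x03
        if m == 0x04:                         # integer: 29-bit two's complement
            n = self.u29()
            return n - 0x20000000 if n & 0x10000000 else n
        if m == 0x05: return self.unpack('d')
        if m == 0x06: return self.amf3_str()
        if m == 0x09: return self.amf3_array()
        if m == 0x0A: return self.amf3_object()
        raise ValueError('unsupported AMF3 marker 0x%02x' % m)

    def amf3_array(self):
        ref = self.u29()
        if not ref & 1: return self.objects[ref >> 1]
        if self.amf3_str(): raise ValueError('ECMA (mixed) arrays are not handled here')
        self.objects.append(arr := [])        # register before reading so self-references resolve
        arr.extend(self.amf3() for _ in range(ref >> 1))
        return arr

    def amf3_object(self):
        ref = self.u29()
        if not ref & 1: return self.objects[ref >> 1]
        if not ref & 2:                       # bit 1 clear: reuse an earlier traits declaration
            traits = self.traits[ref >> 2]
        else:
            if ref & 4: raise ValueError('IExternalizable objects need class-specific readers')
            traits = {'class': self.amf3_str(), 'dynamic': bool(ref & 8),
                      'members': [self.amf3_str() for _ in range(ref >> 4)]}
            self.traits.append(traits)
        obj = {'@class': traits['class']} if traits['class'] else {}
        self.objects.append(obj)
        for name in traits['members']:        # sealed members first, in declared order
            obj[name] = self.amf3()
        while traits['dynamic'] and (key := self.amf3_str()) != '':   # then name/value pairs
            obj[key] = self.amf3()
        return obj

    def amf0(self):
        m = self.unpack('B')                  # only the AMF0 subset Flex wraps around an AMF3 body
        if m == 0x05: return None
        if m == 0x0A: return [self.amf0() for _ in range(self.unpack('I'))]   # strict array
        if m == 0x11: return self.amf3()      # avmplus-object: the value that follows is AMF3
        raise ValueError('unsupported AMF0 marker 0x%02x' % m)

def decode_packet(data):
    r = AMFReader(data)
    version, header_count = r.unpack('H'), r.unpack('H')
    if header_count: raise ValueError('AMF0 packet headers are not handled here')
    messages = []
    for _ in range(r.unpack('H')):
        target, response = (r.read(r.unpack('H')).decode('utf-8') for _ in range(2))
        r.unpack('I')                         # body length, 0xFFFFFFFF when unknown
        r.strings, r.objects, r.traits = [], [], []   # reference tables restart for each body
        messages.append({'target': target, 'response': response, 'body': r.amf0()})
    return {'version': version, 'messages': messages}

# Constructed sample (not a real capture) mirroring the post's dump: version 3, no headers, one message
SAMPLE_BODY = (
    b'\x0a\x00\x00\x00\x01\x11'               # AMF0 strict array of one avmplus-object
    b'\x0a\x33\x4fflex.messaging.messages.RemotingMessage'   # object, inline traits, 3 sealed members
    b'\x13operation\x09body\x17destination\x06\x1dgenerateReport\x09\x05\x01'   # then body: array of 2
    b'\x0a\x0b\x01\x09name\x06\x1fProject Version\x15identifier\x06\x21projectversionid'
    b'\x15paramValue\x04\x05\x01'             # paramValue = integer 5, then end of dynamic members
    b'\x0a\x05\x0a\x06\x1fDetailed Report\x0e\x06\x29SecurityIssueDetails\x12\x03\x01'  # traits + key refs
    b'\x06\x1breportService')                 # destination (invented name)
SAMPLE_REQUEST = b'\x00\x03\x00\x00\x00\x01\x00\x04null\x00\x03/46' + struct.pack('>I', len(SAMPLE_BODY)) + SAMPLE_BODY
```

decode_packet(SAMPLE_REQUEST) returns plain dicts and lists, so you can pass the result to json.dumps for a readable view. The '@class' key on each typed object is the ActionScript class name the remoting endpoint maps to a server-side class, which is worth noting during a pentest. Truncated data raises ValueError instead of returning a partial structure, and IExternalizable objects (ArrayCollection, ObjectProxy) as well as ECMA arrays are rejected rather than mis-parsed; for those you still want pyamf.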

I hope that helped!