If you ever had the opportunity to pentest Flash applications you might have had problems analyzing the traffic between the client
and the backend. An increasing number of (web) applications is using Adobe Flex at the
presentation layer which uses the ActionScript Message Format (AMF) to send
data back and forth. One might think that Burp has already built-in decoding functionalities
for AMF. Although this is the case I found Burp’s decoding to be more confusing than useful. So I’ve searched for other
ways to decode AMF encoded data.
When looking at the plain-text traffic, you won’t see much:
1
2
3
4
5
6
7
8
|
...
Content-Type: application/x-amf
Content-Length: 1373
...
^@^C^@^@^@^A^@^Dnull^@^C/46^@^@^K<C6>
^@^@^@^A^Q
<81>^SOflex.messaging.messages.RemotingMessage^Msource^Soperation body^QclientId^SmessageId^Oheaders^UtimeToLive^Stimestamp^Wdestination^A^F^]generateReport ^K^A ^M^A
...
|
Well you can save the response body to some file and then analyze the contents. Using pyamf
I was able to decode the AMF data in way I could easily understand its inner structure. First install pyamf:
$ pip install pyamf
Then read the request data:
1
2
3
4
5
|
In [1]: import pyamf
In [2]: with open('/home/victor/tmp/neu.req', 'r') as f:
content = f.read()
...:
|
And finally decode that data:
1
2
3
4
5
6
7
8
9
10
11
12
|
In [3]: from pyamf import remoting
In [4]: decoded = remoting.decode(content)
In [5]: type(decoded)
Out[5]: pyamf.remoting.Envelope
In [11]: decoded
Out[11]:
<Envelope amfVersion=3>
(u'/46', <Request target=u'null'>[<RemotingMessage body=[[{u'paramValue': u'1A2B4C7E-93B0-4502-878A-9BE40D2A25C4', u'identifier': u'ExternalListGUID', u'type': u'SINGLE_SELECT_DEFAULT', u'name': u'Options'}, {u'paramValue': 5, u'identifier': u'projectversionid', u'type': u'SINGLE_PROJECT', u'name': u'Project Version'}, {u'paramValue': True, u'identifier': u'SecurityIssueDetails', u'type': u'BOOLEAN', u'name': u'Detailed Report'}
...
|
I hope that helped!