(Paper) Pentesting Adobe Flex Applications (introducing new tool Blazentoo)

Marcin Wielgoszewski from Gotham Digital Science gave a keynote at the OWASP NY session (http://www.owasp.org/index.php/NYNJMetro) where he exhibited intrusion techniques on application based on Adobe AIR. Indeed, with the integration of RIA in the client side, we tend to forget that the beauty of things can hide a real threat.

This document details the communication methods used by Adobe Air and some points of failure. The author also shows how with simple security tools, which we already mentioned in security-database tools tracker, one’s can compromise the data stream.

Marcin also introduces a new tool (Blazentoo) developed by himself for making auditing and pentesting Adobe Air applications much easier.

Introducing Blazentoo

Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. Blazentoo provides the ability to seamlessly browse web content, abusing insecurely configured Proxy Services.