[Owasp-JBroFuzz] fuzzing AMF

Juraj Bednar asterisk4juraj at gmail.com
Sun Sep 26 06:57:58 EDT 2010


Hello,

    I've seen a lot of applications using AMF (a binary format for
encoding data structures). This is used mainly by Adobe Flash/Flex
clients, although it is a generic format for encoding data structures.
There are basic tools like deblaze, which does a pretty good job in
method enumeration: http://deblaze-tool.appspot.com/.

     Also, BurpSuite supports decoding and changing AMF, but no fuzzing.
I am wondering if anyone has been thinking about implementing AMF
support in JBroFuzz. Being a binary format, it requires special support
(it is not possible to just replace parts in the middle of the request).
But there are pretty good libraries, which are open-source, and it would
be possible to do this very easily.

     Currently, I am doing this by fuzzing manually for a particular
application. The reporting capabilities of JBroFuzz would be a great
upgrade though. Is it possible to use a third-party fuzzer and just
somehow see the results in JBroFuzz while there's no AMF support
directly in JBroFuzz?

        Thank you,

             Juraj.
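
Added example, not part of the original message and not JBroFuzz, deblaze or Burp code: a sketch of why a length-prefixed binary format such as AMF cannot be fuzzed by replacing bytes in the middle of a request. It covers only the AMF0 number and string types; the function names and the sample values are constructed for illustration.

```python
import struct
NUMBER, STRING = 0x00, 0x02  # AMF0 type markers (subset)

def encode(values):
    """Serialize a flat list of floats and strings as consecutive AMF0 values."""
    out = bytearray()
    for v in values:
        if isinstance(v, str):
            raw = v.encode("utf-8")
            if len(raw) > 0xFFFF:
                raise ValueError("string needs the AMF0 long-string type")
            out += bytes([STRING]) + struct.pack(">H", len(raw)) + raw  # U16 length prefix
        elif isinstance(v, float):
            out += bytes([NUMBER]) + struct.pack(">d", v)  # 8-byte big-endian double
        else:
            raise TypeError("unsupported type: %r" % type(v))
    return bytes(out)

def decode(data):
    """Parse consecutive AMF0 values; raise ValueError on malformed input."""
    values, pos = [], 0
    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated value at offset %d" % pos)
        pos += n
        return data[pos - n:pos]
    while pos < len(data):
        marker = take(1)[0]
        if marker == NUMBER:
            values.append(struct.unpack(">d", take(8))[0])
        elif marker == STRING:
            (length,) = struct.unpack(">H", take(2))
            values.append(take(length).decode("utf-8"))
        else:
            raise ValueError("unsupported marker 0x%02x" % marker)
    return values

def naive_splice(data, old, new):
    """Text-style substitution: swaps bytes but leaves the length prefix stale."""
    return data.replace(old.encode("utf-8"), new.encode("utf-8"))

def structured_mutation(data, index, new_value):
    """Decode, change one field, re-encode so the length prefix is recomputed."""
    values = decode(data)
    values[index] = new_value
    return encode(values)
ORIGINAL = encode(["alice", 42.0])  # constructed sample: two call arguments
```

With the spliced message the decoder still reads five bytes for the string and then treats the leftover payload bytes as a type marker, so the request is rejected before the fuzzed value reaches application logic; the re-encoded message parses cleanly.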

