
Thursday, September 20, 2012

iNalyzer, Belch Recap 2011 - 2012

Hi, it has been a long time since my last post, so here is a small recap of activities and tools:

My OWASP IL 2012 talk "Advanced iOS Hacking" can be found at https://Appsec-labs.com/iNalyzer (I'm currently in the final stages of publishing iNalyzer for iOS application testing, so stay tuned).


Belch has been adopted by my new employer, AppSec-labs; you can download the latest version and documentation at https://Appsec-labs.com/belch

My OWASP IL 2011 presentation can be found at https://Appsec-labs.com/blog/tampering101

And there are some more iOS disclosures that will be published soon.

Shana Tova!

Monday, August 9, 2010

Abusing serialization protocols using JVMITM (JVM in the middle)

A friend of mine asked me to clarify how Belch is used for manipulating serialized traffic, so here goes:

When a serialization channel is created between client and server, all traffic switches from plain HTTP to serialized objects carried over HTTP. This makes tracing, manipulating and testing more difficult, because the body of each request and response is now the binary content of the serialization protocol rather than readable parameters.

With this in mind, what you need is a decoder/encoder utility to stick in the middle of the communication channel, so you can get a better understanding of, and control over, the communication between client and server. Note that this is decoding, not decryption: serialization is only an encoding, and a binary wire format provides no confidentiality or integrity on its own, so anything the client sends can be rewritten before the server sees it. You need the tool to be very efficient and very fast: enter JVMITM, JVM in the middle.

If you divert the communication to a Java VM, you can use Java itself to translate the serialization protocol into a more readable format, say XML. Once in XML, you abuse it at will and hand it back to the JVM, which converts it back into the serialization protocol and sends it on down the communication channel.

The JVMITM approach supports any serialization protocol for which Java has a library, such as Flash AMF, native Java serialization and more. The only thing you have to do in order to decode a given protocol is to include the proper library on your JVMITM classpath.

Belch can help you use JVMITM by letting you redirect the intercepted communication to an application of your choice (a hex editor, a batch wrapper around a JVM, or another tool you wrote yourself).

Stay tuned, as I will publish some examples of using Belch with JVMITM against the Flash AMF serialization protocol.

Monday, May 3, 2010

Pentesting Adobe Flex AMF with Belch

Hi all, long time no post.
I had to do some development work: I got a Flex/BlazeDS application to attack.

The AMF architecture is very straightforward: the Flash client communicates with the BlazeDS server using Adobe's AMF binary protocol.
Yep, the words "binary protocol" mean some playing around is needed when trying to manipulate the traffic in the middle.

So I got busy and wrote a new external library for good old Belch. It handles all the decoding, manipulating and re-encoding on the fly and makes my life easier.
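To make the decode-manipulate-encode cycle of the JVMITM post above, and the AMF handling this post describes, concrete, here is an added example that is my own code, not Belch's AMF library and not JVMITM. It is written in Python rather than run on a JVM, which is enough to show the point: an AMF packet is only an encoding, so a few dozen lines decode it into plain Python structures, a mutation callback rewrites whatever it likes, and the encoder produces valid bytes again. It covers the AMF0 packet envelope (without headers) and the common AMF0 value types; the 0x11 marker that switches a BlazeDS body to AMF3 is deliberately rejected, so a real Flex capture would need an AMF3 decoder on top. The `ShopService.checkout` target and the request bytes are constructed for the example.

```python
"""Minimal AMF0 codec plus the decode-tamper-encode step of an in-the-middle tool.
Added example, not Belch or JVMITM code. Handles the AMF0 packet envelope (no headers)
and the value types below; anything else, including the 0x11 AMF3 switch, raises."""
import struct

# AMF0 type markers, as defined by the AMF0 specification.
NUMBER, BOOLEAN, STRING, OBJECT, NULL, OBJECT_END, STRICT_ARRAY = 0, 1, 2, 3, 5, 9, 10

def _read_utf8(buf, pos):
    """Read a U16 length-prefixed UTF-8 string at buf[pos]; returns (text, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _write_utf8(s):
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def decode_value(buf, pos):
    """Decode one AMF0 value starting at buf[pos]; returns (value, next_pos)."""
    marker, pos = buf[pos], pos + 1
    if marker == NUMBER:                      # IEEE-754 double, big-endian
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == BOOLEAN:
        return buf[pos] != 0, pos + 1
    if marker == STRING:
        return _read_utf8(buf, pos)
    if marker == NULL:
        return None, pos
    if marker == OBJECT:                      # (name, value)* then empty name + object-end
        obj = {}
        while True:
            key, pos = _read_utf8(buf, pos)
            if key == "" and buf[pos] == OBJECT_END:
                return obj, pos + 1
            obj[key], pos = decode_value(buf, pos)
    if marker == STRICT_ARRAY:                # U32 count, then that many values
        (count,) = struct.unpack_from(">I", buf, pos)
        items, pos = [], pos + 4
        for _ in range(count):
            item, pos = decode_value(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("unsupported AMF0 marker 0x%02x at offset %d" % (marker, pos - 1))

def encode_value(v):
    """Encode a Python value as AMF0; bool is tested before int because bool subclasses int."""
    if v is None:
        return bytes([NULL])
    if isinstance(v, bool):
        return bytes([BOOLEAN, int(v)])
    if isinstance(v, (int, float)):
        return bytes([NUMBER]) + struct.pack(">d", float(v))
    if isinstance(v, str):                    # strings over 64 KiB would need long-string (0x0C)
        return bytes([STRING]) + _write_utf8(v)
    if isinstance(v, dict):
        body = b"".join(_write_utf8(k) + encode_value(x) for k, x in v.items())
        return bytes([OBJECT]) + body + b"\x00\x00" + bytes([OBJECT_END])
    if isinstance(v, (list, tuple)):
        return bytes([STRICT_ARRAY]) + struct.pack(">I", len(v)) + b"".join(map(encode_value, v))
    raise TypeError("cannot encode %s as AMF0" % type(v).__name__)

def decode_packet(buf):
    """Parse the AMF envelope: U16 version, U16 header count, U16 message count, messages."""
    version, header_count, message_count = struct.unpack_from(">HHH", buf, 0)
    if header_count:                          # message count only sits at offset 4 when there are no headers
        raise ValueError("AMF packet headers are not handled by this example")
    pos, messages = 6, []
    for _ in range(message_count):
        target, pos = _read_utf8(buf, pos)
        response, pos = _read_utf8(buf, pos)
        body, pos = decode_value(buf, pos + 4)   # skip declared U32 body length; the value is self-delimiting
        messages.append({"target": target, "response": response, "body": body})
    return {"version": version, "messages": messages}

def encode_packet(pkt):
    out = struct.pack(">HHH", pkt["version"], 0, len(pkt["messages"]))
    for m in pkt["messages"]:
        body = encode_value(m["body"])        # declared length is recomputed from the re-encoded body
        out += _write_utf8(m["target"]) + _write_utf8(m["response"])
        out += struct.pack(">I", len(body)) + body
    return out

def tamper(raw, mutate):                      # the in-the-middle step: bytes in, structure to mutate(), bytes out
    pkt = decode_packet(raw)
    mutate(pkt)
    return encode_packet(pkt)

# Constructed sample request: a hypothetical remoting call with one argument object.
SAMPLE_REQUEST = encode_packet({"version": 0, "messages": [{
    "target": "ShopService.checkout", "response": "/1",
    "body": [{"item": "widget", "qty": 2, "price": 49.99, "admin": False}]}]})

def make_it_free(pkt):                        # example mutation: rewrite two fields of the first argument
    order = pkt["messages"][0]["body"][0]
    order["price"], order["admin"] = 0.0, True

if __name__ == "__main__":
    print(decode_packet(tamper(SAMPLE_REQUEST, make_it_free))["messages"][0]["body"])
```

The declared body length in the envelope is recomputed from the re-encoded value, which is what lets the mutation change string lengths or add fields without corrupting the packet; a hex editor cannot do that for you, which is the practical reason for decoding to a structure rather than patching bytes in place. The same pattern generalises to native Java serialization or any other format: swap the codec, keep the tamper step.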

Stay tuned for the sources; I will publish them as soon as they are stable.