OWASP Israel 2008 Conference
Ronen Bachar

Automated Crawling & Security Analysis of Flash/Flex based Web Applications
The move to Web 2.0 and RIA (Rich Internet Applications) has presented new obstacles for automated web application scanners and crawlers. Specifically, it complicates the ability to automatically crawl Flash/Flex based applications and to analyze AMF traffic (Adobe's proprietary binary message format) for security vulnerabilities. This presentation will discuss the following subjects:

[1] High level description of Flash/Flex applications
[2] High level description of the AMF protocol and its usage
[3] Obstacles faced when attempting to automate Flash/Flex application crawling and testing
[4] Overview of security risks in Flash/Flex applications

Note: while this presentation is not product specific, it is intended to show the current problems of automated security solutions, and will present the implementation done in IBM/Watchfire AppScan as one possible solution. We do not plan to pitch the product explicitly.

Bio
I have been working at Watchfire since 2004. I have been a team leader for AppScan for the past 2.5 years and manage the Flash Crawling project; C++ developer (1.5 years). SW engineer and team leader at Network Privacy (4 years). SW and HW developer at Elisra. I graduated in Computer Science and Math from the Open University.