Difference between revisions of "OWASP Israel 2008 Conference Ronen Bachar"

From OWASP
Jump to: navigation, search
(Initial)
 
 
(One intermediate revision by one user not shown)
Line 3: Line 3:
 
The move to web 2.0 and RIA (Rich Internet Applications) has presented new obstacles for automated web application scanners and crawlers. Specifically, the ability to automatically crawl Flash/Flex based applications and to analyze AMF traffic (proprietary Adobe binary message format) for security vulnerabilities. This presentation will discuss the following subjects -  
 
The move to web 2.0 and RIA (Rich Internet Applications) has presented new obstacles for automated web application scanners and crawlers. Specifically, the ability to automatically crawl Flash/Flex based applications and to analyze AMF traffic (proprietary Adobe binary message format) for security vulnerabilities. This presentation will discuss the following subjects -  
  
[1] High level description of Flash/Flex applications  
+
# Introduction to Flash/Flex applications  
[2] High level description of the AMF protocol and its usage  
+
# High level description of the AMF protocol and its usage  
[3] Obstacles faced when attempting to automate Flash/Flex application crawling and testing
+
# Automated Flash Testing Challenges (Crawling & Testing)
[4] Overview of security risks in Flash/Flex applications  
+
# Overview of security risks in Flash/Flex applications  
  
 
Note: while this presentation is not product specific, it comes to show the current problems of automated security solutions, and will show the implementation that was done in IBM/Watchfire AppScan as a possible solution. We do not plan to pitch the product explicitly.
 
Note: while this presentation is not product specific, it comes to show the current problems of automated security solutions, and will show the implementation that was done in IBM/Watchfire AppScan as a possible solution. We do not plan to pitch the product explicitly.

Latest revision as of 14:02, 6 September 2008

Automated Crawling & Security Analysis of Flash/Flex based Web Applications

The move to web 2.0 and RIA (Rich Internet Applications) has presented new obstacles for automated web application scanners and crawlers. Specifically, the ability to automatically crawl Flash/Flex based applications and to analyze AMF traffic (proprietary Adobe binary message format) for security vulnerabilities. This presentation will discuss the following subjects -

  1. Introduction to Flash/Flex applications
  2. High level description of the AMF protocol and its usage
  3. Automated Flash Testing Challenges (Crawling & Testing)
  4. Overview of security risks in Flash/Flex applications

Note: while this presentation is not product specific, it comes to show the current problems of automated security solutions, and will show the implementation that was done in IBM/Watchfire AppScan as a possible solution. We do not plan to pitch the product explicitly.

Bio

I have been working at Watchfire since 2004 . I'm a team leader for AppScan for the past 2.5 years and manage Flash Crawling project, C++ developer ( 1.5 years). SW engineer and team leader at Network Privacy ( 4 years). SW and HW developer at Elisra. I graduated Computer Science and Math from the Open University.