Luca Carettoni edited this page Jul 19, 2016 · 2 revisions

Q: What are the system requirements for running Blazer?

A: A computer with the standard Java Runtime Environment (version 1.6 or later) and Burp Suite (Free or Professional) installed.


Q: Using Burp with Blazer, I get the following exception

Exception in thread "Thread-54" java.lang.NoSuchMethodError: flex.messaging.io.amf.client.AMFConnection.setProxy(Ljava/net/Proxy;)V

A: To fix this issue, change the order of the JARs in your classpath. See How To Start for more details.

The exception occurs because Burp Free (1.4.01) and old versions of Burp Pro include an outdated version of the Adobe Flex libraries. If Burp's JAR comes first in the classpath, its classes override the newer Adobe Flex classes that are already embedded within Blazer. In the future, I expect all versions of Burp to include the newest Flex libraries. For now, inverting the order of the JARs should fix the problem.
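
The shadowing described above can be checked before launching Burp. The following Python script is an added example, not part of Blazer or of the original wiki page: it reports which JAR on a classpath supplies AMFConnection first and whether that copy contains the setProxy(java.net.Proxy) method named in the exception. The byte search for the method name and descriptor is a heuristic, and the JAR paths are whatever classpath you pass in.

```python
import os
import zipfile

# Class and method named in the NoSuchMethodError quoted above.
CLASS_ENTRY = "flex/messaging/io/amf/client/AMFConnection.class"
METHOD_NAME = b"setProxy"
METHOD_DESC = b"(Ljava/net/Proxy;)V"


def providers(classpath, sep=os.pathsep):
    """Return [(jar, has_set_proxy)] for every JAR on the classpath that
    contains AMFConnection, in classpath order."""
    found = []
    for entry in classpath.split(sep):
        if not entry or not zipfile.is_zipfile(entry):
            continue  # directories, wildcards and missing files are skipped
        with zipfile.ZipFile(entry) as jar:
            try:
                data = jar.read(CLASS_ENTRY)
            except KeyError:
                continue  # this JAR does not ship the class
        # Heuristic (assumption): the method name and descriptor are stored
        # as UTF-8 constants in the class file, so a byte search suffices.
        found.append((entry, METHOD_NAME in data and METHOD_DESC in data))
    return found


def diagnose(classpath, sep=os.pathsep):
    """Explain which copy of AMFConnection the JVM will load."""
    hits = providers(classpath, sep)
    if not hits:
        return "AMFConnection not found on classpath"
    winner, ok = hits[0]  # the application class loader takes the first match
    if ok:
        return "OK: %s is loaded and provides setProxy(Proxy)" % winner
    newer = [jar for jar, has in hits[1:] if has]
    if newer:
        return ("SHADOWED: %s is loaded first and lacks setProxy(Proxy); "
                "move %s ahead of it" % (winner, newer[0]))
    return "OUTDATED: %s lacks setProxy(Proxy) and no later JAR has it" % winner


if __name__ == "__main__":
    import sys
    cp = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("CLASSPATH", "")
    print(diagnose(cp))
```

Run it with the same classpath string you pass to java -classpath; a SHADOWED result corresponds to the JAR order that triggers the exception.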


Q: Blazer is a "gray-box" testing tool. What does it mean?

A: It means that the source code or the portable code (bytecode) of the application under scrutiny should be available. During vulnerability research, this is a realistic assumption, as the tester usually has full control over the testing environment.


Q: What is the "# Permutations" configuration option?

A: The "# Permutations" option sets the number of AMF messages that Blazer generates for each method signature. This parameter is crucial for the entire analysis, as it directly affects the likelihood of generating semantically valid objects for the application under scrutiny. Increasing the number of permutations increases the number of Java objects generated for a specific AMF method signature, each populated with different data. It also increases the total number of requests and the overall time of the analysis.


Q: Is Blazer a Flex/Flash/AMF protocol fuzzer?

A: No! Blazer is a tool for testing AMF-based applications. It has been designed and implemented to test applications developed with Flex and using BlazeDS (or equivalents).


Q: How can I improve Blazer's configuration?

A: Optimize the number of permutations according to the complexity of each method's arguments. Make sure that all data pools for primitive types and String are relevant to the application under analysis. Balance "good" strings and "bad" attack vectors.


Q: Does Blazer really work?

A: Surprisingly, yes, it does. Part of Blazer's codebase has been used in several real-life projects involving complex AMF-based applications. For instance, CVE-2012-3248 and CVE-2012-3249 were uncovered using this tool.


Q: How can I quickly test Blazer?

A: One of the easiest ways to test Blazer is to use the Adobe BlazeDS turnkey as the target application. The BlazeDS turnkey server is a ready-to-use version of Tomcat in which the BlazeDS framework has already been deployed along with sample applications.

  1. Make sure that you have a recent Java Runtime Environment installed, and that the JAVA_HOME environment variable points to that installation
  2. Download Adobe turnkey from the official Adobe webpage
  3. Unzip the file (e.g. blazeds-turnkey-4.0.1.21287.zip)
  4. Start Tomcat with ./blazeds-turnkey-4.0.1.21287/tomcat/bin/startup.sh
  5. A sample database is also required for some sample applications. Go to ./blazeds-turnkey-4.0.1.21287/sampledb/
  6. Start the db with ./startdb.sh
  7. Point your browser to http://127.0.0.1:8400/

Note: On Windows, use the corresponding .bat scripts.


Q: Any suggestions on how to improve fuzzing?

A: Have a look at this blog post: Effective AMF RemotingMessage Fuzzing with Blazer
