Post Wed Oct 21, 2009 4:31 pm

Audit Flex Web Application

I need help. I'm still working on a black box pentest and I found a Flex web app (JBoss, Coyote 1.1). The Flex web app consists of a web server (HTTPS/SSL) and a Flash Media Server (RTMPS, which uses TLS on TCP port 2099 for Flash serialization/deserialization, on another server and with another cert). I tried to intercept/see web requests with proxies (WebScarab, Charles, Paros...), tamper plugins (Service Capture and httpsFox don't intercept Flex methods and services) and sniffers (Wireshark with the appropriate SSL cert), and I failed to intercept or manipulate text parameters (the captured data is illegible because it's encrypted, and the proxies don't intercept the web responses/requests and Flex communication).