Flex with Jetty


awalli6i

Newbie

Posts: 3

Joined: Thu Oct 23, 2008 12:05 am

Post Thu Nov 19, 2009 7:07 pm

Flex with Jetty

Hi all...

I have been asked to have a look at a new webapp that my company is working on. It is built with Flex and runs on the Jetty web server. They want some ideas on how to test the security of the application.

Any advice on what tools to use and where to start?

Thanks heaps

A

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Nov 20, 2009 8:12 am

Re: Flex with Jetty

I would think that the same techniques that work for any web server should work for Jetty web server.  Look for default directories and applications that are almost always vulnerable.  Check to see if directories that should be secure, are.  SSL security is another check.  Google searching for "Jetty vulnerability" reveals a few hits that may be interesting.  I am not sure about using automated tools for this though.

This is Adobe Flex, right? It just builds Adobe Flash apps as far as I know. With Flash, you can try passive methods. Put a proxy (Burp, Tamper Data, etc.) on your session and see what comes over the wire. I suppose that any programming is done with ActionScript in these applications. That's not my area at all. Yet, I would assume that the same principles apply for sanitizing user input.
~~~~~~~~~~~~~~
Ketchup

awalli6i

Newbie

Posts: 3

Joined: Thu Oct 23, 2008 12:05 am

Post Mon Nov 23, 2009 6:00 pm

Re: Flex with Jetty

Hey,

Thanks for the reply. The version of Jetty that they are using has the "//" problem that allowed me to view the files that make up the login page. From there I could download the swf file for the front page.

I used a little product from HP called swfscan (http://www.communities.hp.com/securitys ... fscan.aspx) to decompile the swf and view the source code. Found a few little issues with the code and was able to get into the app.

Also ran WebScarab over the site and it found lots of nice little bits of information.

Thanks again for the advice.

A

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Thu Dec 03, 2009 6:19 am

Re: Flex with Jetty

If you haven't already, also take a look at OWASP, which should give you some more ideas on how to audit it.
