NetSPI Blog

Tool release: AMF Deserialize Burp Plugin

Khai Tran
January 9th, 2013

Action Message Format (AMF) is one of the communication protocols used to exchange messages between a Flash client and server; the others are RTMP and XML. BurpAMFDSer is another Burp plugin that deserializes and serializes AMF requests and responses to and from XML using the XStream library (http://xstream.codehaus.org/). BurpAMFDSer also uses part of Kenneth Hill’s JMeter source code for custom AMF deserialization (https://github.com/steeltomato/jmeter-amf).
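To make the AMF-to-XML step concrete, here is an added example (not BurpAMFDSer's code, which is Java and relies on XStream): a small Python decoder that renders an AMF0 packet envelope as XML. The function names, XML element names and sample bytes are assumptions for illustration; it covers only a few AMF0 types and rejects packet headers and AMF3 bodies (marker 0x11).

```python
import io
import struct
import xml.etree.ElementTree as ET

def take(buf, n):  # bounds-checked read from untrusted input
    chunk = buf.read(n)
    if len(chunk) != n:
        raise ValueError("truncated AMF data")
    return chunk
def unpack(buf, fmt):  # one big-endian field
    return struct.unpack(fmt, take(buf, struct.calcsize(fmt)))[0]
def utf8(buf):  # UTF-8 string with a 16-bit length prefix
    return take(buf, unpack(buf, ">H")).decode("utf-8")

def read_value(buf, parent, depth=0):
    """Decode one AMF0 value into a child element of parent."""
    if depth > 32:
        raise ValueError("AMF0 nesting too deep")
    marker = unpack(buf, ">B")
    if marker == 0x00:    # number: IEEE-754 double
        ET.SubElement(parent, "number").text = repr(unpack(buf, ">d"))
    elif marker == 0x02:  # string
        ET.SubElement(parent, "string").text = utf8(buf)
    elif marker == 0x03:  # object: key/value pairs, closed by "" + 0x09
        obj = ET.SubElement(parent, "object")
        while (key := utf8(buf)) != "":
            read_value(buf, ET.SubElement(obj, "field", name=key), depth + 1)
        if unpack(buf, ">B") != 0x09:
            raise ValueError("missing object-end marker")
    elif marker == 0x0A:  # strict array: 32-bit count, then values
        arr = ET.SubElement(parent, "array")
        for _ in range(unpack(buf, ">I")):
            read_value(buf, arr, depth + 1)
    else:
        raise ValueError("unsupported AMF0 marker 0x%02x" % marker)

def amf_to_xml(data):
    buf = io.BytesIO(data)
    root = ET.Element("amf", version=str(unpack(buf, ">H")))
    if unpack(buf, ">H") != 0:
        raise ValueError("packet headers are not handled in this example")
    for _ in range(unpack(buf, ">H")):
        msg = ET.SubElement(root, "message", target=utf8(buf), response=utf8(buf))
        unpack(buf, ">I")  # declared body length: read but never trusted
        read_value(buf, msg)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: one message "echo" with args [{"user": "alice"}, 1.0]
SAMPLE = (b"\x00\x00\x00\x00\x00\x01\x00\x04echo\x00\x02/1\x00\x00\x00\x20\x0a\x00\x00\x00\x02"
          b"\x03\x00\x04user\x02\x00\x05alice\x00\x00\x09\x00\x3f\xf0\x00\x00\x00\x00\x00\x00")
```

Calling `amf_to_xml(SAMPLE)` returns the XML string; truncated input or an unsupported type marker raises `ValueError` instead of producing partial output.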

How to run:

java -classpath burp.jar;burpAMFDser.jar;xstream-1.4.2.jar burp.StartBurp

Sample serialized Request:

Sample deserialized Request:

Sample deserialized Response:

Source code and executables are available at:
https://github.com/NetSPI/burp-plugins/tree/master/BurpAMFDSer/Old_APIs

The sample application in the screenshot is TraderDesktop, which is provided as part of ADEP Data Services for Java EE 4.6 and can be downloaded at: https://www.adobe.com/cfusion/tdrc/index.cfm?product=livecycle_dataservices

I’ve also developed a newer version of this plugin to be compatible with the new Burp Extender APIs (http://blog.portswigger.net/2012/12/draft-new-extensibility-api.html). Now you can modify AMF requests and responses in a separate tab.

The new plugin can be loaded dynamically via Burp Extender:

Sample Request:

I also added 2 new menus to work with Intruder and Scanner (Pro version only):

Send deserialized request to Intruder

Scan AMF (Pro version only)

Unfortunately, the new APIs are only available for Burp Suite Pro version 1.5.01 and later. Hopefully the author will update the free version soon.

If you are interested, source code and executable are available at: https://github.com/NetSPI/burp-plugins/tree/master/BurpAMFDSer/New_APIs

Aaron

I am using the latest Burp, 1.5.04 and when I try to load your jar file through the extender, or try to launch Burp with your JAR files I get the following error:

C:\Users\Aeon\Downloads>java -classpath burpsuite_pro_v1.5.04.jar;burpAMFDSer.jar;xstream-1.4.2.jar burp.StartBurp
java.lang.ClassNotFoundException: burp.BurpExtender
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Unknown Source)
    at burp.s0c.a(Unknown Source)
    at burp.s0c.(Unknown Source)
    at burp.jad.a(Unknown Source)
    at burp.ro.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Any ideas as to why it may not be working? Thanks!

Ajay

I am interested in trying this, but when I tried it after extending plugin AMFDSer and intercepting for localhost:8080 and 2080.
Unfortunately I couldn’t get the serialisation information as you showed.
This is what I got…
GET / HTTP/1.1
Host: localhost:2080
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,en-GB;q=0.6

Can you help me in finding where I am missing the main point?

Paul Harrington

It would appear that the plugin is itself vulnerable to XXE.

I spent a while trying to confirm an XXE vulnerability reported by Burp scanner and after a fair bit of head scratching and debugging managed to work out that the files being returned by XXE were in fact coming from my local filesystem.

I suspect that this is an issue with the bundled xstream processor.

sanjay

Currently I am working on AMF. Can anyone explain or provide information regarding how the serialisation and deserialisation works and, if possible, any examples of sample code? :) Thanks in advance.

Adi

Hi Khai,

I’m trying the new APIs version on Burp Pro v.1.6+. It works fine for requests but I’m NOT able to read back RESPONSES. Any tips for me? I can provide more details if needed.

Thanks for your help.