Secured AMF services

If you've ever used AMF to store, for example, game scores, you may have wondered whether there is a way to hack it. Well, you can be sure there is. And it's really simple.

Burp Suite is a tool that works as a proxy for your web browser, running on port 8080 by default. The only thing you have to do is set your browser to use Burp Suite as its proxy server to the Internet. Then you can scan all requests and responses and modify them easily (and much more ...).

Since version 1.3 it has native support for AMF, so you can see the whole structure of all requests sent from Flash (and of course you can modify them).

Unfortunately, I don't think there is a 100% way to make calls from Flash secure, but at least you can make it difficult to hack.

In this code snippet I made a simple function that takes all arguments passed to an AMF service, joins them with commas, appends a secret salt to the end and generates a SHA1 hash. Then it assumes that the last argument passed to the service is a hash generated by Flash and compares the two. If they are identical, the arguments sent from Flash were not changed. If they're not, someone probably changed at least one of them.

var a:Array = new Array("first important message", "second", "third");
var str:String = a.join(',') + "my_secret_salt";
// now generate SHA1 hash for "first important message,second,thirdmy_secret_salt"

And in PHP

class AmfSHA1 {

    /**
     * Verify hashes
     *
     * @param array $arguments  array with all arguments passed to an AMF service
     * @param string $salt      predefined salt. Must be the same as used by Flash
     * @return boolean          returns true if hashes are equal, otherwise false
     */
    public static function verify($arguments, $salt) {
        foreach ($arguments as &$arg) {
            if (is_bool($arg)) { // check for boolean variables and replace them with strings
                $arg = $arg ? 'true' : 'false';
            }
        }
        unset($arg); // break the reference left over from the foreach

        // hash is the last item in the array of arguments passed to the amf service
        $hash = array_pop($arguments);
        if (!is_string($hash)) {
            return false; // no hash was sent, or it is not a string
        }
        $hash = trim($hash, '"');

        // we'll generate SHA1 hash for "first important message,second,thirdmy_secret_salt" and compare it with the hash sent from Flash
        // hash_equals() compares in constant time and avoids the type juggling of ==
        return hash_equals(sha1(implode(',', $arguments) . $salt), $hash);
    }
}

class myService {

    public function saveImportantData($first, $second, $third, $hash) {
        $verified = AmfSHA1::verify(func_get_args(), 'my_secret_salt');
        if ($verified) {
            // everything's fine
        } else {
            // something's wrong - hashes don't match
        }
    }
}

There's just one important caveat you should be aware of. It doesn't matter if the hacker can decompile your SWF and see how you generate hashes; the only thing you have to protect is the salt. Well, I'm not a Flash developer, so I can't give you any advice, but I guess this could help you out: Amayeta.
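
An added example, not code from the original post: the post's comma-join construction next to a variant that authenticates a JSON encoding of the arguments with HMAC-SHA256, so argument boundaries are covered by the check. The function names and sample arguments are hypothetical, and it assumes the Flash client can produce byte-identical JSON and the same HMAC.

```php
<?php
// Added example; function names and sample data are hypothetical.

// The post's construction: comma-join the arguments, append the salt, SHA1.
function legacyTag(array $args, string $salt): string {
    return sha1(implode(',', $args) . $salt);
}

// Variant: HMAC-SHA256 over a JSON array, so the position of every argument
// boundary and the type of every value (true vs 'true') is authenticated.
function hmacTag(array $args, string $key): string {
    $canonical = json_encode(array_values($args), JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $canonical, $key);
}

// Verify a call whose last argument is the tag sent by the client.
function verifyCall(array $callArgs, string $key): bool {
    $tag = array_pop($callArgs);
    if (!is_string($tag)) {
        return false; // missing or non-string tag
    }
    // hash_equals() compares in constant time and never type-juggles.
    return hash_equals(hmacTag($callArgs, $key), $tag);
}

$key = 'my_secret_salt'; // sample value taken from the post

// Constructed inputs: two different argument lists that both join to
// "first,second,third", so the comma-join scheme cannot tell them apart.
$a = ['first,second', 'third'];
$b = ['first', 'second,third'];

echo "legacy tags equal: ";
var_dump(legacyTag($a, $key) === legacyTag($b, $key));
echo "hmac tags equal:   ";
var_dump(hmacTag($a, $key) === hmacTag($b, $key));

// A tag issued for $a is checked against $a, then against $b.
$tag = hmacTag($a, $key);
echo "verify a with tag: ";
var_dump(verifyCall(array_merge($a, [$tag]), $key));
echo "verify b with tag: ";
var_dump(verifyCall(array_merge($b, [$tag]), $key));
```

As with the post's version, the key still ships inside the SWF, so this only tightens the check itself.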
