This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Israel 2008 Conference Ronen Bachar

Jump to: navigation, search

Automated Crawling & Security Analysis of Flash/Flex based Web Applications

The move to web 2.0 and RIA (Rich Internet Applications) has presented new obstacles for automated web application scanners and crawlers. Specifically, the ability to automatically crawl Flash/Flex based applications and to analyze AMF traffic (proprietary Adobe binary message format) for security vulnerabilities. This presentation will discuss the following subjects -

  1. Introduction to Flash/Flex applications
  2. High level description of the AMF protocol and its usage
  3. Automated Flash Testing Challenges (Crawling & Testing)
  4. Overview of security risks in Flash/Flex applications

Note: while this presentation is not product specific, it comes to show the current problems of automated security solutions, and will show the implementation that was done in IBM/Watchfire AppScan as a possible solution. We do not plan to pitch the product explicitly.


I have been working at Watchfire since 2004 . I'm a team leader for AppScan for the past 2.5 years and manage Flash Crawling project, C++ developer ( 1.5 years). SW engineer and team leader at Network Privacy ( 4 years). SW and HW developer at Elisra. I graduated Computer Science and Math from the Open University.