On Web Security

securing AMFPHP

I regulary run into Flash applications when I perform a web application penetration test. One of the most widely used server frameworks for communicating with a Flash object is AMFPHP.

Unfortunately the default installation of AMFPHP is insecure. A system administrator or developer actively has to secure the installation, which is often forgotten.

There are some tips lying around the Internet how to secure an AMFPHP installation. The summary:

In the root of your AMFPHP deployment,

delete the DiscoveryService.php file
Delete the browser folder and its contents
Edit gateway.php and set the PRODUCTION_SERVER property to true

Of course it's at least as important to write secure code, harden your server and implement proper patch and maintenance procedures.

more ...

Vulnerability name: Unsafe HTTP methods

Aliases

Web server HTTP Trace/Track method support
Cross-site tracing vulnerability
Dangerous HTTP methods

Scope

Although this is a server configuration issue, the client is at risk here

Remediation

Disable TRACE and/or TRACK and/or DEBUG methods

Verification

Using curl , one can employ one of the methods by hand:

curl -sIX TRACE $TARGET | awk 'NR==1 {print $2}'

Vulnerable when: the result is 200

One should expect (not vulnerable) 405 (Method Not Allowed) or 501 (Not Implemented) results.

This executes the TRACE method against $TARGET , and prints out the HTTP status code using awk . The -I parameter fetches the head only, -s stands for silent mode, and -X specifies the method.

The easiest way to test whether a server is vulnerable is by using the script analyze_hosts.py [1].

This script uses curl as well as nmap to perform multiple tests.

analyze_hosts.py --trace http://www.target.com

Note

When an OPTIONS method is issued, the webserver should return the supported methods. Some web servers have a habit of replying with methods that are in fact not supported - which does not combine nicely with inferior security scanners (and pentesters, I might add) that relying …