Get off your AMF and don’t REST on JSON!


By Henry Dalziel, Information Security Blogger, Concise Courses

This coming Thursday, August 8th 2013 at 12 EST/ 9 PST, Dan Kuykendall will be presenting: “Get Off Your AMF and Don’t REST on JSON,” a talk which he also delivered at OWASP AppSec Conference.

Dan’s talk is going to fit very nicely into other recent Hacker Hotshot talks since he will be outlining code and web application testing. (Quick side note: if you have a moment and are interested in Web Application Security you might also find it useful to watch Sherif Kousa present “Secure Code Reviews: Magic or Art?”, in which he outlines how security code reviews are one of the best ways to uncover security flaws in source code.)

About Dan Kuykendall
Dan Kuykendall is co-CEO and CTO of NT OBJECTives. NT OBJECTives (NTO) is an organization involved with solving application security challenges. The NTO team represents a group of highly experienced information security professionals that collectively bring an abundance of knowledge. Their flagship product, NTOSpider, is designed to be a fully automated Web application scanner that automates authentication, session management as well as other important penetration testing processes. Dan is particularly well experienced with this type of product and solution having previously worked at Foundstone where he was responsible for the portal interface to the company’s flagship product, FoundScan.

Dan is very active in the InfoSec world, blogging on ManVsWebApp.com as well as co-hosting an Information Security Podcast. He has presented at many Information Security conferences including AppSec, HouSecCon, ToorCon and THOTCON. We are absolutely delighted to have Dan on the show and we really encourage you to sign up and learn more!

Learning Objectives of Dan’s Presentation

  • Viewers will learn how, although HTTP is being used to transport new request formats such as those from mobile apps (e.g. REST, JSON, AMF and GWT), few security teams have updated their testing procedures.
  • Dan will explain how all of these new formats are potential new playgrounds for attackers and penetration testers.
  • Dan will demonstrate the process of breaking down these new formats and attacking them!
  • Attendees will also learn how to leverage their existing penetration testing methodologies.

AMF Brief Outline
ASP.NET Mobile Framework (AMF) is a framework that can be used for making web applications for tablet and smartphone web browsers. The framework allows the developer to generate HTML through WebControls and also facilitates databinding through its HTML5 markup-driven configuration.

REST Brief Outline
Representational state transfer (REST) is a style of software architecture which has become popular amongst API designers.

JSON Brief Outline
Compared to AMF and REST, JSON is likely the more widely used format. JSON, short for ‘JavaScript Object Notation’, is a text-based open standard designed for human-readable data interchange. Although very close to JavaScript, it is defined as being language-independent. Typically JSON is used for serializing and transmitting data over networks, in particular to transfer data between a server and a web application, thereby presenting an alternative to XML.

Summary
Dan’s session looks at how to understand and attack mobile (web) applications that use new technologies such as JSON, REST and AMF. If you are a programmer, are learning to be one, or are just curious, then this is certainly an event not to miss. The growth of mobile and the decline of PCs and desktops should also prompt you to attend this event or watch it at a later date (the show will be recorded on the same URL as the registration page, which is here).

Are you a programmer or developer with AMF, JSON or REST experience? We’d love to hear your thoughts in the comments below, especially with regard to your security posture and how you firm up and test your code.

