Get off your AMF and don’t REST on JSON!

This coming Thursday, August 8th 2013 at 12 EST/ 9 PST, Dan Kuykendall will be presenting: “Get Off Your AMF and Don’t REST on JSON,” a talk which he also delivered at OWASP AppSec Conference.

Dan’s talk is going to fit very nicely into other recent Hacker Hotshot talks since he will be outlining code and web application testing. (Quick side note: if you have a moment and are interested in Web Application Security you might find it also useful to watch Sherif Kousa present: Secure Code Reviews Magic or Art? in which he outlines how security code reviews are one of the best ways to uncover security flaws in source code).

About Dan Kuykendall
Dan Kuykendall is co-CEO and CTO of NT OBJECTives. NT OBJECTives (NTO) is an organization involved with solving application security challenges. The NTO team represents a group of highly experienced information security professionals that collectively bring an abundance of knowledge. Their flagship product, NTOSpider, is designed to be a fully automated Web application scanner that automates authentication, session management as well as other important penetration testing processes. Dan is particularly well experienced with this type of product and solution having previously worked at Foundstone where he was responsible for the portal interface to the company’s flagship product, FoundScan.

Dan is very active in the InfoSec world, blogging as well as co-hosting an Information Security Podcast. He has presented at many Information Security conferences including AppSec, HouSecCon, ToorCon and THOTCON. We are absolutely delighted to have Dan on the show and we really encourage you to sign up and learn more!

Learning Objectives of Dan’s Presentation

  • Viewers will learn how, although HTTP is being used to transport new request formats such as those from mobile apps (e.g. REST, JSON, AMF and GWTk), few security teams have updated their testing procedures.
  • Dan will explain how all of these new formats are potential new playgrounds for attackers and penetration testers.
  • Dan will demonstrate the process of breaking down these new formats and attacking them!
  • Attendees will also learn how to leverage their existing penetration testing methodologies.

AMF Brief Outline
ASP.NET Mobile Framework (AMF) is a framework that can be used for making web applications for tablet and smartphone web browsers. The framework allows the developer to generate HTML through WebControls and also facilitates databinding through its HTML5 markup-driven configuration.

REST Brief Outline
Representational state transfer (REST) is a style of software architecture which has become popular amongst API designers.

JSON Brief Outline
Compared to AMF and REST, JSON is likely the more widely used language. JSON, short for ‘JavaScript Object Notation’, is a text-based open standard designed for human-readable data interchange. Although very close to JavaScript, it is defined as being language-independent. Typically JSON is used for serializing and transmitting sequential data over networks and is used to transfer data between a server and a web application, therefore presenting an alternative to XML.

Dan’s session looks at how to understand and attack mobile (web) applications that use new technologies such as JSON, REST and AMF. If you are a programmer, are learning to be one, or are just curious, then this is certainly an event not to miss. The growth of mobile and the decline of PCs and desktops should also prompt you to attend this event, or watch it at a later date (the show will be recorded on the same URL as the registration page, which is here).

Are you a programmer or developer with AMF, JSON or REST experience? We’d love to hear your thoughts in the comments below – especially with regards to your security posture and how you firm up and test your code.

Henry Dalziel

Henry is a serial education entrepreneur, founder of Concise Ac Ltd, online cybersecurity blogger and e-book author. He writes for the blog and has developed numerous cybersecurity continuing education courses and books. Concise Ac Ltd develops and distributes continuing education content [books and courses] for cybersecurity professionals seeking skill enhancement and career advancement. The company was recently accepted onto the UK Trade & Investment's (UKTI) Global Entrepreneur Programme (GEP). For more information please get in contact for possible JVs:
