Friday, August 28, 2009

Flash Remoting Support in Burp Suite Pro

Assessing applications that use Flash Remoting calls often requires tools to analyze, manipulate, and replay requests. These tools are needed because Flash Remoting request and response payloads are encoded in the Action Message Format (AMF).

Previously, I used Deblaze and Charles Proxy to support these needs. On August 12, a new version of Burp Suite Pro was released. This version allows AMF messages to be encoded and decoded in the Proxy, Repeater, and other tools (except Burp Intruder). Burp Scanner also supports placing attack payloads in Flash Remoting calls.
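To show what a proxy actually has to decode before a tester can read or edit a remoting call, here is a minimal AMF0 envelope parser added as an illustration (it is not code from Burp, Deblaze, or Charles). The request bytes, the `EchoService.echo` target, and the `/1` response URI are constructed for this example.

```python
import struct

class AMF0Reader:
    """Cursor over an AMF0 byte string; all integers are big-endian."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated AMF0 data")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def utf8(self): return self.take(self.u16()).decode("utf-8")

    def value(self):
        """Decode one AMF0 value (the subset seen in typical remoting calls)."""
        marker = self.u8()
        if marker == 0x00: return struct.unpack(">d", self.take(8))[0]  # number
        if marker == 0x01: return self.u8() != 0                          # boolean
        if marker == 0x02: return self.utf8()                             # string
        if marker == 0x03:                                                # anonymous object
            obj = {}
            while True:
                key = self.utf8()
                if key == "":                      # empty key must be followed by object-end
                    if self.u8() != 0x09: raise ValueError("missing object-end marker")
                    return obj
                obj[key] = self.value()
        if marker in (0x05, 0x06): return None                            # null / undefined
        if marker == 0x0A: return [self.value() for _ in range(self.u32())]  # strict array
        raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")

def decode_packet(data: bytes) -> dict:
    """Parse an AMF0 packet: version, headers, then the remoting messages."""
    rd = AMF0Reader(data)
    version, headers, messages = rd.u16(), [], []
    for _ in range(rd.u16()):
        name, must_understand, _len = rd.utf8(), rd.u8() != 0, rd.u32()
        headers.append({"name": name, "must_understand": must_understand, "value": rd.value()})
    for _ in range(rd.u16()):
        target, response, length = rd.utf8(), rd.utf8(), rd.u32()
        # A length of 0xFFFFFFFF means "unknown"; otherwise the body is bounded by it.
        body = rd.value() if length == 0xFFFFFFFF else AMF0Reader(rd.take(length)).value()
        messages.append({"target": target, "response": response, "body": body})
    return {"version": version, "headers": headers, "messages": messages}

# Constructed sample: one AMF0 message calling EchoService.echo("hello", 42).
SAMPLE_REQUEST = (
    b"\x00\x00" b"\x00\x00" b"\x00\x01"         # version 0, no headers, one message
    b"\x00\x10EchoService.echo" b"\x00\x02/1"   # target URI, response URI
    b"\x00\x00\x00\x16"                          # body length: 22 bytes
    b"\x0a\x00\x00\x00\x02" b"\x02\x00\x05hello" b"\x00" + struct.pack(">d", 42.0)
)

if __name__ == "__main__":
    print(decode_packet(SAMPLE_REQUEST))
```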

Wednesday, August 12, 2009

Amazon EC2 and PCI Compliance

I saw a very informative forum post regarding Amazon's position on EC2 and S3 PCI compliance via a Twitter update from @beaker (http://twitter.com/Beaker/statuses/3277444460). The post states merchants cannot achieve Level 1 PCI compliance within Amazon's cloud infrastructure, because Amazon will not allow customers to perform on-site assessments. Amazon recommends using their Flexible Payments Service to successfully handle credit card data within their cloud. Mosso, now "Rackspace Cloud", took a similar approach, as discussed in my March 2009 blog post.