ansaurus

Question

Answer 1

+3 A:

Try Charles Proxy it works with both HTTPS and AMF. There's a free version with some minor annoyances. To get it working with ssl you need to go to Proxy->Proxy Settings->SSL and add the domain which traffic you want to monitor.

---- From the comment ----

If you have the original certificate, you can set it up in Proxy->SSL Certificate, and it will be ued by Charles, which should lead to no more errors (as the proxy will have the proper certificate).

Robert Bak 2010-02-08 15:38:01

Charles actually looks like a less powerfull tool than Fiddler and I ended up with the same problem - SWF file was not working (this is normal if the HTTPS certificate is not from a trusted authority) and the proxy was not able to show any network traffic.

Borek 2010-02-08 16:28:37

I'm not sure what exactly is your problem, but what I get is a warning that says "There is a problem with this website's security certificate." and once I click on "Continue to this website (not recommended)." I get all the HTTPS traffic shown. Have you enabled the SSL Proxying?

Robert Bak 2010-02-08 16:55:43

You will get that security warning when you try to access the HTML wrapper but I am rather interested in the traffic between the server and the Flex application itself (via components like HTTPService). In such case, you will get no browser warning and the proxy will not reveal anything useful as it seems that the certificate gets rejected by Flash Player itself. So Charles is not an answer, unfortunately.

Borek 2010-02-08 22:04:45

Ok, two more thoughts - 1) Is it possible to put that swf on the server instead of running it standalone? 2) Do you have the certificate, in that case you can set it up in Proxy->SSL Certificate, and it will be ued by Charles, which should lead to no more errors (as the proxy will have the proper certificate).

Robert Bak 2010-02-09 07:49:24

That's a great suggestion, if you convert it to an answer, I will mark it as "the" answer.

Borek 2010-02-09 11:52:22

Answer 2

+1 A:

Adobe's Flash Builder 4 Beta has a built in Network Monitor.

Learn more here: Flash Builder 4 beta

According to the documentation: (Support for HTTPS protocol)

The Network Monitor supports monitoring HTTPS calls to a server certified by a certificate 
authority (CA) or that has a self-signed certificate.

To monitor calls over the HTTPS protocol, modify the default preference for the Network Monitor
to ignore SSL security checks. Open the Preferences dialog and navigate to Flash Builder > 
Network Monitor.

Bryan Clover 2010-02-08 19:21:26

The hypothetical attacker doesn't have the source code so FB's Network Monitor is not an option for him.

Borek 2010-02-08 22:07:37

@Borek - Since your intention is to assess risk you should keep in mind that SWF files can be de-compiled. Which would give an attacker access to the source code. I have never done so, but I have heard others mention it a few times.

invertedSpear 2010-02-08 22:46:23

We tried a couple of SWF obfuscation tools and are aware of what they can / cannot do. Another possibility for an attacker is to inspect the traffic itself which we have much harder times assessing - I§m still not sure if it can be done or cannot.

Borek 2010-02-09 00:01:06

Answer 3

+1 A:

Interestingly, Fiddler started to show HTTPS requests today. The Flex app behaves like it couldn't access the server side (which is probably because the response from Fiddler is signed with a self-signed certificate which Flash Player correctly recognizes as different than the target site certificate) but still, the HTTP request has been sent already and is visible via Fiddler.

Also, Robert Bak suggested that Charles Proxy can use the target site's certificate which I guess would be by far the best method (I didn't try it as the Fiddler experiment already proved enough for us).

Borek 2010-02-09 11:49:29

ansaurus

tags:

views:

answers:

Inspect HTTPS traffic from SWF files

related questions