I've posted an entry over on my employer's blog on Penetrating Intranets through Adobe Flex Applications. I've also released a new tool along with it, called Blazentoo. This tool exploits insecurely configured BlazeDS Proxy Services, potentially allowing you to browse internal web sites. You can download Blazentoo from GDS' tools page.
Also, be sure to check out my other post from a while back, Pentesting Adobe Flex Applications with a Custom AMF Client. That post explains how to write a client in Python that makes remoting calls to a remote Flex server.