A remote method enumeration tool for flex servers

Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. This tool will allow you to perform method enumeration and interrogation against flash remoting end points.


Updated version that uses twisted to proxy AMF remoting calls and aid in debugging network traffic. Major code redesign and bugfixes. Incorporates automatic detection of remoting methods, basic parameter fuzzing, and HTML reporting.
Deblaze provides the following functionality:
  • Brute Force Service and Method Names
  • Method Interrogation
  • Flex Technology Fingerprinting
  • Parameter detection
  • Basic parameter fuzzing
  • Proxy AMF requests/responses
  • HTML reporting


You can download the lastest version of deblaze here.

Feel free to contact me if you have any questions, comments, or patches - Jon Rose

Deblaze Presentations


Thanks to all the members of Trustwave's Spiderlabs for testing and support, especially stads9000. Trustwave provides services in penetration testing, forensics, managed security services, and vulnerability scanning. Contact me for more info.

I'd also like to thank Nick Joyce, the python ninja. Him and the rest of the team do a great job building and supporting the pyamf library.

Marcin also provide code patches and help educate me on "pythonic" styles - thanks!