AMF Deserialization

Philippe | Last updated: Apr 19, 2016 06:43AM UTC

When an AMF response body contains a custom object, Burp can't seem to properly deserialize the body and returns "data - null" instead of the proper object. For the same request/response, Charles proxy seems to be able to deserialize the response just fine. Also in Repeater, in the AMF tab, it is not possible to change the type of a parameter (for instance, change from Integer to String). This is possible in Charles proxy. Lastly, in Repeater, when the body contains an array, would it be possible to add other elements to the array? At the moment, we can only modify the value of existing elements of the array. I will send a screenshot and a request example to support@portswigger.net.

PortSwigger Agent | Last updated: Apr 20, 2016 07:55AM UTC

Thanks for this report. We're aware of the current limitations in the AMF support. There is an extension called Blazer in the BApp Store which provides superior AMF support, and might meet your needs. Given that Flash/AMF are becoming less popular, it's unlikely that we will prioritise this area for further development, sorry.

