April 23rd, 2014

OWASP Sprajax

Shortly after I had complained about AJAX assessment tools, I found that OWASP has also started a new project called Sprajax, which aims to “assess the security of AJAX-enabled applications“. Despite having formed less than a month ago, they already have a download available. One cool thing I see is that they actually try to determine which framework the site is using in order to tune the tests accordingly. Now if they’d only port away from the .NET framework so I wouldn’t have to use VMware just to test it out (users are never happy ;).

One Response to 'OWASP Sprajax'

  1. Dan Cornell
    November 2nd, 2006 at 12:16 pm

    I’m the author of sprajax. Sorry about using the .NET framework – that probably makes life harder for OS X and Linux users. I suppose sprajax might run under Mono but I haven’t had a chance to try that out yet.

    The reason for using .NET was that there were a couple of libraries already available and our first AJAX framework target was Atlas. We used a pre-existing LGPL C# web spider as well as another source-available dynamic SOAP call library. That cut down on the development time quite a bit for the initial release.

    Work is underway to refactor the framework detection and endpoint enumeration so that it is easier to add support for other AJAX frameworks. Work is also underway on Google Web Toolkit support.

    If you are interested in more sprajax info, I gave a presentation about the project at the OWASP AppSec 2006 conference. You can download the slide deck here: It talks a lot about sprajax’s detection of AJAX frameworks and the value of leveraging this knowledge to craft requests that can actually exercise server-side code.

    –Dan
