OWASP Sprajax
sth posted in Uncategorized on October 31st, 2006
Just shortly after I had complained about AJAX assessment tools, I found that OWASP has also started a new project called Sprajax, which aims to "assess the security of AJAX-enabled applications". Despite having formed less than a month ago, they already have a download available. One cool thing I see is that they actually try to determine which framework the site is using in order to tune the tests accordingly. Now if they'd only port away from the .NET framework so I wouldn't have to use VMware just to test it out (users are never happy ;).

November 2nd, 2006 at 12:16 pm
I’m the author of sprajax. Sorry about using the .NET framework - that probably makes life harder for OS X and Linux users. I suppose sprajax might run under Mono but I haven’t had a chance to try that out yet.
The reason for using .NET was that there were a couple of libraries already available and our first AJAX framework target was Atlas. We used a pre-existing LGPL C# web spider as well as another source-available dynamic SOAP call library. That cut down on the development time quite a bit for the initial release.
Work is underway to refactor the framework detection and endpoint enumeration so that it is easier to add support for other AJAX frameworks. Work is also underway on Google Web Toolkit support.
If you are interested in more sprajax info, I gave a presentation about the project at the OWASP AppSec 2006 conference. You can download the slide deck here. It talks a lot about sprajax's detection of AJAX frameworks and the value of leveraging this knowledge to craft requests that can actually exercise server-side code.
–Dan
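The comment above describes the idea behind Sprajax's approach: fingerprint the AJAX framework from the page, enumerate the endpoints it exposes, and then build a request in the exact shape that framework's server-side handler expects, so the test actually reaches application code rather than bouncing off the dispatcher. The following Python is an added illustration of that workflow and is not Sprajax code; the script-include fingerprints (ScriptResource.axd / MicrosoftAjax.js for ASP.NET AJAX "Atlas", *.nocache.js for GWT), the `Service.asmx/js` proxy convention, the JSON call shape, the `http://target.example/` base URL and both sample pages are this example's own assumptions and constructed inputs.

```python
"""Fingerprint an AJAX framework from a page, enumerate candidate endpoints,
and craft a request in the shape the framework's server handler expects.

Added example, not Sprajax code. Fingerprints, endpoint conventions and the
request shape are this example's assumptions about ASP.NET AJAX ("Atlas")
script services and Google Web Toolkit pages.
"""
import json
import re
from urllib.parse import urljoin

# Assumed fingerprints: a script include each framework emits on its pages.
FINGERPRINTS = {
    "ASP.NET AJAX": re.compile(r"ScriptResource\.axd|MicrosoftAjax\.js", re.I),
    "GWT": re.compile(r"\.nocache\.js\b", re.I),
}

SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)
# Assumption: ASP.NET AJAX pages reference a JS proxy as Service.asmx/js or
# Service.asmx/jsdebug; the .asmx path in front of it is the callable endpoint.
ATLAS_PROXY = re.compile(r"^(.+?\.asmx)/(js|jsdebug)$", re.I)


def script_sources(html):
    """All <script src=...> URLs in the page, in document order."""
    return SCRIPT_SRC.findall(html)


def detect_framework(html):
    """Return the framework name whose fingerprint appears, or None."""
    srcs = script_sources(html)
    for name, pattern in FINGERPRINTS.items():
        if any(pattern.search(s) for s in srcs):
            return name
    return None


def enumerate_endpoints(html, base_url):
    """Candidate server-side endpoints, resolved against base_url."""
    framework = detect_framework(html)
    found = []
    for src in script_sources(html):
        if framework == "ASP.NET AJAX":
            m = ATLAS_PROXY.match(src)
            if m:
                found.append(urljoin(base_url, m.group(1)))
        elif framework == "GWT" and FINGERPRINTS["GWT"].search(src):
            # GWT RPC endpoints live under the module base path; keep that
            # directory as the starting point for further enumeration.
            found.append(urljoin(base_url, src[: src.rfind("/") + 1]))
    return found


def craft_atlas_call(endpoint, method, params):
    """Build a request that the ASP.NET AJAX script handler will dispatch.

    The handler only routes to the web method when the body is JSON and the
    Content-Type says so; a plain GET or form POST to the same URL never
    reaches the method, which is why the framework fingerprint matters.
    """
    return {
        "method": "POST",
        "url": f"{endpoint}/{method}",
        "headers": {"Content-Type": "application/json; charset=utf-8"},
        "body": json.dumps(params),
    }


# Constructed sample pages (not captured from any real site).
SAMPLE_ATLAS_PAGE = """<html><head>
<script src="/ScriptResource.axd?d=abc123" type="text/javascript"></script>
<script src="Services/Customer.asmx/js" type="text/javascript"></script>
</head><body><div id="app"></div></body></html>"""

SAMPLE_GWT_PAGE = """<html><head>
<script src="myapp/myapp.nocache.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    base = "http://target.example/"  # assumed target
    for page in (SAMPLE_ATLAS_PAGE, SAMPLE_GWT_PAGE):
        fw = detect_framework(page)
        print(fw, enumerate_endpoints(page, base))
    for ep in enumerate_endpoints(SAMPLE_ATLAS_PAGE, base):
        print(craft_atlas_call(ep, "GetCustomer", {"id": 7}))
```

The point of splitting detection from request crafting is that the same enumerated `.asmx` path needs a different request body depending on the framework in front of it; a scanner that fires generic GET probes at it learns nothing about the method behind it. GWT is only fingerprinted here, since its RPC encoding is not shown on this page.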