Sprajax is Here!

I have heard it said that the great is the enemy of the good so I decided to stop messing around and finally release the first public version (0.03) of the sprajax tool. It can be downloaded from www.denimgroup.com/sprajax. This is still a bit rough and limited, but it should be able to successfully footprint and fuzz AJAX-enabled web applications written using the Microsoft Atlas framework.

For folks who haven’t been following along, sprajax is an Open Source (LGPL) tool for assessing the security of web-based applications using AJAX technologies.  It spiders through applications, determines the call endpoints used to provide server-side AJAX functionality, and then fuzzes those endpoints attempting to find errors.  It can log either all calls or just those resulting in errors and this data can help to suggest where there may be coding bugs with security implications.

Requirements:
- .NET 2.0
- SQL Server 2005
- Visual Studio 2005 (for development)

Check out the README file for instructions on installing and running the application. It comes with a demo Atlas application that is kind of broken, but good enough for now. I will be releasing a new version in a couple of days that doesn’t require SQL Server 2005 because that is kind of a big burden just to get the tool up and running. Also we will be adding support for Direct Web Remoting (DWR) before too much longer. If you have the time please fire up the tool, give it a try and drop me an email with any questions or feedback. And be gentle – this is a first release.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.