I have heard it said that the great is the enemy of the good, so I decided to stop messing around and finally release the first public version (0.03) of the sprajax tool. It can be downloaded from www.denimgroup.com/sprajax. This is still a bit rough and limited, but it should be able to successfully footprint and fuzz AJAX-enabled web applications written using the Microsoft Atlas framework.
For folks who haven’t been following along, sprajax is an Open Source (LGPL) tool for assessing the security of web-based applications using AJAX technologies. It spiders through applications, determines the call endpoints used to provide server-side AJAX functionality, and then fuzzes those endpoints attempting to find errors. It can log either all calls or just those resulting in errors and this data can help to suggest where there may be coding bugs with security implications.
Requirements:
- .NET 2.0
- SQL Server 2005
- Visual Studio 2005 (for development)
Check out the README file for instructions on installing and running the application. It comes with a demo Atlas application that is kind of broken, but good enough for now. I will be releasing a new version in a couple of days that doesn’t require SQL Server 2005, because that is kind of a big burden just to get the tool up and running. Also, we will be adding support for Direct Web Remoting (DWR) before too much longer. If you have the time, please fire up the tool, give it a try and drop me an email with any questions or feedback. And be gentle – this is a first release.
–Dan
dan _at_ denimgroup.com