- We design and build extraordinary applications for companies looking to make the next great idea a reality.
- learn more
Sprajax? Security Scanner for AJAX
I came across an open source AJAX security scanner called Sprajax. From the Denim Group's press release:
Sprajax is the first web security scanner
developed specifically to scan AJAX web applications for security
vulnerabilities. Denim Group, an IT consultancy specializing in web
application security, recognized that there were no tools available on
the market able to scan AJAX. AJAX allows web-based applications a
higher degree of user-interactivity, a feature with growing popularity
among developers.Denim Group developed this innovative tool that
will revolutionize security assessments by providing a more thorough
diagnosis of security vulnerabilities within the AJAX code that other
web security scanners are not designed to read. The software then
produces a report of possible weaknesses for developers to remedy.
It's Open Source, so I decided to download it and see what the hype was about. First, the application is written in C#. Second, you will need SQL Server to get it to run as the results are stored in SQL Server and are pulled into reports using stored procedures. Finally, the application doesn't do all that much.
The application takes an application URL as a parameter and has three main functions.
- You can "footprint" the application, i.e. scan it for Javascript files and web services.
- You can "fuzz" the application, i.e. pass garbage into the web services to see if they will barf.
- You can display the results of the previous two functions.
Essentially, the footprint function spiders the application, detects the framework used, finds Javascript files included, and discovers web services used. The fuzz function uses those discovered web services and passes some garbage into them and sees if they returned error conditions. There are just a few problems with this tool, however:
- The tool only detects the Atlas framework. No Dojo, DWR, etc.
- It only detects SOAP web services used by the Atlas framework. No REST, no framework specific calls.
- It doesn't scan the Javascript files for XHR calls, another place to find calls back to the server.
The fuzz function only tests robustness and in a fairly limited way, i.e. will the app go belly up when you pass in garbage data. Typically, security scanning tools test for known exploits of web application frameworks, a much more useful approach.
Finally, consider that many AJAX frameworks make use of dynamic XHTML and Javascript to drive content and navigation. This tool just sucks in the content and looks for URL's. It wouldn't find even one link in an Echo2 application, for instance.
Overall, there isn't much here. It has the feel of something that a journeyman programmer put together over a weekend. I applaud the Denim Group for releasing an Open Source tool, but the hype in their statement is wildly inaccurate. You can likely write something in Perl in a few hours that would do all of this and more.
Topics: Ajax Performance, Ajax Tools, Application Development, Security, Sprajax
Comments: 1 so far
Leave a comment
About Pathfinder
Recent
- Roles Testing For Security
- Blackbird takes the pain out of JavaScript logging
- Making GWT JSON not Quite so Painful
- IDEA - preconference workshop 06 Oct 08
- HTML5, Ajax history management, and The Ajax Experience 2008 Boston
- A Look Back At Past Posts
- Flash Player on iPhone gossip
- Microsoft to Jump on Board EC2
- TAE Boston 2008: The Unsexy Presentations
- The Ajax Experience 2008: Hope to see you in Beantown
Archives
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
Topics
.NET
2d physics
3d
3D GPS
3D physics
37signals
Accessibility
actionscript
activerecord
Add new tag
Adium
ADO.NET Entity Framework
Adobe
Adobe AIR
Advertising
agile
Agile Development
AIR
Ajax
Ajax Applications
Ajax Bookmarking
Ajax Components
Ajax Development
Ajax Examples
Ajax Experience
Ajax Frameworks
Ajax history management
Ajax Intervention
Ajax libraries
AJAX Obfuscation
Ajax Performance
Ajax Products
Ajax Tools
Ajax Widgets
Amazon
amf
Analysis
Android
Announcement
Announcements
antennae
Apollo
Application Architecture
Application Development
AS3
ASP.NET
Asynchronous Processing
awards
Back Button
Benchmarking
Best Practices
BitmapData.draw
BJAX
Blaze Advisor
blog
blogging
Books
Browsers
Business
Business Reasons for Ajax
Business Rules
C#
Canvas
Case Studies
chess
Chicago
Cloud Computing
CMS
COBOL
code art
Code Generation
Color
COMET
Conference
Consistency
Content Management
CRM
CruiseControl
CSS
Custom Flex Component
data visualization
Degrafa
Design
Design Patterns
Desktop
Desktop RIA
Developer's Notebook
Diagnose
Dojo
Domain Knowledge
Drools
EC2
Echo2
Echo3
Editorial
ERP
Ethnographic Research
events
externalinterface
Ext JS
Facebook
ferret
FileReference
Firefox
Firefox Extensions
Flash
flash awards
flash player
flash player 10
Flex
flexunit
Flock
Flow
Frameworks
front end
front end development
Games
Gauge Component
getting things done
Git
Google
Google calendar
Google Gears
Grails
Graphics
Greasemonkey
Groovy
GStreamer
GTD
Gwittir
GWT
Healthcare
Hibernate
Hudson
IDE
Ideation
IE
IE6
IE7
IE8
ILOG JRules
Information Architecture
Innovation
Instructional Design
Interaction Design
Interview
iPhone
iTunes
Java
Javascript
JavaScript frameworks
Javascript Libraries
JBoss Rules
Jess
Jetty
JIT
Jobs
jQuery
JSF
JSON
JSR-94
JsUnit
Lazlo
Legacy Systems
lightweight
LinkedIn
LINQ
logging
Logical Model and Conceptual Model
Low Pro
Mac
Mash Note
Mashups
Meebo
MetaWidget
Methodology
Microformats
Microsoft
Mobile
Mootools
mouse scroll
mouse wheel
Mozilla
Music
MVC
MySql
NetNewsWire
Object-Oriented
Object Relation Mapping (ORM)
Office
OOP
Open Screen
Open Source
Opera
Oracle
ORM
osx
pagination
Pair Programming
papervision3d
Patterns
Peer Creation
Performance
Personas
PHP
physics
physics engines
plugin
preloader
process
Web/Tech
Product Definition
productivity
Progressive Enhancement
Project Website
Prototype
Prototyping
PV3D
QA
qooxdoo
Radiant CMS
rails
Really Simple History
References
Requirements
Requirements
Alice Toth
Requirements Visualization
Restlet
RETE
Review
Rich Interactions
ruby
rubyamf
Ruby on Rails
SaaS
Safari
San Francisco
Scalability
Scenarios
Scriptaculous
SDLC
Search
Security
Selenium
Semantic web
SEO
Server Side
Silverlight
SOA
Social Networking
Software Processes
Songbird
SpiderMonkey
Sprajax
Spreadsheets
Standards
Startups
STI
Story Telling
Struts
Tamarin
Task Flows
Test Driven Development
Testing
The Ajax Experience
Tilt Component
Tools
TraceMonkey
Training
Trends
Tumblr
Tutorial
Tutorials
Unit Tests
Usability
Usability Testing
User Experience
user experience design
user interface
User Interface Standards
User Research
UXD
Venture Capital
Video
Vision
Visualization
VLC
Volta
Web/Tech
Web 2.0
Web Design
Web Development
Webkit
Weblogs
Web Services
Web Standards
Widgets
will_paginate
Windows
Wireframes
WordPress
workflow
work life balance
XML
XML Metadata
XUL
Yahoo Map AS3 API
YUI
Zeigarnik
Zeigarnik Effect
ZK
I wrote the sprajax tool so I thought I would respond. That is a fair assessment of the tool in its current state. This is certainly an “alpha” release but work is progressing. Next up for sprajax:
-Remove requirement for SQL Server 2005 - this is a huge barrier to getting more folks using the tool and being able to look at historical scan data from a database is a lower priority at this point than making it easy to get up and running.
-Add support for the Google Web Toolkit. The interfaces for detecting, footprinting and then fuzzing frameworks need a little bit of work, but the goal is to make these fairly generic and modular so that it is easy to add support for additional AJAX toolkits. I suspect that once I have Atlas and GWT working it will be much easier to add support for DWR and others. And it should also be possible at this point to add more scanning for other non-framework-defined endpoints for additional fuzzing.
I would however disagree that looking for known exploits would be a better approach than the fuzzing sprajax does right now. Tools like Nessus and Nikto already serve this function quite well - they can tell you if your server is misconfigured or using out of date software. The point of sprajax is to try and find flaws in the custom code written using these frameworks so it exercises the application and analyzes request and response patterns. This approach is good for finding “technical” flaws in applications usually based on coding flaws and bad input handling, but isn’t very good at finding “logical” flaws in applications. Unfortunately there really aren’t any good tools for finding “logical” flaws in the design assumptions of applications other than manual inspection and design review. So we automate what we can…
Sprajax has a place in assessing the security of AJAX-enabled web applications. The press release might not have done a good job of pointing out its limitations - they never do
- but sprajax is still under development and its utility should grow over time.
Thanks,
–Dan
Comment by Dan Cornell, Thursday, June 1, 2006 @ 1:28 pm