Tuesday, May 30th, 2006

Sprajax – An Ajax Security Scanner

Category: Security, Utility

On the Pathfinder blog today, there’s a new entry about a new security offering for the Ajax community – Sprajax.

Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing in web application security, recognized that there were no tools available on the market able to scan AJAX. AJAX allows web-based applications a higher degree of user-interactivity, a feature with growing popularity among developers.

He comments on his experiences with the software, including the prerequisites needed to get it running (C# and SQL Server). He walks through a sample execution of a security audit on a remote site, but notes that there are a few problems with this “open source app”:

  • The tool only detects the Atlas framework. No Dojo, DWR, etc.
  • It only detects SOAP web services used by the Atlas framework. No REST, no framework specific calls.
  • It doesn’t scan the Javascript files for XHR calls, another place to find calls back to the server.

In his opinion, though, there’s really not that much that Sprajax has to offer the community.

Posted by Chris Cornutt at 8:24 am
12 Comments

3.4 rating from 32 votes


You can’t “scan” AJAX any more than you can scan regular expression function libraries. Not to mention, if it only scans Atlas framework apps, then call it an Atlas framework security scanner.

I call BS on that one (well, agree BS on that one).

Why even post something that useless? It looks like they just want investor money so they can get sucked into the MS network.

Comment by Shawn — May 30, 2006

An “Atlas” ajax security scanner would be more accurate. On reading “Denim Group,” I had to admit I kept expecting to see some jeans or something. ;)

More seriously however, “security” scanning around this stuff should be considered as a good thing – but I think it’d be beneficial to have something a little more generic (a la Firebug) which could watch any XHR stuff, regardless of API used. I wonder if some of the QA tools available (Selenium etc.) might be able to hook into this, as well.

Comment by Scott Schiller — May 30, 2006

Worst.
Post.
Ever.

Comment by Dan — May 30, 2006

I’ve noticed a certain correlation on Ajaxian between the quality of the tools and frameworks being reviewed and the favorability of the comments and ratings toward the posts that discuss or review them. So, even if someone does a service to the community and warns people off of a crappy tool (like I did here), the reaction is “crappy tool, crappy post.”

If you’d rather waste your own time debunking overhyped claims or checking out worthless tools, be my guest.

Comment by dkappe — May 30, 2006

I’ve noticed a certain correlation on Ajaxian between the quality of the tools and frameworks being reviewed and the favorability of the comments and ratings toward the posts that discuss or review them. So, even if someone does a service to the community and warns people off of a crappy tool (like I did here), the reaction is “crappy tool, crappy post.”

If you’d rather shoot the messenger and waste your own time debunking overhyped claims or checking out worthless tools, be my guest.

Comment by Dietrich Kappe — May 30, 2006

I bash the applications reviewed, not the actual review or reviewer. If I was inclined to correct grammar and critique writing style I would likely do so ever. Perhaps my worst post ever comment was taken the wrong way. The reason I peruse this site is for the reason you mentioned, to see what I can take from other people’s experiences, so I don’t have to spend as much effort myself.

To clarify, “Crappy tool”

Comment by Dan — May 30, 2006

I wrote the sprajax tool so I thought I would respond. That is a fair assessment of the tool in its current state. This is certainly an “alpha” release but work is progressing. Next up for sprajax:

-Remove requirement for SQL Server 2005 – this is a huge barrier to getting more folks using the tool and being able to look at historical scan data from a database is a lower priority at this point than making it easy to get up and running.

-Add support for the Google Web Toolkit. The interfaces for detecting, footprinting and then fuzzing frameworks need a little bit of work, but the goal is to make these fairly generic and modular so that it is easy to add support for additional AJAX toolkits. I suspect that once I have Atlas and GWT working it will be much easier to add support for DWR and others. And it should also be possible at this point to add more scanning for other non-framework-defined endpoints for additional fuzzing.

I would however disagree that looking for known exploits would be a better approach than the fuzzing sprajax does right now. Tools like Nessus and Nikto already serve this function quite well – they can tell you if your server is misconfigured or using out of date software. The point of sprajax is to try and find flaws in the custom code written using these frameworks so it exercises the application and analyzes request and response patterns. This approach is good for finding “technical” flaws in applications usually based on coding flaws and bad input handling, but isn’t very good at finding “logical” flaws in applications. Unfortunately there really aren’t any good tools for finding “logical” flaws in the design assumptions of applications other than manual inspection and design review. So we automate what we can…

Sprajax has a place in assessing the security of AJAX-enabled web applications. The press release might not have done a good job of pointing out its limitations – they never do ;) – but sprajax is still under development and its utility should grow over time.

Thanks,

–Dan

Comment by Dan Cornell — May 30, 2006
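The post’s third limitation (Sprajax does not scan JavaScript files for XHR calls) and Dan Cornell’s note above about eventually scanning for “non-framework-defined endpoints” both come down to the same defensive task: building an inventory of the server endpoints your client-side code calls, so each one can be reviewed for input handling. The following Python script is an added example written for this page, not part of Sprajax or Denim Group’s code; the JavaScript it scans is a constructed sample, and the `ajaxCall({ url: ... })` wrapper shape is an assumption rather than any particular library’s API. It finds `open(method, url)` calls on XMLHttpRequest or ActiveX objects, plus `url:` properties in wrapper calls, and reports the path and query parameter names for each endpoint.

```python
import re
from typing import Dict, List

# Constructed sample: a small Ajax client script of the kind a 2006-era app might ship.
# It is not taken from any real application.
SAMPLE_JS = r"""
var xhr = new XMLHttpRequest();
xhr.open("GET", "/services/GetOrders.asmx/ListOrders?customer=42", true);
xhr.send(null);

function save(data) {
  var req = new ActiveXObject("Microsoft.XMLHTTP");
  req.open('POST', '/api/orders/save', false);
  req.send(data);
}

// Wrapper-style call; the ajaxCall() shape is assumed, not a specific library's API.
ajaxCall({ url: "/api/orders/delete", method: "DELETE" });
"""

# Matches xhr.open(method, url, ...) with either quote style.
# Group 1 and group 3 are the quote characters; \1 and \3 require the matching close quote.
OPEN_CALL = re.compile(
    r"""\.open\(\s*(['"])(?P<method>[A-Z]+)\1\s*,\s*(['"])(?P<url>[^'"]+)\3""",
    re.IGNORECASE,
)
# Matches url: "..." properties inside object literals passed to wrapper functions.
URL_PROP = re.compile(r"""\burl\s*:\s*(['"])(?P<url>[^'"]+)\1""")


def _describe(method: str, url: str) -> Dict[str, object]:
    """Split a URL into its path and the names of its query parameters."""
    path, _, query = url.partition("?")
    params = [kv.split("=", 1)[0] for kv in query.split("&") if kv]
    return {"method": method, "path": path, "params": params}


def find_xhr_endpoints(js_source: str) -> List[Dict[str, object]]:
    """Return the server endpoints referenced by XHR calls in one JavaScript source.

    Each entry has 'method' (or '?' when the call site does not state it),
    'path' (query string stripped) and 'params' (query parameter names, i.e.
    the inputs the server endpoint accepts and must validate).
    """
    found = []
    for m in OPEN_CALL.finditer(js_source):
        found.append(_describe(m.group("method").upper(), m.group("url")))
    for m in URL_PROP.finditer(js_source):
        found.append(_describe("?", m.group("url")))

    # De-duplicate on (method, path) while keeping first-seen order.
    seen = set()
    unique = []
    for entry in found:
        key = (entry["method"], entry["path"])
        if key not in seen:
            seen.add(key)
            unique.append(entry)
    return unique


if __name__ == "__main__":
    # Run stand-alone to list the endpoints found in the constructed sample.
    for endpoint in find_xhr_endpoints(SAMPLE_JS):
        print(endpoint)
```

Running the script over real client-side code gives a list of paths that the server must expose, which can be compared against the endpoints the team knows about; anything unexpected is a candidate for the kind of input-handling review Dan describes. Regex matching is deliberately simple and will miss URLs built by string concatenation at runtime, which is the same gap a framework-aware scanner has to close.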

[...] Sprajax – An Ajax Security Scanner: ” On the Pathfinder blog today, there’s a new entry about a new security offering for the Ajax community – Sprajax. Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing in web application security, recognized that there were no tools available on the market able to scan AJAX. AJAX allows web-based applications a higher degree of user-interactivity, a feature with growing popularity among developers. [...]

Pingback by Sprajax - An Ajax Security Scanner — May 30, 2006

Thanks Dan, I look forward to your software’s growth in this important area. It’s easy (and empowering) to thoroughly BLAM software even though it is realised primarily as an indication of forward thinking rather than a mission critical application you can use to automate your nuclear installation.

So much software is SO bad and so negligently presented, that ANY effort to present better software is to be encouraged.

Comment by steve — May 31, 2006

[...] Ajaxian SecurityAjax security is on everyone s minds these days, whether it s just a simple internal application or a large, public-facing hulking app. Worrying about the security of your project is never a bad [...]

Pingback by Security » Customer Support - RealPlayer Security Updates — June 7, 2006

Hi,

I would like to introduce you to a new concept http://www.visualwebgui.com which eliminates most of AJAX soft spots by simply returning back to server based computing but still having a dynamic AJAX based UI.

Guy

Comment by Guy — April 9, 2007
