    December 25

    playing with security context

    http://www.leastprivilege.com/ASPNETExtensibilityCodeAndSecurityContext.aspx

    December 24

    Ajax Security


    First, you can download the free Ajax library from http://ajax.asp.net/Default.aspx

    There is a good tool for finding Ajax vulnerabilities called Sprajax; you can find the full source at the OWASP project page: http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project


    Sprajax README

    Introduction

    Sprajax is an open-source tool for assessing the security of AJAX-enabled web applications.  Sprajax-specific code has been released under the GNU Lesser GPL (LGPL).  Code for supporting libraries (C# spider and Dynamic WebServices Library) is released under the licenses outlined in their source code directories.  Code from other projects is used pursuant to their licenses and is used without the endorsement of the original authors.


    For more information about sprajax, please check out the official sprajax page: http://www.denimgroup.com/sprajax/


    Also, I talk about sprajax issues pretty frequently on the Denim Group blog: http://denimgroup.typepad.com/

    Contents

    The sprajax deployment package contains code and binaries for the sprajax tool, supporting libraries, as well as an example Microsoft Atlas AJAX-enabled application.

    README.doc

    This document.

    DenimGroup.Sprajax Folder

    This contains the main sprajax Visual Studio .NET solution.  The database projects contained need to be installed into a SQL Server 2005 database and the connection string can be entered on the main sprajax screen.

    DenimGroup.Sprajax.DemoSite

    This contains a demonstration Microsoft Atlas AJAX-enabled web application that helps to illustrate the capabilities of the Sprajax tool.

    cssspider Folder

    This contains the source and binaries for the modified C# Spider adapted from the work of Jeff Heaton (www.jeffheaton.com).  This spider code is the basis for the footprinting functionality in sprajax.

    DWSL1.5_DotNET20 Folder

    This contains the source and binaries for the modified Dynamic Web Services Library adapted from the work of Christian Weyer of Thinktecture (www.thinktecture.com).  This web services code is the basis for the calls made to web services when fuzzing Microsoft Atlas AJAX applications.

    DenimGroup.Sprajax.GWT.DemoSite

    This contains a prototype Google Web Toolkit (GWT) application, but this is not finished and GWT support is still not operational.

    Getting Started

    1. Install the database scripts from the DenimGroup.Sprajax VS.NET solution and stored procedures into a SQL Server 2005 database.  Determine the database connection string because it will be needed later.
    2. Change the connection string in the DenimGroup.Sprajax.DemoSite.
    3. Run the DenimGroup.Sprajax.DemoSite project.
    4. Run the DenimGroup.Sprajax project.
    5. Change the connection string in the sprajax tool.
    6. Change the URL (if required) to match the location where the DenimGroup.Sprajax.DemoSite web application is running.
    7. Click the "Footprint Application" button and wait for sprajax to footprint the web application.  This involves spidering the application and may take a minute or so depending on the size of the application.
    8. Click the "Fuzz Application" button and wait for sprajax to fuzz the web services.  This may take quite a while depending on the number of web services being fuzzed and Visual Studio may give STA threading warnings (have to work on those…)
    9. When sprajax finishes fuzzing the web services, click the "Show Results" button to see the JavaScript files found, Atlas frameworks detected as well as the web services, methods and parameters available in support of AJAX functionality.  View the data grid at the bottom to see calls that caused exceptions along with the input parameters.  Look at the exception messages and stack traces to diagnose potential security flaws in the target application.
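    Step 9 leaves the reader to sort through the exception messages and stack traces by hand. As an added example (not part of Sprajax or the original post), the following Python triages a set of constructed fuzz results in the JSON error shape that ASP.NET AJAX script services return when a method throws (Message, StackTrace, ExceptionType; the field names and the /Services/Account.asmx service are assumptions), so that database exceptions surface as injection candidates and disclosed stack traces are flagged as information leaks to fix before release.

```python
import json
from dataclasses import dataclass

# Exception types whose appearance in a fuzzed response suggests user input reached a query.
INJECTION_TYPES = {"System.Data.SqlClient.SqlException", "System.Data.OleDb.OleDbException"}
# Exception types that usually mean the method did no validation and crashed on malformed input.
VALIDATION_TYPES = {"System.FormatException", "System.ArgumentException", "System.NullReferenceException"}

@dataclass
class Finding:
    method: str
    exception_type: str
    leaks_stack_trace: bool
    category: str  # injection | validation | other_exception | opaque_error | clean

def parse_error_body(body: str):
    """Return the ASP.NET AJAX JSON error object (Message/StackTrace/ExceptionType), else None."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return data if isinstance(data, dict) and "ExceptionType" in data else None

def triage(record: dict) -> Finding:
    """Classify one fuzzed call given its service path, method, HTTP status and raw body."""
    method = f"{record['service']}/{record['method']}"
    if record["status"] < 500:
        return Finding(method, "", False, "clean")
    err = parse_error_body(record["body"])
    if err is None:  # server failed but disclosed nothing (custom errors enabled)
        return Finding(method, "", False, "opaque_error")
    exc = err.get("ExceptionType", "")
    category = ("injection" if exc in INJECTION_TYPES
                else "validation" if exc in VALIDATION_TYPES else "other_exception")
    return Finding(method, exc, bool(err.get("StackTrace")), category)

def _err(message, exc_type, trace=None):
    return json.dumps({"Message": message, "StackTrace": trace, "ExceptionType": exc_type})

# Constructed sample results for a hypothetical /Services/Account.asmx script service.
SAMPLE_RESULTS = [
    {"service": "/Services/Account.asmx", "method": "GetBalance", "status": 500,
     "body": _err("Unclosed quotation mark after the character string '1''.",
                  "System.Data.SqlClient.SqlException", "   at System.Data.SqlClient.SqlCommand.ExecuteReader()")},
    {"service": "/Services/Account.asmx", "method": "GetBalance", "status": 500,
     "body": _err("Input string was not in a correct format.", "System.FormatException")},
    {"service": "/Services/Account.asmx", "method": "GetBalance", "status": 200, "body": "42"},
    {"service": "/Services/Account.asmx", "method": "Search", "status": 500, "body": "Internal Server Error"},
]
```

Running `triage` over each record gives one injection candidate with a disclosed stack trace, one missing-validation crash, one clean call and one opaque 500; the first two are the ones worth reading in the results grid.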

    Known Issues

    • The actual AJAX-y behavior of the example site is all screwed up right now, but sprajax can still detect all the constructs and fuzz them as required.
    • STA threading warnings occur (and the UI temporarily freezes up) when running the fuzzing routines.  I need to clean this up.
    • Requiring a SQL 2005 database is a pain, so in the next version there will be a data handler for single-session-only results that won't require a database backend.


    Email dan@denimgroup.com with patches, suggestions or questions.