[GPC] [GPC-Mailbox] Fwd: Crawljax and OWASP Zed Attack Proxy

Jason Li jason.li at owasp.org
Thu Jun 28 02:32:23 UTC 2012

Ali - thanks for bringing this to our attention. As a volunteer organization,
we don't have the bandwidth to track the status of each individual project
and so we depend on folks like you to raise any concerns. As an
organization where all of our content is open, we certainly preach
open-source ideals and principles. I hope that we can all come together in
that spirit and start a dialogue to address your concerns.

Skyler - please see the thread below regarding the AJAX Crawling Tool. As
an open source project that heavily leverages another open source project,
I think it would be courteous to acknowledge the role Crawljax plays in
your project. I also think it may be appropriate to modify the description
of your project to accurately reflect your project. As I mentioned, OWASP
and the GPC do not have the bandwidth to dive into the technical details of
every project, so I am not intimately familiar with the function or
implementation of your project. If ACT functions as a simple wrapper to
Crawljax, then perhaps we should change the description to say as such. If
your project augments/supplements the functionality of Crawljax or does
other things independent of Crawljax, then perhaps we should change the
description to clarify this functionality. Do you agree?

Thanks to Ali, Skyler and Simon for starting this dialogue.


On Tue, Jun 26, 2012 at 7:13 PM, Ali Mesbah <amesbah at ece.ubc.ca> wrote:

>  Dear OWASP Committee Members,
> I am a professor at UBC and the main inventor of Crawljax, the first
> publicly available tool capable of crawling Ajax applications.
> It was just brought to our attention (see email below) that the ACT tool,
> which is also an OWASP project now, is simply putting a UI on top of
> Crawljax (see crawljac.com) and releasing it as a new Ajax crawling tool,
> without giving any credit to Crawljax.
> Crawljax is the result of years of research and development (as evidenced
> by the long list of scientific publications (
> http://crawljax.com/documentation/publications/)) and I don't think it is
> morally justifiable for other people to claim they have a tool capable of
> crawling Ajax, while all they are doing is putting a thin layer of UI on top
> of a complex crawling engine. ACT certainly does not deserve to be an OWASP
> project as such.
> Thank you for your kind consideration,
> Ali Mesbah
> --
> Ali Mesbah, Ph.D., P.Eng.
> University of British Columbia
> http://ece.ubc.ca/~amesbah/
>
> -------- Original Message --------
> Subject: Crawljax and OWASP Zed Attack Proxy
> Date: Tue, 26 Jun 2012 10:23:09 +0100
> From: psiinon <psiinon at gmail.com>
> To: amesbah at ece.ubc.ca
> CC: Guifre Ruiz Utges <guifre.ruiz at gmail.com>
>
> Hi Ali,
> cc Guifre,
> I'm the project lead for the OWASP Zed Attack Proxy <http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project> (ZAP).
> ZAP is a free, open source tool for pentesting webapps and a flagship
> OWASP project.
> Wherever possible we always try to reuse high quality open source
> components rather than reinventing the wheel.
> And we always fully credit <http://code.google.com/p/zaproxy/wiki/HelpCredits> all contributions and 3rd party projects :)
> Guifre is working on a Google Summer of Code project
> <http://code.google.com/p/zaproxy/wiki/GSoC2012> to improve ZAP's ability
> to crawl Ajax applications, initially by enhancing the integration between
> ZAP and another OWASP project (the Ajax Crawling Tool <https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool> / ACT).
> What I didn't realize (until Guifre started looking into it) is that ACT is
> a GUI for Crawljax.
> So I just wanted to reach out to you, explain what we're doing and
> hopefully ensure that you're happy with us integrating Crawljax with ZAP.
> Also, Guifre has been delving into your code and has implemented some
> changes which improve Crawljax's ability to crawl the wivet <http://code.google.com/p/wivet/> benchmarking project.
> Will you be happy to consider including these enhancements?
> If so, how would you like him to report them - via your group, bug tracker
> or ??
> Many thanks,
> Simon Bennetts
> --
> OWASP ZAP: Toolsmith Tool of the Year 2011 <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>