[GPC] [GPC-Mailbox] Fwd: Crawljax and OWASP Zed Attack Proxy

Jason Li jason.li at owasp.org
Thu Jun 28 04:12:22 UTC 2012

Skyler - thanks for the quick response and I hope that we can facilitate an
open dialogue between all parties. It's neither my intention nor desire for
you to simply drop ACT if it is using Crawljax in a manner that is
consistent with its open source license.

Ali - from Skyler's response below, it sounds like the ACT is very much in
the process of growing to more than just a wrapper of Crawljax and he
appears very willing to acknowledge the role Crawljax plays in the ACT

There appears to be a lot of issues and history at play. I trust that we
can all act in good faith and have a constructive dialogue to resolve any


On Wed, Jun 27, 2012 at 11:51 PM, Skyler Onken <skyler.onken at gmail.com> wrote:

> Jason,
> I have been trying to communicate with Mr. Mesbah with no response. In my
> communiques I have told him that such changes would be made, and noted that
> I have indeed granted appropriate credits to the Crawljax program from the
> onset of the Fuzzops-NG project, and the ACT project which falls within
> that scope. From my first blog post (
> http://securityreliks.securegossip.com/2011/10/its-alive-and-so-am-i/) to
> all project discussions never has anything been portrayed except what ACT
> does and its strong dependency on Crawljax.
> I have also explained to Mr. Mesbah how the ACT is a module for a larger
> effort which is a rewrite of a previously existing project. The Fuzzops
> project being an attempt to fully automate the fuzzing of web applications
> and web services. I imagine that at the onset of the Crawljax project it
> looked like little more than a wrapper to the Selenium library. I would hope
> that Mr. Mesbah would then also give recognition to the Selenium project in
> the same degree from which he expects from the ACT project; seeing as we
> used Crawljax documentation as an example in our own crediting of
> dependencies, I would say their current crediting is therefore
> insufficient. However, I do recognize the limited requirements of such
> crediting under the Apache license and don't see anything morally wrong
> with what they currently display.
> There seems to be an issue with the term "tool". Perhaps there is a lack
> of exposure to the security field to understand that Crawljax on its own is
> neither dynamic nor clear enough on its own to be used practically by a
> large majority of security professionals. In fact, I would state that
> Crawljax is more of a library than a tool on its own. In no way does this
> diminish from the breakthroughs of the Crawljax project. The ACT module was
> submitted to OWASP because of its clear benefit to the community in
> exposing the Crawljax functionality in an easy to use manner.
> That being recognized, the issue seems to be the amount or degree of
> recognition being granted to Crawljax from the ACT resources is not
> satisfactory and is perceived as distracting public support from the
> Crawljax project.  In reality ACT has already shown to have benefited the
> Crawljax project in terms of popularity and contributors. It has even led
> to GSoC students contributing to the code base, something that the Crawljax
> project has either not been capable of or interested in doing on its own.
> Ironically it seems that this ACT generated activity has offended Mr.
> Mesbah enough for him to feel morally justified in taking such a pejorative
> and accusatory tone while not responding to my communications. Overall I
> feel the tone has been quite self-serving and unprofessional.
> I have honored Mr. Mesbah's request and have removed the ACT source from
> its public repository. I would expect the courtesy of no others
> republishing or reusing my code in any degree, specifically the custom
> modules. I apologize for whatever issues this may present for the GSoC
> students. This whole thing seems to be quite contrary to the true spirit of
> open source and it's regrettable to see it. I will leave the latest jar
> available for download, but will also remove those if that too offends the
> Crawljax community.
> Skyler
> On Jun 27, 2012, at 10:32 PM, Jason Li wrote:
> Ali - thanks for bringing this to our attention. As a volunteer organization,
> we don't have the bandwidth to track the status of each individual project
> and so we depend on folks like you to raise any concerns. As an
> organization where all of our content is open, we certainly preach
> open-source ideals and principles. I hope that we can all come together in
> that spirit and start a dialogue to address your concerns.
> Skyler - please see the thread below regarding the AJAX Crawling Tool. As
> an open source project that heavily leverages another open source project,
> I think it would be courteous to acknowledge the role Crawljax plays in
> your project. I also think it may be appropriate to modify the description
> of your project to accurately reflect your project. As I mentioned, OWASP
> and the GPC do not have the bandwidth to dive into the technical details of
> every project, so I am not intimately familiar with the function or
> implementation of your project. If ACT functions as a simple wrapper to
> Crawljax, then perhaps we should change the description to say as such. If
> your project augments/supplements the functionality of Crawljax or does
> other things independent of Crawljax, then perhaps we should change the
> description to clarify this functionality. Do you agree?
> Thanks to Ali, Skyler and Simon for starting this dialogue.
> -Jason
> On Tue, Jun 26, 2012 at 7:13 PM, Ali Mesbah <amesbah at ece.ubc.ca> wrote:
>>  Dear OWASP Committee Members,
>> I am a professor at UBC and the main inventor of Crawljax, the first
>> publicly available tool capable of crawling Ajax applications.
>> It was just brought to our attention (see email below) that the ACT tool,
>> which is also an OWASP project now, is simply putting a UI on top of
>> Crawljax (see crawljac.com) and releasing it as a new Ajax crawling
>> tool, without giving any credit to Crawljax.
>> Crawljax is the result of years of research and development (as evidenced
>> by the long list of scientific publications (
>> http://crawljax.com/documentation/publications/) and I don't think it is
>> morally justifiable for other people to claim they have a tool capable of
>> crawling Ajax, while all they are doing is putting a thin layer of UI on top
>> of a complex crawling engine. ACT certainly does not deserve to be an OWASP
>> project as such.
>> Thank you for your kind consideration,
>> Ali Mesbah
>> --
>> Ali Mesbah, Ph.D., P.Eng.
>> University of British Columbia
>> http://ece.ubc.ca/~amesbah/
>> -------- Original Message --------
>> Subject: Crawljax and OWASP Zed Attack Proxy
>> Date: Tue, 26 Jun 2012 10:23:09 +0100
>> From: psiinon <psiinon at gmail.com>
>> To: amesbah at ece.ubc.ca
>> CC: Guifre Ruiz Utges <guifre.ruiz at gmail.com>
>> Hi Ali,
>> cc Guifre,
>> I'm the project lead for the OWASP Zed Attack Proxy <http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project> (ZAP).
>> ZAP is a free, open source tool for pentesting webapps and a flagship
>> OWASP project.
>> Wherever possible we always try to reuse high quality open source
>> components rather than reinventing the wheel.
>> And we always fully credit <http://code.google.com/p/zaproxy/wiki/HelpCredits> all contributions and 3rd party projects :)
>> Guifre is working on a Google Summer of Code project
>> <http://code.google.com/p/zaproxy/wiki/GSoC2012> to improve ZAP's ability
>> to crawl Ajax applications, initially by enhancing the integration between
>> ZAP and another OWASP project (the Ajax Crawling Tool <https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool> / ACT).
>> What I didn't realize (until Guifre started looking into it) is that ACT
>> is a GUI for Crawljax.
>> So I just wanted to reach out to you, explain what we're doing and
>> hopefully ensure that you're happy with us integrating Crawljax with ZAP.
>> Also, Guifre has been delving into your code and has implemented some
>> changes which improve Crawljax's ability to crawl the wivet <http://code.google.com/p/wivet/> benchmarking project.
>> Will you be happy to consider including these enhancements?
>> If so, how would you like him to report them - via your group, bug
>> tracker or ??
>> Many thanks,
>> Simon Bennetts
>> --
>> OWASP ZAP: Toolsmith Tool of the Year 2011 <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>