Web applications nowadays use AJAX features to give their users a responsive interface. XmlHttpRequest is the technique used to pull data from the server in the background.
Have you ever asked yourself how to track down security issues in your XmlHttpRequests without losing too much time? Well, Chorizo! gives you the answer: the proxy mode. By using Chorizo! in this (preferred) mode, you can be sure that every request your application makes (whether it is an XmlHttpRequest call or a Flash client that pulls data from a PHP script in the background) will be seen by Chorizo! and thus scanned for security flaws.
There’s also a so-called „CGI browsing mode“ where you just enter the start URL of your site and Chorizo! then tries to rewrite all the links it can find in the HTML page. This CGI mode doesn’t give you the full advantage: imagine you have JavaScript in your page that builds links from variables etc. – Chorizo! can’t successfully rewrite all those links. If you combine the proxy mode with the „Scan while browsing“ background scanning mode, you unlock the full potential of the application.
It might be interesting to note that the proxy itself was written in PHP :-) We measured that it can perform up to 100 scans per second. To protect your server from a DoS attack ;-), we implemented a heuristic that automatically reduces the number of parallel scans if the server doesn’t respond fast enough.
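To illustrate what such a back-off heuristic can look like, here is an added example (my own sketch, not Chorizo!’s PHP code): a limiter that starts at full parallelism, halves the number of parallel scans whenever a window of responses is mostly slow, and adds one slot back when a whole window is fast. The 800 ms threshold, window size and latency samples are assumptions constructed for the demo.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ScanThrottle:
    """Adaptive limit on parallel scans, driven by the target's response times.

    Starts at max_parallel; after every `window` responses it either halves
    the limit (too many slow responses), adds one slot (all fast), or keeps it.
    """
    max_parallel: int = 16
    slow_ms: float = 800.0     # a response above this is "not fast enough" (assumed threshold)
    window: int = 8            # responses evaluated per decision
    slow_ratio: float = 0.5    # back off once this share of the window is slow
    parallel: int = field(init=False)
    _samples: deque = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self.parallel = self.max_parallel
        self._samples = deque(maxlen=self.window)

    def record(self, latency_ms: float) -> int:
        """Feed one response time and return the currently allowed parallelism."""
        self._samples.append(latency_ms)
        if len(self._samples) < self.window:
            return self.parallel                      # not enough evidence yet
        slow = sum(1 for s in self._samples if s > self.slow_ms)
        self._samples.clear()                         # one decision per window
        if slow / self.window >= self.slow_ratio:
            self.parallel = max(1, self.parallel // 2)                 # multiplicative decrease
        elif slow == 0:
            self.parallel = min(self.max_parallel, self.parallel + 1)  # additive increase
        return self.parallel

    def free_slots(self, in_flight: int) -> int:
        """How many more scan requests may be started right now."""
        return max(0, self.parallel - in_flight)


# Constructed response times (ms) for four windows of four: fast, mostly slow,
# all slow, then fast again. Not measurements from any real server.
SAMPLE_LATENCIES_MS = [100, 120, 90, 110,
                       1500, 1600, 200, 1700,
                       900, 950, 1000, 1100,
                       100, 100, 100, 100]


def replay(latencies, **kwargs) -> list:
    """Return the allowed parallelism after each response in `latencies`."""
    throttle = ScanThrottle(**kwargs)
    return [throttle.record(ms) for ms in latencies]


if __name__ == "__main__":
    print(replay(SAMPLE_LATENCIES_MS, window=4))
```

With the constructed samples the limit drops from 16 to 8 and then 4 as the server slows, and climbs back to 5 once it recovers.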
If you want to give it a try, here’s a sneak peek (screenshots!) at Morcilla, our upcoming server-side PHP extension, which will only be available with commercial accounts.