Archive for the ‘Random Stuff’ Category

January 30th, 2011

Groundspeed is now a reviewed Firefox addon

Last Friday Groundspeed passed the Mozilla review to become a ‘public’ add-on. This basically means there will be no more install ‘malware danger’ warnings and users with older versions should be prompted to update to the most recent version.

I am impressed with the speed of the review by the Add-on Editors team; it took less than a week to complete. I am sure they have a lot of work, so it’s great that they are able to move things along so efficiently. I am seriously thinking about volunteering some time to the review process.

February 15th, 2010

3,000 groundspeed downloads since November

Groundspeed just passed the 3,000 download mark this weekend. That is an average of about 29 downloads a day since it came out last November! The single day with the most downloads was Jan 27, with 343 downloads, or one download every 5 minutes.

Most Groundspeed users seem to be in the United States (61%); the UK and Germany tie for second with 7%, followed by Spain (6%), France (5%) and Brazil (2%).

It’s surprising and nice to see so many people interested! If you have installed Groundspeed and have comments, suggestions or bug reports, send me an email or leave a comment here!

January 11th, 2010

Thinking about the nature of input data

When we manually test web applications we tend to treat all input data the same way: we set up an HTTP proxy, intercept the requests and manipulate them.

But interesting data, from the perspective of the penetration tester, can come from very different places on the client side: HTML forms in the user interface, client-side JavaScript code, hard-coded query strings in the HTML, cookies or other HTTP headers, etc.

Think about how painful it can be to perform manual tests on an AJAX application using only an HTTP proxy. Most of the requests are asynchronous and it is hard to understand the data they contain. It is much easier to work directly at the JavaScript layer using a debugger like Firebug, because reading the code associated with the AJAX requests provides the context we are missing to understand the data.

Client-side HTTP proxies are “catch-all” tools: they work for all types of input data because everything goes to the server via HTTP. Maybe there are opportunities to improve testing if we take the nature of the input data more into account. We could think about new tools that are better integrated into the client-side process instead of sitting in front of it, waiting to intercept the raw HTTP traffic as it leaves the browser.
