Sprajax

Sprajax is a web application scanner designed specifically for applications built on AJAX frameworks. It is a black-box scanner, which means it does not need to be preconfigured with details of the target application. It works by first identifying the AJAX framework in use, which lets it generate framework-specific test cases and so produce fewer false positives. Sprajax can also identify typical application vulnerabilities such as XSS and SQL injection. It first enumerates the application's AJAX functions and then fuzzes them by sending random values. Fuzzing is the process of sending many probes to the target and analyzing the responses in order to detect when one of the probes triggers a vulnerability. The URL for the OWASP Sprajax Project is https://www.owasp.org/index.php/Category:OWASP_Sprajax_Project.
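To make the fuzz-and-observe loop concrete, the following is an added Python example, not Sprajax's own code: a constructed in-process stand-in for an AJAX handler, its hardened counterpart, and a small fuzzer that substitutes probe values into each parameter and flags two response signals, a leaked server error and unescaped reflection of markup. The handler names, probe list and error-message patterns are assumptions made for the illustration.

```python
import html
import json
import re

# Constructed stand-in for an AJAX endpoint (not Sprajax's code). It reflects
# `name` unescaped and leaks a database error for an unexpected `sort` value.
def toy_handler(params):
    name = params.get("name", "")
    sort = params.get("sort", "asc")
    if sort not in ("asc", "desc"):
        return 500, json.dumps({"error": f"SQL syntax error near '{sort}'"})
    return 200, json.dumps({"html": f"<p>Hello {name}</p>"})

# The same endpoint hardened: allow-list check with a generic error message and
# HTML-escaped output, so the probes below no longer change its behaviour.
def hardened_handler(params):
    name = params.get("name", "")
    sort = params.get("sort", "asc")
    if sort not in ("asc", "desc"):
        return 400, json.dumps({"error": "invalid sort parameter"})
    return 200, json.dumps({"html": f"<p>Hello {html.escape(name)}</p>"})

# Probe values substituted for each parameter (constructed, not Sprajax's list).
PROBES = ["<svg onload=1>", "'", "\"'><", "-1 OR 1=1", "A" * 64]
ERROR_LEAK = re.compile(r"SQL syntax|ORA-\d{5}|Unclosed quotation|Traceback", re.I)
MARKUP = re.compile(r"[<>\"']")

def reflected_verbatim(probe, body):
    """True if the probe comes back unchanged in a JSON string value (or raw body)."""
    try:
        values = json.loads(body).values()
    except (ValueError, AttributeError):
        return probe in body
    return any(isinstance(v, str) and probe in v for v in values)

def fuzz(handler, baseline, param_names):
    """Send every probe in each parameter and return (param, probe, signal)
    for responses that show an error leak or unescaped reflection of markup."""
    findings = []
    for param in param_names:
        for probe in PROBES:
            status, body = handler({**baseline, param: probe})
            if status >= 500 or ERROR_LEAK.search(body):
                findings.append((param, probe, "error-leak"))
            elif MARKUP.search(probe) and reflected_verbatim(probe, body):
                findings.append((param, probe, "reflected-markup"))
    return findings
```

Running `fuzz(toy_handler, {"name": "alice", "sort": "asc"}, ["name", "sort"])` reports the reflection in `name` and the error leak in `sort`, while the same call against `hardened_handler` returns an empty list.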

Besides ACT and Sprajax, the Burp Suite proxy and OWASP ZAP provide tools to crawl an AJAX website, but manually crawling the application remains a major part of the reconnaissance process, because an AJAX-based application may contain many hidden URLs that are only exposed once the logic of the application is understood.
