Scanning Single-page Applications in Base Settings

This topic describes single-page application (SPA) support for crawling and auditing the Document Object Model (DOM) of an application.

The Challenge of Single-page Applications

Developers use JavaScript frameworks such as Angular, Ext JS, and Ember.js to build SPAs. These frameworks make it easier for developers to build applications, but more difficult for security testers to scan those applications for security vulnerabilities.

Traditional sites use simple back-end server rendering, which involves constructing the complete HTML web page on the server side. SPAs and other Web 2.0 sites use front-end DOM rendering, or a mix of front-end and back-end DOM rendering. With SPAs, if the user selects a menu item, the entire page can be erased and recreated with new content. However, the event of selecting the menu item does not generate a request for a new page from the server. The content update occurs without reloading the page from the server.

With traditional vulnerability testing, the event that triggered the new content might destroy other events that were previously collected on the SPA for audit. Through its SPA support, the dynamic sensor offers a solution to the challenge of vulnerability testing on SPAs.

Configuring SPA Support

When SPA support is enabled, the DOM script engine finds JavaScript includes, frame and iframe includes, CSS file includes, and AJAX calls during the crawl, and then audits all traffic generated by those events.

To configure SPA support:

See Also

Configuring Base Settings Details