Scanning Single-page Applications
This topic describes single-page application (SPA) support for crawling and auditing the Document Object Model (DOM) of an application.
The Challenge of Single-page Applications
Developers use JavaScript frameworks such as Angular, Ext JS, and Ember.js to build SPAs. These frameworks make it easier for developers to build applications, but more difficult for security testers to scan those applications for security vulnerabilities.
Traditional sites use back-end server rendering: the complete HTML page is constructed on the server. SPAs and other Web 2.0 sites use front-end DOM rendering, or a mix of front-end and back-end rendering. In an SPA, selecting a menu item can erase and recreate the entire page content, yet that event does not request a new page from the server; the content is updated in the browser without reloading the page.
In traditional vulnerability testing, the event that triggers the new content can destroy other events that the scanner had previously collected from the SPA for audit. Through its SPA support, the dynamic sensor addresses this challenge of vulnerability testing on SPAs.
Configuring SPA Support
When SPA support is enabled, the DOM script engine finds JavaScript includes, frame and iframe includes, CSS file includes, and AJAX calls during the crawl, and then audits all traffic generated by those events.
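The following is an added example (not code from the product or its documentation) that models the two points above: a menu click in an SPA issues API requests and rewrites the page in place, so a crawl that only reads the static HTML sees none of those endpoints, while a recorder wrapped around the app's request function captures the traffic each event generates. The app, the request function and the back end are constructed stand-ins; the names are assumptions.

```javascript
// Request recorder: wraps the app's request function so every call an event
// triggers is captured, analogous to what a DOM-executing sensor audits.
function createRequestRecorder(requestImpl) {
  const requests = [];
  return {
    requests,
    request(method, url) {
      requests.push({ method, url });
      return requestImpl(method, url);
    },
  };
}

// Constructed stand-in for the back-end API, so the example runs offline.
function fakeBackend(method, url) {
  const category = new URL(url, 'http://spa.example').searchParams.get('category');
  return [{ id: 1, name: `${category}-item` }];
}

// Minimal SPA model: a menu click replaces the content area in place. There is
// no navigation, so a crawler that only follows <a href> never sees /api/items,
// and the handlers attached to the old content are gone after the re-render.
function createSpa(request) {
  const dom = { content: '<a href="/about">About</a>', handlers: ['aboutLink'] };
  return {
    dom,
    menuClick(category) {
      const items = request('GET', `/api/items?category=${encodeURIComponent(category)}`);
      dom.content = `<ul>${items.map((i) => `<li>${i.name}</li>`).join('')}</ul>`;
      dom.handlers = items.map((i) => `item${i.id}`); // previously collected events are lost
      return dom.content;
    },
  };
}

// Static href extraction: what a non-DOM crawl of the served HTML would yield.
function staticLinks(html) {
  return [...html.matchAll(/href="([^"]+)"/g)].map((m) => m[1]);
}

function demo() {
  const rec = createRequestRecorder(fakeBackend);
  const spa = createSpa(rec.request);
  const beforeClick = staticLinks(spa.dom.content);
  spa.menuClick('books');
  spa.menuClick('tools');
  return { beforeClick, recorded: rec.requests, afterClick: staticLinks(spa.dom.content) };
}
```

Running demo() shows one static link before any event, two recorded API requests that no static crawl would find, and no links at all in the re-rendered content.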
To configure SPA support:
- Under Single-Page Applications on the Details page, select one of the following options:
  - Automatic - If the sensor detects an SPA framework, it automatically switches to SPA-support mode.
  - Disabled - Indicates that SPA frameworks are not used in the target application.
  - Enabled - Indicates that SPA frameworks are used in the target application.
Caution! Enable SPA support for single-page applications only. Enabling SPA support to scan a non-SPA website results in a slow scan.