Scan Settings: JavaScript

To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Scan Settings category, select JavaScript.

JavaScript Settings

The JavaScript analyzer allows Fortify WebInspect to crawl links defined by JavaScript, and to create and audit any documents rendered by JavaScript.

Tip: To increase the speed at which Fortify WebInspect conducts a crawl while analyzing script, change your browser options so that images/pictures are not displayed.

Configure the settings as described in the following table.

Option Description
Crawl links found from script execution

If you select this option, the crawler will follow dynamic links (i.e., links generated during JavaScript execution).

Verbose script parser debug logging

If you select this setting AND if the Application setting for logging level is set to Debug, Fortify WebInspect logs every method called on the DOM object. This can easily create several gigabytes of data for medium and large sites.

Log JavaScript errors

Fortify WebInspect logs JavaScript parsing errors from the script parsing engine.

Enable JS Framework UI Exclusions

With this option selected, the Fortify WebInspect JavaScript parser ignores common jQuery and Ext JS user interface components, such as a calendar control or a ribbon bar. These items are then excluded from JavaScript execution during the scan.

Max script events per page

Certain scripts endlessly execute the same events. You can limit the number of events allowed on a single page to a value between 1 and 9999. The default value is 1000.

Enable Site-Wide Event Reduction

When this option is selected, the crawler and JavaScript engine recognize common functional areas that appear among different parts of the website, such as common menus or page footers. This eliminates the need to find within HTML content the dynamic links and forms that have already been crawled, resulting in quicker scans. This option is enabled by default and should not normally be disabled.

SPA Support

SPA support applies to single-page applications. When enabled, the DOM script engine finds JavaScript includes, frame and iframe includes, CSS file includes, and AJAX calls during the crawl, and then audits all traffic generated by those events.

Options for SPA support are:

  • Automatic - If Fortify WebInspect detects a SPA framework, it automatically switches to SPA-support mode.

  • Enabled - Indicates that SPA frameworks are used in the target application.

    Caution! SPA support should be enabled for single-page applications only. Enabling SPA support to scan a non-SPA website will result in a slow scan.

  • Disabled - Indicates that SPA frameworks are not used in the target application.

For more information, see About Single-page Application Scans.


See Also

Scan Settings: Allowed Hosts

Scan Settings: Authentication

Scan Settings: Cookies/Headers

Scan Settings: File Not Found

Scan Settings: Filters

Scan Settings: General

Scan Settings: HTTP Parsing

Scan Settings: Method

Scan Settings: Policy

Scan Settings: Proxy

Scan Settings: Requestor

Scan Settings: Session Exclusions

Scan Settings: User Agent