About Single-page Application Scans

This topic describes single-page application (SPA) support for crawling and auditing the Document Object Model (DOM) of an application.

The Challenge of Single-page Applications

Developers use JavaScript frameworks such as Angular, Ext JS, and Ember.js to build SPAs. These frameworks make it easier for developers to build applications, but more difficult for security testers to scan those applications for security vulnerabilities.

Traditional sites use simple back-end server rendering, in which the complete HTML web page is constructed on the server side. SPAs and other “Web 2.0” sites use front-end DOM rendering, or a mix of front-end and back-end rendering. With SPAs, if the user selects a menu item, the entire page can be erased and recreated with new content; however, selecting the menu item does not generate a request for a new page from the server. The content update occurs without reloading the page.

With traditional vulnerability testing, the event that triggers the new content can discard other events that the crawler previously collected on the SPA for audit, because the DOM elements those events were attached to no longer exist. Through its SPA support, WebInspect offers a solution to the challenge of vulnerability testing on SPAs.
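The rendering behaviour and the lost-events problem described above, as an added example that is not part of the WebInspect documentation: a constructed in-memory stand-in for the DOM (the `Node` class and the three-item menu are assumptions, not a real framework) where a menu click erases and rebuilds the page client-side, so click targets gathered on an earlier crawl pass are detached and must be collected again after the event.

```javascript
// Constructed minimal DOM model; a real browser DOM is not needed to show the effect.
class Node {
  constructor(tag, text = "") {
    this.tag = tag; this.text = text; this.children = []; this.handlers = {}; this.parent = null;
  }
  append(child) { child.parent = this; this.children.push(child); return child; }
  on(event, fn) { this.handlers[event] = fn; }
  dispatch(event) { if (this.handlers[event]) this.handlers[event](); }
  // A node is attached only if every ancestor still lists it as a child up to the root.
  isAttached(root) {
    let n = this;
    while (n !== root) {
      if (!n.parent || !n.parent.children.includes(n)) return false;
      n = n.parent;
    }
    return true;
  }
}

// Constructed SPA: selecting a menu item re-renders the whole page from the front end.
// No request is sent to the server during navigation, so this list stays empty.
const requestsToServer = [];
function render(root, view) {
  root.children = [];                                  // erase the entire page ...
  for (const item of ["home", "account", "help"]) {
    const li = root.append(new Node("li", item));
    li.on("click", () => render(root, item));          // ... and recreate it with fresh handlers
  }
  root.append(new Node("section", `view:${view}`));
}

// Crawler-style collection: every node that currently carries a click handler.
function collectClickTargets(root) {
  const found = [];
  (function walk(n) { if (n.handlers.click) found.push(n); n.children.forEach(walk); })(root);
  return found;
}

// Collect events on the first pass, trigger one, then see which collected targets survived.
function crawlThenNavigate() {
  const root = new Node("body");
  render(root, "home");
  const before = collectClickTargets(root);
  before[1].dispatch("click");                         // user selects the "account" menu item
  const survivors = before.filter(n => n.isAttached(root)).length;
  const after = collectClickTargets(root);             // SPA-aware crawl: re-collect after the event
  return { collected: before.length, survivors, afterCount: after.length,
           serverRequests: requestsToServer.length, view: root.children[3].text };
}
```

Every target from the first pass is detached after the click, while a second collection pass finds the three freshly created handlers; this is why an SPA-aware crawler must re-examine the DOM after each event it fires.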

Enabling SPA Support

When you enable SPA support, the DOM script engine finds JavaScript includes, frame and iframe includes, CSS file includes, and AJAX calls during the crawl, and then audits all traffic generated by those events.

You can enable SPA support in the scan settings or in Guided Scan.

Caution! SPA support should be enabled for single-page applications only. Enabling SPA support when scanning a non-SPA website results in a slow scan.

See also

Scan Settings: JavaScript

Using the Predefined Template

Using the Mobile Scan Template

Using the Native Scan Template