A Single-Page Application (SPA) is a web application where the contents of the displayed page are updated dynamically as a result of API calls, as opposed to being replaced with an entirely new page as happens in conventional websites.
When it comes to web application scanning, there are two factors to be considered if your target is an SPA:
- The scanner needs to build a map of events (usually JavaScript interactions which trigger API calls), not just a map of pages. This can involve multi-stage processes, whereby a series of events must be repeated in a particular order, with particular payloads, in order to access a given resource.
- The scan will need to target not just the front-end web site, but also the API(s) which receive requests from the application's users.
The first point is a challenge to many automated scanners, but is handled automatically for you in AppCheck simply by using our Standard or Single-Page Application scan profile. You'll find this under Web Application when selecting a profile for your new scan. This profile uses AppCheck's cutting-edge crawling engine specifically designed to understand event-based applications as well as conventional ones.
The second point is addressed by including all relevant URLs in a scan using our Standard or Single-Page Application scan profile. For an SPA to function, requests to the front-end and to the API(s) must happen from the same context, such as the same tab in the user's web browser. Selecting our Standard or Single-Page Application scan profile ensures that the same thing happens within the web application scan process.
This technique can also be used to scan applications which may not strictly fall under the definition of SPA, but where either of the considerations above is relevant. This means essentially any application where the user's browser makes calls to an API. Since there is no downside to this approach, the Standard or Single-Page Application scan profile is our recommendation for most web application scans.
Creating an SPA Scan
Create a Web Application Scan
Follow the guide to create a web application scan for your front-end application.
Add the APIs as Web Application Scan Targets
If your API endpoints are on a different domain from the front-end then they will not be considered part of the front-end application scan target (see Application Scan Targets, Scope, Seeded Targets and Denied Targets for a thorough explanation of scan targets). Therefore you will need to add a second web application scan target to the scan, this time using the root URL of your API.
For example, if your web application scan contains the target https://www.example.com but your API endpoints begin with https://api.example.com then add https://api.example.com as a second scan target.
If your API endpoints are on the same domain as the front-end (just in their own path), for example https://www.example.com/api/, then they will already be included in the scope of the scan (as children of the initial target https://www.example.com), so nothing else is required.
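The scope rule described above, as an added example that is not AppCheck's own code: given the front-end scan target and a list of API endpoints the browser is seen calling, it reports which endpoints are already in scope as children of the target and which API origins need their root URL added as a second scan target. The endpoint list is constructed, and treating a different port or scheme as a separate origin (and therefore a separate target) is an assumption made here.

```python
from urllib.parse import urlsplit


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def _under_path(parent, child):
    """True when child is parent or a sub-path of it; /apps is not under /app."""
    parent = parent.rstrip("/")
    if parent == "":          # target is the site root: every path is a child
        return True
    return child == parent or child.startswith(parent + "/")


def covered_by_target(target, url):
    """True when url is already in scope as a child of scan target `target`."""
    if _origin(target) != _origin(url):
        return False
    return _under_path(urlsplit(target).path, urlsplit(url).path)


def extra_scan_targets(frontend_target, api_endpoints):
    """Root URLs that must be added as additional web application scan targets."""
    extra = []
    for ep in api_endpoints:
        if covered_by_target(frontend_target, ep):
            continue                      # same origin, child path: nothing to add
        scheme, host, port = _origin(ep)
        default = 443 if scheme == "https" else 80
        root = f"{scheme}://{host}" + ("" if port == default else f":{port}") + "/"
        if root not in extra:             # one target per distinct API origin
            extra.append(root)
    return extra


# Constructed sample: endpoints an SPA served from https://www.example.com calls.
OBSERVED_ENDPOINTS = [
    "https://www.example.com/api/v1/users",     # same origin, child path: in scope
    "https://api.example.com/v1/orders",        # different host: needs its own target
    "https://api.example.com/v1/orders/42",     # same origin as above: one target
    "https://www.example.com:8443/api/health",  # different port: assumed separate
    "http://www.example.com/api/legacy",        # different scheme: assumed separate
]

if __name__ == "__main__":
    for root in extra_scan_targets("https://www.example.com", OBSERVED_ENDPOINTS):
        print("add scan target:", root)
```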
Save and Run Your Scan
You have now configured a Single-Page Application scan. You can now save the scan and run/schedule it as required.