Can Intruder Scan Single-Page Applications?

How does Intruder fare when vulnerability scanning SPAs?

Written by Naomi Purvis
Updated over a week ago

How does it work?

Users with Infrastructure licenses

As the name suggests, the license primarily works on the infrastructure level and checks for a wide variety of vulnerabilities. For example, if you've accidentally exposed your application's database to the internet, forgotten to apply security patches to your web server, or uploaded your code repository to your website root directory, the scanner should catch it.

Users with Application licenses

The scanning engine associated with authenticated scanning works slightly differently. It handles SPAs by fetching the application and running it within a headless browser; it then manipulates the Document Object Model (DOM) and attempts to follow any links it finds – recording a list of paths and parameters for further analysis.

If you have an API Schema for your Single Page Application, then adding this to the application on the Target's Detail Page can improve the overall scanning ability and ensure all your endpoints are scanned. To do this, follow the instructions in this article.

Are there any limitations when scanning SPAs?

We use two capable spiders which have a great success rate when scanning SPAs, so you should see good results with yours. However, there are some factors to consider:

  • The more complex and abnormal the SPA (behaviour that is against standard norms/specs), the less likely the scanner is to interact with it successfully. As you’d expect, this can directly affect coverage and what the scanner detects. That is true of most automated scanners on the market today: they find it difficult to navigate SPAs and understand how to operate them.

  • It's also worth noting that we may experience some difficulties crawling SPAs which use Local Storage to present an authenticated page, as we don't currently (v1.0) support the configuration of Local Storage within our headless browser.

  • At this time (v1.0) our scans are scoped to the target on which you add your authentication. That means that if you add an authentication to the scan will not crawl to pages on This can cause issues for some single-page applications which use multiple endpoints; a possible workaround would be adding authentication to each domain/hostname that you wish to be scanned.

If the scans are unsuccessful the first time around, it's worth adding an API Schema to your target and scanning again (if this is possible) as this greatly improves the scanning ability of SPAs.
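The hostname scoping limitation above can be checked ahead of a scan. The following is an added example, not Intruder's code: it reads a HAR export of a browsing session and lists the hostnames the SPA calls that fall outside the target's hostname, with the paths and parameter names seen on each. The HAR sample and all hostnames are constructed placeholders.

```python
"""Added example: find SPA backends outside a scan target's hostname scope."""
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: a trimmed HAR export (browser dev tools) recorded while
# using a hypothetical SPA. All hostnames are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://app.example.com/"}},
    {"request": {"method": "GET", "url": "https://app.example.com/static/main.js"}},
    {"request": {"method": "POST", "url": "https://auth.example.com/oauth/token"}},
    {"request": {"method": "GET", "url": "https://api.example.com/v1/users?page=2&sort=name"}},
    {"request": {"method": "GET", "url": "https://api.example.com/v1/users?page=3"}},
    {"request": {"method": "GET", "url": "https://API.example.com:443/v1/orders?id=7"}},
]}})


def hosts_by_scope(har_text, target_host):
    """Group requested paths and parameter names by hostname.

    Returns (in_scope, out_of_scope); each maps
    host -> {(method, path): set of query parameter names}.
    """
    target = target_host.lower().rstrip(".")
    in_scope, out_of_scope = defaultdict(dict), defaultdict(dict)
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # skip data:, blob: and browser-extension entries
        # .hostname is lowercased and excludes port and userinfo
        host = parts.hostname.rstrip(".")
        bucket = in_scope if host == target else out_of_scope
        params = {name for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
        bucket[host].setdefault((req["method"], parts.path or "/"), set()).update(params)
    return dict(in_scope), dict(out_of_scope)


if __name__ == "__main__":
    _, missing = hosts_by_scope(SAMPLE_HAR, "app.example.com")
    for host, endpoints in sorted(missing.items()):
        print(f"{host}: outside the target's scope, needs its own authentication")
        for (method, path), params in sorted(endpoints.items()):
            print(f"  {method} {path} params={sorted(params)}")
```

Each hostname it reports is a candidate for the workaround described above, and the per-host path list is a quick sanity check against your API Schema.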

Regardless of whether your web applications are single-page or not – we’d recommend trying out a free trial (if you haven't already) – it may still surprise you to see what we find!
