All Collections
External vulnerability scanning
Can Intruder Scan Single-Page Applications?
Can Intruder Scan Single-Page Applications?
How does Intruder fare when vulnerability scanning SPAs?
Updated over a week ago

How does it work?

Users with Infrastructure licenses

As the name suggests, the license primarily works on the infrastructure level and checks for a wide variety of vulnerabilities. For example, if you've accidentally exposed your application's database to the internet; forgotten to apply security patches to your web server; or uploaded your code repository to your website root directory – the scanner should catch it.

Users with Application licenses

The scanning engine associated with authenticated scanning works slightly differently. It handles SPAs by fetching the application and running it within a headless browser; it then manipulates the Document Object Model (DOM) and attempts to follow any links it finds – recording a list of paths and parameters for further analysis.

If you have an API Schema for your Single Page Application, then adding this to the application on the Target's Detail Page can improve the overall scanning ability and ensure all your endpoints are scanned. To do this, follow the instructions in this article.

Are there any limitations when scanning SPAs?

Yes, there are limitations when it comes scanning SPAs. For example, the more complex and abnormal the SPA (behaviour that is against standard norms/specs), the less likely it is for the scanner to succeed in interacting with it. As you’d expect, this can have a direct impact on the coverage and what’s detected by the scanner – but that’s true of most automated scanners on the market today – they find it difficult to navigate and understand how to operate SPAs.

It's also worth noting that we may not be able to crawl SPAs which use Local Storage to present an authenticated page, as we don't currently (v1.0) support the configuration of Local Storage within our headless browser.

If the scans are unsuccessful the first time around, it's worth adding an API Schema to your target and scanning again (if this is possible) as this greatly improves the scanning ability of SPAs.

Regardless of whether your web applications are single-page or not – we’d recommend trying out a free trial (if you haven't already) – it may still surprise you to see what we find!

Did this answer your question?