How does it work?
Users with Infrastructure licenses
As the name suggests, scans under this license work at the infrastructure level and check for a wide variety of vulnerabilities. For example, if you've accidentally exposed your application's database to the internet, forgotten to apply security patches to your web server, or uploaded your code repository to your website's root directory, the scanner should catch it.
Users with Application licenses
ℹ️ Note: If your web application makes requests to a different subdomain or cross-domain, please check out our "Adding allowed domains for web application scans" article.
The scanning engine used for authenticated scanning works slightly differently. It handles SPAs by fetching the application and running it in a headless browser. It then interacts with the Document Object Model (DOM) and attempts to follow any links it discovers, recording a list of paths and parameters for further analysis.
If you have an API Schema for your single-page application, then adding this to the application on the Target's Detail Page can improve the overall scanning ability and ensure all your endpoints are scanned. To do this, follow the instructions in this article.
Are there any limitations when scanning SPAs?
We utilise two capable spiders with a high success rate on SPAs, so you should find that your SPA scans well. However, there are some factors to consider:
The more complex and non-standard the SPA (behaviour that departs from common norms and specifications), the less likely the scanner is to interact with it successfully. As you'd expect, this directly affects coverage and what the scanner detects, but that is true of most automated scanners on the market today: they find it difficult to navigate and operate SPAs.
It's also worth noting that we may have difficulty crawling SPAs that rely on Local Storage to present an authenticated page, as we don't currently (v1.2) support configuring Local Storage in our headless browser. If the application decides whether you are logged in by reading a token from Local Storage rather than from a cookie, the crawler may therefore only see the unauthenticated view.
At this time (v1.2), scans are scoped to the target you added your authentication to, plus the network requests to any additional cross-domains or subdomains specified in that target's authentication method. Please check out our "Adding allowed domains for web application scans" article to learn how to add additional cross-domains and subdomains to your target's authentication method.
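To make the crawling and scoping behaviour described above concrete (following links, recording paths and parameters, and staying within the target plus its allowed domains), here is an added illustrative example. It is not Intruder's scanner code; the host names, the SCOPE object and the sample hrefs are all made up, and the wildcard "*.host" convention for subdomains is an assumption for the example rather than a description of how allowed domains are configured in the product.

```javascript
// Added illustrative example (not Intruder's scanner code): the link bookkeeping a
// headless-browser crawler keeps while following links in a SPA, with a v1.2-style
// scope rule applied: only the authenticated target plus its allowed cross-domains
// and subdomains are revisited. All host names below are made up.

// Hypothetical scope: the target the authentication was added to, plus the allowed
// domains configured for it. "*.host" is this example's way of matching subdomains.
const SCOPE = {
  target: "app.example.com",
  allowed: ["api.example.com", "*.auth.example.com"],
};

function hostMatches(hostname, pattern) {
  // Wildcard entries match subdomains; everything else must match exactly, so a
  // look-alike such as app.example.com.attacker.net is never treated as in scope.
  if (pattern.startsWith("*.")) return hostname.endsWith(pattern.slice(1));
  return hostname === pattern;
}

function inScope(hostname, scope = SCOPE) {
  return [scope.target, ...scope.allowed].some((p) => hostMatches(hostname, p));
}

// Resolve one href against the page URL and reduce it to host, path and the names
// of its parameters. Values are deliberately dropped so that /orders?id=1 and
// /orders?id=2 are recorded once, as a single endpoint with parameter "id".
function normaliseLink(href, baseUrl) {
  let url;
  try {
    url = new URL(href, baseUrl);
  } catch {
    return null; // unparsable href
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null; // javascript:, mailto:, tel:

  let path = url.pathname;
  let query = url.search;
  // Hash-based SPA routes (/#/route?x=1) keep the real route in the fragment, so a
  // crawler that ignored the fragment would record only "/".
  if (url.hash.startsWith("#/")) {
    const [routePath, routeQuery] = url.hash.slice(1).split("?", 2);
    path = `${url.pathname}#${routePath}`;
    query = routeQuery ? `?${routeQuery}` : "";
  }
  const params = [...new Set(new URLSearchParams(query).keys())].sort();
  return { host: url.hostname, path, params };
}

// Walk a list of hrefs pulled from the DOM and return the unique in-scope endpoints
// to revisit, plus the hosts that were skipped as out of scope.
function collectEndpoints(hrefs, baseUrl, scope = SCOPE) {
  const endpoints = new Map();
  const outOfScope = new Set();
  for (const href of hrefs) {
    const link = normaliseLink(href, baseUrl);
    if (!link) continue;
    if (!inScope(link.host, scope)) {
      outOfScope.add(link.host);
      continue;
    }
    const key = `${link.host}${link.path}?${link.params.join("&")}`;
    if (!endpoints.has(key)) endpoints.set(key, link);
  }
  return { endpoints: [...endpoints.values()], outOfScope: [...outOfScope].sort() };
}

// Constructed sample input: hrefs as a crawler might extract them from a rendered SPA.
const SAMPLE_HREFS = [
  "/dashboard",
  "/orders?id=17",
  "/orders?id=42", // same endpoint as above, different value
  "https://app.example.com/orders?id=9&sort=desc", // extra parameter: a new endpoint
  "#/account?tab=profile", // hash route
  "https://api.example.com/v1/users?page=2", // allowed cross-domain
  "https://login.auth.example.com/session", // allowed via *.auth.example.com
  "https://cdn.thirdparty.net/lib.js", // out of scope
  "https://app.example.com.attacker.net/", // look-alike host, out of scope
  "javascript:void(0)",
  "mailto:support@example.com",
];

const report = collectEndpoints(SAMPLE_HREFS, "https://app.example.com/");
console.log(JSON.stringify(report, null, 2));
```

Running this yields six endpoints (the two /orders?id links collapse into one, the hash route is kept as /#/account with parameter tab) and two skipped hosts. The exact-match rule is the security-relevant part: a scanner that scoped by substring would happily follow app.example.com.attacker.net and send the authenticated session there.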
If the scans are unsuccessful the first time around, it's worth adding an API Schema to your target (if one is available) and scanning again, as this greatly improves the scanning of SPAs.
Regardless of whether your web applications are single-page or not, we'd recommend trying a free trial (if you haven't already) – it may still surprise you to see what we find!
