How does it work?
Users with Infrastructure licenses
As the name suggests, this license primarily covers the infrastructure level and checks for a wide variety of weaknesses. For example, if you've accidentally exposed your application's database to the internet, forgotten to apply security patches to your web server, or uploaded your code repository to your website's root directory, the scanner should catch it.
Users with Application licenses
The scanning engine used for authenticated scanning works slightly differently. It handles SPAs by fetching the application and running it within a headless browser; it then manipulates the Document Object Model (DOM) and attempts to follow any links it finds, recording a list of paths and parameters for further analysis.
If you have an API Schema for your Single Page Application, then adding this to the application on the Target's Detail Page can improve the overall scanning ability and ensure all your endpoints are scanned. To do this, follow the instructions in this article.
Are there any limitations when scanning SPAs?
Yes, there are limitations when it comes to scanning SPAs. For example:
The more complex and non-standard the SPA (behaviour that departs from established norms or specifications), the less likely it is that the scanner will succeed in interacting with it. As you'd expect, this directly affects coverage and what the scanner detects. That is true of most automated scanners on the market today: they find it difficult to navigate SPAs and to understand how to operate them.
It's also worth noting that we may not be able to crawl SPAs which use Local Storage to present an authenticated page, as we don't currently (v1.0) support the configuration of Local Storage within our headless browser.
At this time (v1.0) our scans are scoped to the target on which you add your authentication. That means that if you add an authentication to portal.intruder.io, the scan will not crawl to pages on internal-api.intruder.io. This can cause issues for single-page applications which use multiple hostnames (for example, a front end on one hostname that calls an API on another); a possible workaround is to add an authentication to each domain/hostname that you wish to be scanned.
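The following is an added example, written for this article and not Intruder's own code, that illustrates two points above: what a DOM crawler records from a rendered SPA (the paths and parameter names behind its links and forms, including hash-style routes), and how a scan scoped to a single hostname misses the other hostnames the application talks to. The rendered page, the bundle fragment and the hostnames (portal.intruder.io, internal-api.intruder.io, auth.intruder.io, billing.intruder.io) are constructed for illustration; the bundle scan is included because endpoints an SPA reaches via fetch/XHR never appear as links in the DOM, so a practitioner checking which hostnames need their own authentication has to look in the JavaScript as well.

```python
"""Added example (not Intruder's code): what a DOM crawler records from a
rendered SPA, and which hostnames a single-target scope leaves uncrawled."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

# Constructed sample: the DOM of an SPA page after a headless browser has
# executed it. Hostnames are illustrative only.
RENDERED_DOM = """
<html><body>
  <a href="/#/dashboard?tab=alerts">Dashboard</a>
  <a href="/reports?from=2024-01-01&to=2024-01-31">Reports</a>
  <a href="https://internal-api.intruder.io/v1/users">Users API</a>
  <a href="mailto:support@intruder.io">Help</a>
  <form action="/search" method="get"><input name="q"><input name="page"></form>
  <form action="https://auth.intruder.io/login" method="post">
    <input name="username"><input name="password" type="password"></form>
</body></html>
"""

# Constructed sample: a fragment of the SPA's JavaScript bundle. Endpoints the
# app calls with fetch/XHR are not <a> links, so only the bundle reveals them.
BUNDLE_JS = """
const API = "https://internal-api.intruder.io/v1";
fetch(API + "/targets").then(r => r.json());
fetch("https://billing.intruder.io/api/invoices");
"""

TARGET = "portal.intruder.io"            # hostname the authentication was added to
BASE_URL = "https://portal.intruder.io/"  # page the crawler started from


class LinkCollector(HTMLParser):
    """Collects anchor hrefs, and form actions with their input names."""

    def __init__(self):
        super().__init__()
        self.anchors = []   # href strings
        self.forms = []     # [action, METHOD, [input names]]
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchors.append(a["href"])
        elif tag == "form":
            self._form = [a.get("action", ""), a.get("method", "get").upper(), []]
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _record(url, method, extra_params):
    """Normalise one URL into host, method, route path and parameter names."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    # Hash routing ("/#/dashboard?tab=alerts") keeps the route in the fragment;
    # the crawler must treat the fragment as the path or every route looks like "/".
    if parts.fragment.startswith("/"):
        path, _, query = parts.fragment.partition("?")
    params = {k for k, _ in parse_qsl(query, keep_blank_values=True)} | set(extra_params)
    return {"host": parts.hostname, "method": method, "path": path, "params": sorted(params)}


def crawl_snapshot(html, base_url):
    """Return the paths and parameter names a DOM crawler would record."""
    collector = LinkCollector()
    collector.feed(html)
    records = []
    for href in collector.anchors:
        if href.startswith(("mailto:", "tel:", "javascript:")):
            continue  # not navigable, nothing to scan
        records.append(_record(urljoin(base_url, href), "GET", []))
    for action, method, names in collector.forms:
        records.append(_record(urljoin(base_url, action), method, names))
    return records


HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def bundle_hosts(js):
    """Hostnames hard-coded as absolute URLs in the JavaScript bundle."""
    return set(HOST_RE.findall(js))


def needs_own_auth(records, hosts, target):
    """Hostnames a scan scoped to `target` will not crawl into; each of these
    would need its own authentication configured to be covered."""
    seen = {r["host"] for r in records} | set(hosts)
    return sorted(h for h in seen if h and h != target)


if __name__ == "__main__":
    recs = crawl_snapshot(RENDERED_DOM, BASE_URL)
    for r in recs:
        print(r)
    print("outside scope of", TARGET, ":", needs_own_auth(recs, bundle_hosts(BUNDLE_JS), TARGET))
```

Run as-is it lists five crawlable records (the mailto: link is dropped, the hash route is resolved to /dashboard with parameter tab) and reports auth.intruder.io, billing.intruder.io and internal-api.intruder.io as hostnames a scan scoped to portal.intruder.io would not reach. The same two steps, reading links out of the rendered DOM and pulling absolute URLs out of the bundle, are a quick way to decide which hostnames need an authentication added before scanning.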
If the scans are unsuccessful the first time around, it's worth adding an API Schema to your target (if one is available) and scanning again, as this greatly improves the scanner's coverage of SPAs.
Regardless of whether your web applications are single-page or not, we'd recommend trying out a free trial (if you haven't already). It may still surprise you to see what we find!