Edgescan has the ability to crawl & scan modern web technologies such as Single-Page Applications and APIs using a collection of proprietary engines that were built with depth, coverage & accuracy as their core objectives.
Version Number: v1.0.1
Published Date: 13 May 2024
____________________________________________________________________________
There is no major difference in principle between Single Page Applications (SPAs) and non-SPA websites; the major differences come in the discovery phase. At one end you may have a website with very little dynamism on the client side that uses standard interactions between pages and between the client and the server. For these pages, a traditional crawler and scanner usually work well.
At the other end, you have a JavaScript-heavy website using non-standard interactions between pages and the server: for example, all the HTML is loaded from JavaScript instead of by following a standard link (an SPA), and the communication is not in a standard format (perhaps a custom binary format over a WebSocket, or a custom AJAX request).
The further you go towards the latter, the more challenges arise:
- How do we discover which endpoints there are? If there are no anchor tags, and everything is created dynamically, traditional spiders start to fail to find anything useful.
- How do we discover which web service calls are made to fetch the data? With a non-dynamic website, there is really no separation between getting the paths/HTML and the data: if you spider/crawl the application, you find both. When the website becomes more dynamic, you now have the challenge of finding not only which pages exist, but also which web services they call.
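The two discovery problems above can be made concrete with a small, added example (this is illustrative code written for this page, not Edgescan's engine or any real framework's code). It contrasts what a traditional spider sees in the static HTML (anchors and form actions) with what a lightweight static pass over the application's JavaScript bundle can recover: API calls made with `fetch`/`axios`, WebSocket URLs and client-side routes. The HTML pages and the bundle are constructed samples; the `loadUser`/`loadOrders`/`router.addRoute` names in the bundle are hypothetical. Unresolved template variables are left as `{name}` placeholders so a tester can see where manual work is still needed.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a server-rendered page whose navigation is plain anchors.
TRADITIONAL_HTML = """
<html><body>
<a href="/products">Products</a>
<a href="/products/42">Widget</a>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

# Constructed sample: an SPA shell. It contains no links at all; the bundle
# builds the whole UI and talks to the back end on its own.
SPA_HTML = """
<html><body>
<div id="root"></div>
<script src="/static/app.bundle.js"></script>
</body></html>
"""

# Constructed sample bundle (hypothetical application code).
SPA_BUNDLE_JS = r"""
const API = "/api/v2";
function loadUser(id) { return fetch(`${API}/users/${id}`).then(r => r.json()); }
function loadOrders() { return fetch('/api/v2/orders?status=open'); }
axios.post("/api/v2/orders", { item: 1 });
const ws = new WebSocket("wss://example.invalid/live");
router.addRoute({ path: "/dashboard" });
router.addRoute({ path: "/settings/profile" });
"""


class _LinkCollector(HTMLParser):
    """Collects anchor hrefs, form actions and script sources from static HTML."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.actions, self.scripts = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def crawl_static(html):
    """What a traditional spider sees: anchors and form actions only.

    Script sources are returned separately because they are the starting
    point for the JavaScript analysis below, not pages to test in themselves.
    """
    p = _LinkCollector()
    p.feed(html)
    return {"pages": sorted(set(p.hrefs + p.actions)), "scripts": p.scripts}


# Patterns for the call sites and route declarations we want to recover.
API_CALL = re.compile(r"""\b(?:fetch|axios\.(?:get|post|put|delete|patch))\(\s*(['"`])(.*?)\1""")
WS_URL = re.compile(r"""new\s+WebSocket\(\s*(['"`])(.*?)\1""")
ROUTE_PATH = re.compile(r"""path\s*:\s*(['"`])(/[^'"`]*)\1""")
CONST_STR = re.compile(r"""\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(['"`])([^'"`]*)\2""")
TEMPLATE_REF = re.compile(r"\$\{([A-Za-z_$][\w$]*)\}")


def discover_from_js(js):
    """Static pass over a bundle: API endpoints, WebSocket URLs and client routes."""
    consts = {name: value for name, _q, value in CONST_STR.findall(js)}

    def resolve(s):
        # Substitute template-literal references to known string constants;
        # anything unknown stays as a {placeholder} so the gap is visible.
        return TEMPLATE_REF.sub(lambda m: consts.get(m.group(1), "{" + m.group(1) + "}"), s)

    endpoints = sorted({resolve(url).split("?")[0] for _q, url in API_CALL.findall(js)})
    sockets = sorted({url for _q, url in WS_URL.findall(js)})
    routes = sorted({path for _q, path in ROUTE_PATH.findall(js)})
    return {"endpoints": endpoints, "websockets": sockets, "routes": routes}


if __name__ == "__main__":
    print("traditional:", crawl_static(TRADITIONAL_HTML))
    print("spa (static crawl):", crawl_static(SPA_HTML))
    print("spa (bundle analysis):", discover_from_js(SPA_BUNDLE_JS))
```

Running it shows the static crawl of the SPA shell yielding no pages at all, while the bundle pass recovers two API endpoints (one with an unresolved `{id}` parameter), a WebSocket URL and two client-side routes. Real bundles are minified and build URLs in far more indirect ways, which is why the static pass is a complement to executing the application in a browser, not a replacement for it.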
Highly dynamic websites rely more and more on a combination of testing techniques to get comprehensive coverage of an application. These testing techniques loosely fall into the Application Security Testing (AST) domain and may be covered by a combination of Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). As with all comprehensive security tests, there will be a level of manual effort involved in the setup and onboarding of an application, regardless of its architecture.
What is a single page application?
A single-page application (SPA) is a web application that lives in a user's browser and allows the user to interact with it without fetching new resources from a server on every request. SPAs rewrite the user's current page rather than loading a new resource from the server after each request. It is common for an SPA to be loaded into a user's browser once, with additional content added to the page dynamically based on user interactions. This is called dynamic loading.
What challenges does this present in security testing?
Edgescan has designed a comprehensive crawling & scanning engine for testing SPAs. The approach uses a combination of AST techniques which fall under the subcategories of SAST and DAST. This includes dynamically building out all the potential interactions of an SPA and invoking tests for them using a combination of SAST and DAST technologies.