Single Page Application (SPA) Security Scanning
SPAs (Single Page Applications) are a relatively new approach to building web applications which leverage client-side scripting and asynchronous HTTP requests to deliver faster transitions in response to user interactions. The promise of SPAs is the delivery of dynamic web-based applications that mimic the “feel” of native applications that run locally on a device. The popularity of SPAs has soared in recent years as clients familiar with native apps demand the same performance from web applications. The model has been used to power major websites such as Netflix, PayPal, and Google Maps.
But new paradigms mean new security challenges. Legacy scanners that depend upon web applications implementing a traditional stateless page-redraw model underperform significantly when tasked with scanning SPAs that leverage rich client-side scripting and make heavy use of API calls for resource retrieval.
SPAs require different security assessment techniques, a different mindset, and a different approach. Ensuring that Single Page Applications are suitably covered, secured and robust, SPA-specific vulnerability scanning needs to be a key priority for any organisation that operates a modern web presence. The AppCheck scanner has been developed by in-house, expert penetration testers. It can natively navigate, and contextually and intelligently scan, SPAs. It does so in the exact same, context-aware manner as a penetration testing expert would and using the same advanced and battle-tested methodologies.
How does SPA Web App Scanning work?
AppCheck implements a proprietary scan engine specifically dedicated to SPA scanning. Developed in-house, the scan engine uses a headless browser to natively execute and intercept all client-side scripting interactions and API responses, enabling it to contextually navigate and scan even the most complex Single Page Applications.
When driving the application through a browser, the scanner applies various crawling styles suitable for modern applications: for example it may use heuristics to identify the key menu navigation components of a given web application, which allows it to focus on broad navigation; or it may focus attention on form-based user input to perform page-local navigation; or it may employ more basic techniques more akin to traditional link scraping (though instead through the browser) to ensure good coverage of an application’s attack surface. Constant improvement to our crawling technology is a key focus of research at AppCheck, as we push the effectiveness of automated scanning to the limits.
Benefits of AppCheck
Incorporates a full client-side stack built on a headless browser to natively execute and assess client-side scripting – delivering deeper and richer capabilities to detect weaknesses in client-side logic or reliance upon client-only validation than scanners built using synthetic modelling techniques.
Implements proprietary logic developed in house to deliver comprehensive test coverage that provides detection of all OWASP Top 10 Web Application Security Weaknesses – with specific SPA coverage – including Cross-Site Scripting (XSS), Broken Access Control, and Data Exposure weaknesses.
Ability to programmatically interact with and trigger all DOM events within SPAs, manipulating actions and monitoring for weaknesses in SPAs written using common JavaScript frameworks including AngularJS, Ember.js, Meteor.js, and Knockout.js.
Whether you just want to run a quick scan or are a power user who needs ultimate control, AppCheck allows complete flexibility. Scans can be run in a few clicks using profiles built by our security experts or built from scratch using the profile editor.
Lightweight and user-focused proprietary scripting language, dubbed “GoScript”, developed entirely in-house and which can be leveraged to direct the scanner’s interaction with an SPA within the headless browser, in order to navigate complex multi-stage navigation and authentication flows which may be required to access screened portions of the application that other scanners simply cannot reach.
Catch vulnerabilities early to avoid costly mistakes. Continuous assurance from automated scanning repeated as often as every code deploy. Quicker fixes take the strain off your team and shorten the attack window.
AppCheck gives us the ability to quickly identify vulnerabilities and zero days, and to provide assurance to the business.
Why choose AppCheck?
More basic vulnerability scanners may solely identify CVEs – common cybersecurity vulnerabilities that are identified based on recognised patterns and software versions. However, AppCheck’s web application scanner is designed by experienced penetration testers, making it more thorough and accurate at identifying complex issues.
The AppCheck crawling engine uses a combination of application modelling techniques and subtle heuristic cues to automatically discover the complete attack surface of any given application in the shortest time possible. The algorithms are designed to model how a penetration tester or attacker would explore the application, to detect subtle vulnerabilities that other tools often miss and opening up attack vectors that are inaccessible to less sophisticated crawlers.
Trusted by hundreds of brands worldwide
