Single Page Application (SPA) Security Scanning
SPAs (Single Page Applications) are a relatively new approach to building web applications that leverages client-side scripting and asynchronous HTTP requests to deliver faster transitions in response to user interactions. The promise of SPAs is the delivery of dynamic web-based applications that mimic the “feel” of native applications running locally on a device. The popularity of SPAs has soared in recent years as users familiar with native apps demand the same responsiveness from web applications. The model has been used to power major websites such as Netflix, PayPal, and Google Maps.
But new paradigms bring new security challenges. Legacy scanners that assume a traditional stateless page-redraw model underperform significantly when tasked with scanning SPAs, which rely on rich client-side scripting and make heavy use of API calls to retrieve resources.
SPAs require different security assessment techniques, a different mindset, and a different approach. To ensure that Single Page Applications are suitably covered, secured and robust, SPA-specific vulnerability scanning needs to be a key priority for any organisation that operates a modern web presence. The AppCheck scanner has been developed in-house by expert penetration testers. It can natively navigate SPAs and scan them contextually and intelligently, in the same context-aware manner a penetration testing expert would, using the same advanced and battle-tested methodologies.
How does SPA Web App Scanning work?
AppCheck implements a proprietary scan engine specifically dedicated to SPA scanning. Developed in-house, the scan engine uses a headless browser to natively execute and intercept all client-side scripting interactions and API responses, enabling it to contextually navigate and scan even the most complex Single Page Applications.
When driving the application through a browser, the scanner applies a range of crawling styles suited to modern applications. For example, it may use heuristics to identify the key menu navigation components of a given web application, which lets it focus on broad navigation; it may concentrate on form-based user input to perform page-local navigation; or it may employ more basic techniques akin to traditional link scraping (performed through the browser rather than against raw HTML) to ensure good coverage of an application’s attack surface. Continual improvement of our crawling technology is a key focus of research at AppCheck, as we push the effectiveness of automated scanning to its limits.
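The interception described above, as an added example that is not AppCheck's code: a hook of the kind a headless-browser crawler installs before driving an SPA. It wraps `fetch()` and `history.pushState()` on a browser-like global, collapses ids so parametrised API calls become one endpoint template, and hands back a scan queue. The global object, the origin `app.example` and the helper names (`installSpaRecorder`, `templatePath`, `scanQueue`, `demo`) are all constructed assumptions so the script runs in Node without a network.

```javascript
// Added example, not AppCheck's code: the hook a headless-browser SPA crawler
// installs before driving a page. It wraps fetch() and history.pushState() on a
// browser-like global, collapses ids so parametrised API calls become one
// endpoint template, and hands back a scan queue. All inputs are constructed.
const BASE = "http://app.example"; // constructed origin for relative URLs
function templatePath(path) {
  // /api/orders/42 and /api/orders/43 are one endpoint to a scanner.
  return path
    .replace(/[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}/gi, "{uuid}")
    .replace(/\/\d+(?=\/|$)/g, "/{id}");
}

function installSpaRecorder(g) {
  const endpoints = new Map(); // "METHOD /template" -> times observed
  const routes = new Set();    // client-side routes seen via pushState
  const origFetch = g.fetch;
  g.fetch = function (input, init) {
    // Record synchronously, before the real request is issued.
    const url = new URL(typeof input === "string" ? input : input.url, BASE);
    const method = ((init && init.method) || "GET").toUpperCase();
    const key = `${method} ${templatePath(url.pathname)}`;
    endpoints.set(key, (endpoints.get(key) || 0) + 1);
    return origFetch.call(g, input, init);
  };
  const origPush = g.history.pushState;
  g.history.pushState = function (state, title, url) {
    routes.add(new URL(url, BASE).pathname);
    return origPush.call(g.history, state, title, url);
  };
  return { endpoints, routes };
}

// Deterministic list of what the scanner should exercise next.
function scanQueue(rec) {
  return [...rec.endpoints.keys()].sort();
}

// Drive a constructed stand-in for window (no network, no real navigation)
// the way an SPA's own code would, then read back what was observed.
function demo() {
  const g = { fetch: () => Promise.resolve({ ok: true }), history: { pushState: () => undefined } };
  const rec = installSpaRecorder(g);
  g.history.pushState({}, "", "/orders");
  g.fetch("/api/orders/42");
  g.fetch("/api/orders/43");
  g.fetch("/api/orders/42/items?page=2");
  g.fetch("/api/users/3f2a9c1e-8d4b-4c2e-9a1f-0b7e6d5c4a3b", { method: "DELETE" });
  return { queue: scanQueue(rec), routes: [...rec.routes] };
}
```

In a real crawler the same hooks run inside the headless browser's page context, so the queue reflects every API call the client-side code actually made rather than only the links visible in the HTML.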
Benefits of AppCheck
AppCheck gives us the ability to quickly identify vulnerabilities and zero days, and to provide assurance to the business.
Why choose AppCheck?
More basic vulnerability scanners may solely identify CVEs (Common Vulnerabilities and Exposures entries), which are matched on the basis of recognised patterns and software versions. AppCheck’s web application scanner, by contrast, is designed by experienced penetration testers, making it more thorough and accurate at identifying complex issues.
The AppCheck crawling engine uses a combination of application modelling techniques and subtle heuristic cues to automatically discover the complete attack surface of any given application in the shortest time possible. The algorithms are designed to model how a penetration tester or attacker would explore the application, detecting subtle vulnerabilities that other tools often miss and opening up attack vectors that are inaccessible to less sophisticated crawlers.