Single-Page Applications (or SPAs) are becoming increasingly common and offer many advantages. But, just like any other application, they should be scanned for vulnerabilities. Before queueing up HawkScan and hitting run, you will want to break up your scan. And here is why.
Scanning SPAs
When scanning a Single Page Application, it is essential to consider its two sides. The front end of your App, where the majority of user interaction occurs. And the back end of your App, where all the actual actions are being made for it to function.
These two sides of your application are quite different in terms of how they should be scanned and their potential vulnerabilities. Because of this, breaking it up into separate Front-End and Back-End scans allows you to be more specific and tailor the scanner for each side of your application.
Scanning the Front End
The front end of Single Page Applications is usually relatively simple compared to the API behind it. Often, there is very little to no Authentication required to scan the front end, and it typically can be scanned in its entirety with the crawling of HawkScans Base or Ajax Spiders.
Because the front end of a Single Page Application is not processing any data, the vulnerabilities that typically live within it are not severe and oftentimes are site-wide vulnerabilities that expand outside of the app itself.
Scanning the API
Scanning the API (or Back-End) of your Single Page Application requires a little more heavy lifting. This is where the application is taking action and making requests to a server. A more intensive authentication flow will be required for the scanner to run tests, and a more specific means for path discovery will be needed. This is where something like an Open API Specification can be used to supplement found paths.
Check out our guides on Authenticated Scanning here!
Scanning the API of your Single Page Application is more likely to produce higher-risk results, as this is where sensitive data is handled. Ensuring that you effectively and accurately scan this portion of your application is critical to finding important vulnerabilities.
Additional Resources
While breaking up your SPA scans by it's front and back ends is pretty straightforward. We completely understand if you have more questions and we are happy to help! Please don't hesitate to contact our support team!
You can contact us by emailing support@stackhawk.com or by using the chat widget on our website!