Support for Single-Page Applications

A single-page application (SPA) is a web application that mimics the behavior of a desktop application, i.e., instead of loading a new page every time the user interacts with the application, it retrieves all necessary code (HTML, JS, CSS) with a single page load and dynamically rewrites the current page using Javascript and AJAX requests (to an API) as the user interacts with it.

A web scanner can only scan pages that it knows about, therefore, the first important job of a scanner is to crawl the web application in order to find all pages or all sections of the web application. The crawler feeds the scanner with pages to be scanned.

SPAs present a challenge to scanners, mainly because traditional crawlers don’t deal well with Javascript-rich applications. In order to crawl a SPA, the crawler needs to interpret and render JavaScript code, much like a modern browser.

Probely is able to scan SPAs from day 0, but there was a problem: when you add a target (domain) to Probely, it only scans pages within that target (domain). For those SPAs that call an API on another domain, Probely would leave those API calls out from the scanning phase.

We are happy to announce that today we added support for SPAs that call APIs on domains different from the target’s.

If you want to scan a SPA, all you have to do is, on the target’s settings, add the domains of the API. It’s that simple! If you need a specific header or cookie on all requests to the API, you can add it under the Custom Cookies or Custom Headers section, on the same page.

If you haven’t an account with Probely yet, click here to start your free trial.