Improved Crawling Support for Single Page Applications

Invicti web application security scanners now crawl URI fragments, which extends the scan coverage when scanning target urls that use fragments in routing and navigation.

Improved Crawling Support for Single Page Applications

In the latest March 2020 Update for Netsparker Standard 5.7, we added support for URI fragment crawling. This new capability provides support for crawling fragments, which increases the scan coverage for sites that use fragments for routing and navigation. 

A fragment is a part of a URI which is specified by a hash mark (#) at the end of the URI. It is usually used to quickly navigate to a specific section of the page

Let's look at an example. Suppose you had a heading element like this that represents a title:

<h1 id="title1">Contents</h1>

You could navigate to it using this link: http://example.com/#title1. However, in some web sites, the fragment is used for routing, for example: http://example.com/#page=foo.php. In those sites the value of the fragment affects the page that is being displayed, therefore it affects the scan coverage negatively when the fragment is ignored.

Previously, Netsparker used to ignore fragment part of the URI while crawling the website because it would cause crawling the same pages multiple times and degrade the scan performance. 

With this change, Netsparker is now able to crawl parameters on the URI fragments. Although attacking is not supported yet, we plan to implement it in future versions.

This feature is enabled by default in version 5.7.

For further information on other features in this release, see March Update for Netsparker Standard 5.7.