Scanning Single Page Applications

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

The scanning approach for single-page applications leverages a dedicated DOM parser, designed to ensure thorough coverage for modern web apps that rely on complex JavaScript interactions. The DOM parser simulates user actions, such as mouse clicks and hovers, to detect changes within the application. This enables Invicti Enterprise to track modifications triggered by user interactions, like button presses or form submissions, and include them in the scan.

Invicti Enterprise also handles form submissions automatically, even for those using client-side scripts. By filling out and submitting forms based on pre-configured rules in the Scan Policy settings, it can bypass client-side security measures, enabling a more in-depth security assessment of the application. Unless a parameter is crawled, it will not be scanned.

This document describes how to configure the JavaScript analyzer for single-page applications in Invicti Enterprise.

How to configure the JavaScript Analyzer

While an out-of-the-box installation of Invicti Enterprise can scan single-page applications, you can configure some additional settings. Follow the steps below to configure the JavaScript analyzer.

  1. Select Policies > New Scan Policy from the left-side menu.
  2. Enter the policy Name and Description.
  3. In the JavaScript tab, ensure the Analyze JavaScript/AJAX checkbox is selected.
  4. Complete the remaining fields to ensure all the necessary details are provided. For more information, refer to our Configuring scan policies documentation.
  5. Click Save at the bottom of the page.

Completing the configuration of the JavaScript analyzer for single-page applications means that your scan settings are now optimized to thoroughly analyze modern web apps with complex JavaScript interactions. The analyzer is prepared to handle dynamic content changes and simulate user interactions effectively, ensuring a comprehensive security assessment of your application. You can now use this configured scan policy to perform scans that detect vulnerabilities across your entire single-page application.
