Can ZAP be used for SPA application

I have a SPA application (AngularJS front end / RESTful WebAPI back end). The SPA by design uses client-side routing, i.e. a typical "page" looks like

http://contosco.com#/page1

http://contosco.com#/page2

... etc.

I know that ZAP has an "ajax spidering" mode in which it can get URLs "from JavaScript". However, the active scan just makes HTTP requests, so I doubt ZAP can be used in this scenario, or am I wrong?

Diamagnetic asked 18/8, 2016 at 14:24

What sort of vulnerabilities are you looking for?

Your application will still have to make HTTP requests, so ZAP will still be able to test those.

We also have a DOM XSS scanner (https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsDomxssDomxss), which you can download from the ZAP Marketplace. This launches a browser to detect DOM XSS vulnerabilities.

Also very happy to write more client-side rules, just tell us what you are looking for...

Asphaltite answered 19/8, 2016 at 9:59 (5 comments)
Diamagnetic: If the ascan hits contosco.com#/page1, unless the ascan understands JavaScript (which it does not currently) it won't load the correct HTML views, thus it can't validate the possible XSS vulnerabilities.

Asphaltite: The DOM XSS scanner launches a browser, which does understand JavaScript. I'm not saying that it will definitely find all possible XSS vulnerabilities, but if you have examples of ones it can't find then please let us know.

Asphaltite: So you're having problems with a free and open source tool, and you've decided the best approach is to get stroppy with one of the maintainers on a 4-year-old Stack Overflow thread? Interesting approach, and not one I'd really recommend, but YMMV.

Diamagnetic: @SimonBennetts - got a notification from the recent activity here. I think it essentially boils down to a request for a first-party experience for SPA crawling, i.e. the spider should crawl the map of client routes and persist them. So when I have HTML like <a href="contosco.com#menu"> and <a href="contosco.com#profile">, those links should be persisted; when testing, the browser should load such a URL, wait for the SPA JavaScript to render the content, then test the HTML. Do you think it makes sense to raise this on GitHub?

Asphaltite: No need, we're well aware of this restriction and plan to address it when we have enough time :)
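The two points the answer and its comments turn on, modelled in plain Node as an added example that is not part of the original thread and is not ZAP's own code: first, the fragment part of a client-routed URL (`#/page1`) never leaves the browser, so an intercepting proxy only ever sees the path and query plus the REST calls the SPA issues itself; second, a route handler that copies part of that fragment into `innerHTML` is a DOM XSS sink that only shows up when the page's JavaScript actually runs, which is why the DOM XSS add-on drives a browser rather than replaying requests. The `contosco.com` host, the `/profile/<name>` route, the fake view element and the probe string are all assumptions for illustration; ZAP's real check uses a live browser and its own payloads.

```javascript
// Added example; not code from the thread above or from the ZAP project.
// Models two facts about scanning hash-routed SPAs:
//   1. The fragment (#/page1) never leaves the browser, so a proxy such as ZAP
//      only sees the path and query plus the REST calls the SPA issues itself.
//   2. A route handler that writes part of the fragment into innerHTML is a DOM
//      XSS sink that is only observable by executing the page's JavaScript.
// "contosco.com" and the /profile/<name> route are assumptions for illustration.

// 1. What the proxy observes for a client-routed URL: everything before '#'.
//    (URL is a Node global; the browser drops u.hash before sending the request.)
function requestPathSeenByProxy(spaUrl) {
  const u = new URL(spaUrl);
  return u.pathname + u.search;
}

// Split "#/view/param" into a route object (a minimal stand-in for the SPA's router).
function parseHashRoute(hash) {
  const parts = hash.replace(/^#\/?/, '').split('/');
  return { view: parts[0] || 'home', param: parts.slice(1).join('/') };
}

// Minimal stand-in for the element the SPA renders views into (Node has no DOM).
// It only records what the renderer assigned, which is all a sink check needs.
function makeViewElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable renderer: the route parameter flows unencoded into innerHTML.
// A server-side scanner never sees this, because the parameter lives in the fragment.
function renderProfileVulnerable(hash, view) {
  const route = parseHashRoute(hash);
  view.innerHTML = '<h1>Profile: ' + decodeURIComponent(route.param) + '</h1>';
}

// HTML-encode the characters that matter in an element context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened renderer: same view, parameter encoded before it reaches the sink.
function renderProfileHardened(hash, view) {
  const route = parseHashRoute(hash);
  view.innerHTML = '<h1>Profile: ' + escapeHtml(decodeURIComponent(route.param)) + '</h1>';
}

// What a browser-driven DOM XSS check does in outline: place a marker payload in
// the fragment, let the client code run, then look for the marker reaching the
// sink unencoded. The probe string is a constructed example, not ZAP's payload set.
const PROBE = '<img src=x onerror=alert(1)>';
function domXssProbe(renderer) {
  const view = makeViewElement();
  renderer('#/profile/' + encodeURIComponent(PROBE), view);
  return view.innerHTML.includes(PROBE);
}

// Stand-alone demo: run with `node` to see both facts side by side.
console.log('proxy sees for http://contosco.com#/page1 :', requestPathSeenByProxy('http://contosco.com#/page1'));
console.log('vulnerable renderer reflects probe :', domXssProbe(renderProfileVulnerable));
console.log('hardened renderer reflects probe   :', domXssProbe(renderProfileHardened));
```

The first `console.log` line prints `/`, which is exactly what the active scanner has to work with for `http://contosco.com#/page1`; the two probe lines come out `true` and `false`. The encoded form of the probe survives `parseHashRoute` because `encodeURIComponent` also encodes `/`, so the whole payload stays in one route parameter.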
