Key Points
If you're responsible for the security and/or maintenance of a website or web app, you're more than likely familiar with the concepts of multi-page applications (MPAs) and single page applications (SPAs). While understanding the difference between them is half the battle, knowing how that difference affects your vulnerability scans is just as important. In this blog, we'll explain the differences and how you can make sure your SPA security is up to scratch by scanning it for vulnerabilities and fixing what the scan finds.
What is a single page application?
In the simplest terms, an SPA is a web page where the content is generated and displayed on a single HTML page initially, with the content updated dynamically as the user interacts with it instead of loading a new page for every interaction.
Why is this useful? The web app loads significantly quicker, as it doesn't need to reload items that are always present (think of the header navigation on a website, which includes pages like 'About us' or 'Join us'). As a result, a lot of modern web apps are SPAs: the user experience tends to be faster and more responsive because the browser doesn't need to keep loading full HTML pages.
SPAs first became popular in the early 2010s, and have only grown in popularity over time.
Single page application vs multi page application
In a surprise to no one, MPAs work in the opposite way to SPAs. They consist of multiple HTML pages representing distinct sections of an application. When a user navigates between sections, each page is loaded completely fresh, with all assets on the page loaded. This means if you have a consistent navigation bar on every page of your web app, it'll load each time you navigate to a new page.
Compared to SPAs, the user experience of MPAs is less seamless, load times can be slower, and they rely on more traditional server-side rendering. It's the older method of building web apps, and is more commonly associated with web apps built before the 2010s.
There are plenty of other differences between SPAs and MPAs, such as the improved user experience and easier maintenance when using an SPA. However, what we care about is how to secure them with a vulnerability scan.
Scanning a single page application for vulnerabilities
Scanning an SPA for vulnerabilities is not an easy task. But because so many organizations use SPAs for critical parts of their business, it's vitally important to scan SPAs for weaknesses. Luckily, there are ways to scan SPAs and keep them secure.
To scan a web app, we first need to spider it. This means crawling through every part of the web app and creating a site map in the process, which tells us every part of your app that needs to be scanned for potential vulnerabilities. Certain elements of a page may only exist once JavaScript has run in the browser, and those elements are invisible to more traditional spiders that only read the HTML returned by the server.
We've asked our very own Arran Cardnell, Software Engineer at Intruder, to explain what scanning SPAs is like, and why it's important:
"An SPA is a bit like a choose your own adventure, but now it's a pull-out book as well, which only opens if you're indoors, and where you need to pull on tabs and lift flaps to figure out what the next page is to go to. And then you have to do the same thing on those new pages. And sometimes, pulling a tab on page 3 and lifting a flap on page 51 means you can now slide out something else on page 76. So you need to try every combination of tab pulling and flap lifting throughout the whole book to get all the content. Exploring a book this way is time-consuming and you're more likely to miss things.
To translate that to our real-world scenario, reading an HTML document and looking for 'a' tags (HTML tags which define hyperlinks) which point to other pages is fairly trivial for non-SPAs. For SPAs, loading a web app in the browser, waiting for the page to load and then clicking every possible button, tab, form or combination of those is slow, error-prone and can get stuck in repetitive loops."
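To make the spidering problem described above concrete, here is an added example (not Intruder's scanner, and not code from the original post) of a traditional 'a'-tag spider run over two constructed in-memory sites: an MPA whose navigation is plain HTML, and an SPA whose navigation is only created by JavaScript. The hostnames and page contents are made up for the example.

```python
"""Traditional 'a'-tag spider over a constructed in-memory site (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlsplit


class LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag, the way a non-JS spider does."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html, base_url):
    """Return absolute, fragment-free, same-origin URLs linked from one page."""
    parser = LinkExtractor()
    parser.feed(html)  # text inside <script> is data, not markup, so JS-built links are not seen
    origin = urlsplit(base_url).netloc
    found = set()
    for href in parser.hrefs:
        absolute = urldefrag(urljoin(base_url, href)).url
        if urlsplit(absolute).netloc == origin:  # stay on the scanned host only
            found.add(absolute)
    return found


def spider(site, start):
    """Breadth-first crawl of `site` (url -> html); the result is the site map."""
    queue, seen = [start], {start}
    while queue:
        url = queue.pop(0)
        for link in extract_links(site.get(url, ""), url):
            if link not in seen:  # de-duplicate so loops like /join -> /join#form terminate
                seen.add(link)
                queue.append(link)
    return seen


# Constructed MPA: navigation is server-rendered HTML, so every page is reachable.
MPA = {
    "https://mpa.example/": '<nav><a href="/about">About us</a><a href="/join">Join us</a></nav>',
    "https://mpa.example/about": '<a href="/">Home</a><a href="https://other.example/x">external</a>',
    "https://mpa.example/join": '<a href="/join#form">Form</a>',
}
# Constructed SPA: the same 'About us' link only exists after the script runs in a browser.
SPA = {
    "https://spa.example/": '<div id="app"></div><script>document.getElementById("app")'
                            '.innerHTML=\'<a href="/about">About us</a>\';</script>',
}
```

Running `spider(MPA, "https://mpa.example/")` maps all three MPA pages, while `spider(SPA, "https://spa.example/")` maps only the start page: the SPA's /about route never appears in the served HTML, which is why SPA scanning needs a spider that executes the JavaScript rather than just parsing tags.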
Regardless of what kind of web app you run, the important point is that you scan it regularly to ensure it stays secure.
The importance of scanning web applications
- Data Protection: Scanning web apps for vulnerabilities can be a crucial consideration when protecting sensitive user data. Identifying and addressing security weaknesses helps prevent unauthorized access, safeguarding confidential information and maintaining user trust. If your web app houses sensitive customer data, keeping that data safe and secure should be a key concern for your security team.
- Security Posture: Regular vulnerability scanning ensures that your web apps remain resilient against evolving cyber threats. By proactively addressing vulnerabilities, organizations can stay ahead of potential attacks, minimizing the downtime, financial losses, and reputational damage associated with a security breach. Every organization should build a strong vulnerability management program, and regularly scanning web apps and other internet facing assets is a fundamental part of doing so.
- Meeting Compliance Standards: If you've ever had to prove to a third-party or auditor that your organization is compliant, you'll know that becoming compliant is not easy. When gaining compliance, a lot of organizations will try to adhere to the policies of a particular framework like SOC 2, ISO 27001, or Cyber Essentials. In the process, organizations need to prove that they're regularly scanning for weaknesses in their environment, and using a vulnerability management platform helps to achieve this aspect of compliance. Demonstrating a commitment to web app security best practices through regular vulnerability assessments helps guide you on your compliance journey.
If you need a reminder why you can’t afford to ignore web application security, attacks on apps are involved in 26% of all breaches and app security is a major concern for ¾ of enterprises. If you embed testing with a vulnerability scanner throughout your entire development lifecycle, you can find and fix problems earlier, deliver cleaner and safer code, and make all your applications more robust, reliable and safe.
Scanning single-page applications
If this sounds like a lot to manage, we agree with you! Luckily, we know of an intuitive platform that empowers users to scan their SPAs and get a prioritized list of issues based on the results of the scan (hint: it's Intruder). Set up and scan your SPAs in Intruder for free on our 14-day trial.