Can ZAP be used for SPA application

Question

I have a SPA application (angularjs front end/restfull WebAPI back end). SPA is by design using client routing - i.e. typical "page" looks like

http://contosco.com#/page1

http://contosco.com#/page2

.. etc

I know that ZAP has "ajax spidering" mode in which it can get urls "from javascript". However the active scan is just making http requests - so I doubt the ZAP can be used in this scenario - or am I wrong ?

score 1 · Answer 1 · answered Aug 19 '16 at 09:59

1

What sort of vulnerabilities are you looking for?

Your application will still have to make http requests, so ZAP will still be able to test those.

We also have a DOM XSS scanner https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsDomxssDomxss which you can download from the ZAP Marketplace. This will launch a browser to detect DOM XSS vulnerabilities.

Also very happy to write more client side rules, just tell us what you are looking for...

answered Aug 19 '16 at 09:59

Simon Bennetts

5,479
1
14
26

If the ascan will hit http://contosco.com#/page1 - unless the ascan understands javascript (which it does not currently) it won't load the correct html views, thus it can't validate the possible XSS vulnerabilities. – Ondrej Svejdar Aug 19 '16 at 13:47
The DOM XSS scanner launches a browser, which _does_ understand javascript. I'm not saying that it will definitely find all possible XSS vulnerabilities, but if you have examples of ones it cant find then please let us know. – Simon Bennetts Aug 23 '16 at 07:18
So you're having problems with a free and open source tool, and you've decided the best approach is to get stroppy with one of the maintainers on a 4 year old stackoverflow thread? Interesting approach, and not one I'd really recommend, but YMMV – Simon Bennetts May 27 '20 at 12:12
@SimonBennetts - got a notification from the recent activity here - I think it essentially boils down to request to have first party experience for SPA crawling - i.e. the spider should crawl map of client routes and persist them. So when I do have html like and those links should be persisted; when testing the browser should load such url; wait for SPA javascript to render the content, then test the html. Do you think it makes sense to raise this on github ? – Ondrej Svejdar May 27 '20 at 14:22
1

No need, we're well aware of this restriction and plan to address it when we have enough time :) – Simon Bennetts May 27 '20 at 16:11

Can ZAP be used for SPA application

1 Answers1