Burp Suite User Forum


Test Single page Apps (SPA)

GHOSH, | Last updated: Sep 01, 2021 11:34PM UTC

Hi, I have noticed that the scanner is unable to scan URLs and relevant functionality in a single page application. Is there a recommended way to get the best out of Single Page Application scans?

Ben, PortSwigger Agent | Last updated: Sep 03, 2021 08:26AM UTC

Hi Sayasmito,

At this precise moment in time (as of release 2021.8.2) the following information is applicable in terms of what Burp can and cannot handle.

Currently we can support:
- Page transitions that do not make any requests to the backend server
- Page transitions that only make asynchronous requests to the backend server
- Anchors, buttons and forms that use JavaScript and/or event handlers to trigger navigation

We are currently working on:
- Auditing asynchronous requests made as part of a page transition

Currently we have the following four caveats to how Burp works with SPAs:
1) Clickable elements that are not anchors or buttons will not yet be interacted with
2) If two pages are similar and use URL fragments to distinguish between them, the crawler may not identify them as separate pages (changing the crawl optimization to thorough/most complete may improve this)
3) The site map and logger only capture HTTP traffic and will, as such, not accurately map pages in a SPA that did not have synchronous requests as part of their load
4) We will only audit requests that are initiated as a direct result of a crawler action (e.g. clicking an anchor with an onclick handler that creates an XHR request). Any requests that are initiated passively by being on the page for a length of time (e.g. using setTimeout/setInterval functions) will not be audited.

As the site map and logger do not accurately reflect how well the crawler is dealing with a single page application, a headed crawl is the best way to assess this (you can enable headed crawls from within the crawl scan configuration settings and there are more details on how to do this here - https://portswigger.net/burp/documentation/desktop/scanning/crawl-options).

We would recommend carrying out the following workflow approach to identify what is happening during your scan (hopefully the flow detailed below makes sense and is formatted in a way that you can understand):

If the number of crawled locations is low
    Then
        If a headed crawl does not appear to be interacting with the links on the page
            Then inspect the links
                If the links are not anchors or buttons
                    Then Caveat 1 applies
                Otherwise
                    If the site uses fragments to identify the pages
                        Then Caveat 2 applies
Otherwise
    If the site map is not being populated
        If a headed crawl appears to be moving around the site well
            Then Caveat 3 applies
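To see each of the four caveats in a headed crawl, here is a small fixture page written for this thread (an added example, not PortSwigger's own code): every route is served from the one document, the `/api/...` endpoints are placeholders, and each element is annotated with the caveat it exercises, so you can compare what the crawler clicks against what turns up in the site map and logger.

```html
<!doctype html>
<html lang="en">
<head><meta charset="utf-8"><title>SPA crawler calibration fixture</title></head>
<body>
  <nav>
    <!-- Supported: anchor whose click handler triggers a navigation -->
    <a href="#/home" id="home-link">Home</a>
    <!-- Supported: button that uses an event handler to navigate -->
    <button id="about-btn">About</button>
    <!-- Caveat 1: clickable element that is neither an anchor nor a button -->
    <div id="contact-div" role="link" style="cursor:pointer">Contact</div>
  </nav>
  <main id="view"></main>
  <script>
    // Caveat 2: routes are told apart only by the URL fragment and render near-identical markup.
    const routes = {
      '#/home':    '<h1>Home</h1><p>Welcome.</p>',
      '#/about':   '<h1>About</h1><p>Welcome.</p>',
      '#/contact': '<h1>Contact</h1><p>Welcome.</p>',
    };
    function render() {
      // Caveat 3: this transition makes no synchronous request, so nothing for it appears in the site map.
      document.getElementById('view').innerHTML = routes[location.hash] || routes['#/home'];
    }
    window.addEventListener('hashchange', render);
    render();

    document.getElementById('about-btn').addEventListener('click', () => { location.hash = '#/about'; });
    document.getElementById('contact-div').addEventListener('click', () => { location.hash = '#/contact'; });

    // Audited: asynchronous request issued as a direct result of a crawler action (clicking the anchor).
    document.getElementById('home-link').addEventListener('click', () => {
      fetch('/api/profile?user=1').catch(() => {}); // placeholder endpoint
    });

    // Caveat 4: request issued passively by a timer rather than by a crawler action; not audited.
    setInterval(() => {
      fetch('/api/notifications?since=0').catch(() => {}); // placeholder endpoint
    }, 5000);
  </script>
</body>
</html>
```

Serve the file from any local web server, run a headed crawl against it, and check which of the three navigation elements the browser actually clicks and which of the two `/api/` requests reaches the audit.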
