According to the most recent StackOverflow Developer Survey, JavaScript is the most popular programming language amongst professional developers (69,7%). Most modern apps use this frontend technology to dynamically load content from the backend based on user behaviour or other events.

This blog article will explain the differences between JavaScript (Single Page) and traditional (Multi-Page) web applications. Afterwards, we will explain the specific difficulties of Single Page Applications (SPAs) from a security perspective. Finally, we will address the challenges of automating security tests for SPAs.

yH5BAEAAAAALAAAAAABAAEAAAIBRAA7 JavaScript Apps: Automated Security Testing Challenges

javascript application scanning

Differences between Single Page and Multi-Page applications

The core difference between Single Page (SPAs) and Multi-Page applications (MPAs) is the behaviour of the app after a user interaction (i.e. clicking or scrolling). SPAs can only reload specific parts of the app. MPAs always transmit a completely new page.

The more technical explanation is:

  • MPAs: When Multi-Page Applications react to user input or must show new content, they request a replacement HTML page from the server. After receiving the information, the browser renders the new page, showing the user’s reloaded page.
  • SPAs: AJAX (Asynchronous JavaScript and XML) permits JavaScript web applications to refresh a section of a page solely. When you interact with Single Page Applications, your browser posts ajax requests to the server; rather than rendering a replacement page, the server will send you a part of the information. The SPA can then use that information to render specific elements of the page directly in your browser.

There are numerous articles about the Pros and Cons of SPAs vs MPAs. Here are some links to articles we liked: Andrej Gajdos Blog (good explanation of core concepts and pro/cons with screenshots), MindK Blog, Neoteric Post on Medium, Jaxenter Blog)

Interesting facts:

  • It is commonly said that MPAs make up the largest share of web applications, but I could not find a trustworthy source for this information. If you have one, please comment below.
  • Most modern web pages are developed as SPAs (i.e. Google, Facebook, Amazon, etc. – see Andrej Gajdos Blog for more examples and gifs)
  • The most common frameworks for SPAs are Angular.js, react.js, and with some distance Vue.js and Ember.js (according to Google searches – Source)

Scan for free now

Specific security challenges for JavaScript applications

JavaScript applications have some specific features that require specific security attention.

One attack vector commonly mentioned are Cross-Site-Scripting (XSS) attacks. There are multiple forms of XSS attacks, but they all exploit the possibility to inject malicious scripts in client/server communications in various ways (stored, reflected, or DOM-based). For a complete overview of XSS attacks, see our blog post.

Due to the separation of displaying content (frontend) and evaluating content (backend), SPAs can be more susceptible to XSS attacks. However, if you follow standard best practices guidelines (i.e. sanitizing user input and configuring security headers), these can be prevented.

The bigger challenge, however, is the testing for security challenges in SPA applications.

Challenges of automating security tests for SPAs

Traditional security audits of web applications followed the HTML framework and commands to crawl the web application and identify potential attack vectors. All the crawler needed to do for each HTML page was to scan the first page, test the attack vectors, click on each link to get the next page, repeat until all pages are scanned.

For JavaScript applications, this is not possible. In SPAs, content can be generated dynamically when the user reaches the end of a page or certain features appear in pop-up or modal dialogues, only visible after a click.

This presents challenges for the automatic testing of dynamic web applications. Attack vectors can now be found in the frontend, backend, and communication of the two. These days, most security products require the user to manually create click sequences and specify specific value entries to discover attack vectors. This takes a lot of time and requires frequent changes to the security tool setup (i.e. when the software changes).

The setup of one specific attack vector could easily take 5 to 15 minutes. Imagine implementing this for 20 attack vectors – and the next deployment, the app logic changes. Another 2 hours to be invested.

This work is especially challenging when working in an agile development cycle with automated CI/CD processes.

Let us know in the comments if you have these challenges – or others – for testing your JavaScript applications.

If you want to learn more about other DevSecOps topics, integrations, or continuous security in general, visit our other content.