Differences between Single Page and Multi-Page applications
The core difference between Single Page (SPAs) and Multi-Page applications (MPAs) is the behaviour of the app after a user interaction (i.e. clicking or scrolling). SPAs can only reload specific parts of the app. MPAs always transmit a completely new page.
The more technical explanation is:
- MPAs: When Multi-Page Applications react to user input or must show new content, they request a replacement HTML page from the server. After receiving the information, the browser renders the new page, showing the user’s reloaded page.
There are numerous articles about the Pros and Cons of SPAs vs MPAs. Here are some links to articles we liked: Andrej Gajdos Blog (good explanation of core concepts and pro/cons with screenshots), MindK Blog, Neoteric Post on Medium, Jaxenter Blog)
- It is commonly said that MPAs make up the largest share of web applications, but I could not find a trustworthy source for this information. If you have one, please comment below.
- Most modern web pages are developed as SPAs (i.e. Google, Facebook, Amazon, etc. – see Andrej Gajdos Blog for more examples and gifs)
- The most common frameworks for SPAs are Angular.js, react.js, and with some distance Vue.js and Ember.js (according to Google searches – Source)
One attack vector commonly mentioned are Cross-Site-Scripting (XSS) attacks. There are multiple forms of XSS attacks, but they all exploit the possibility to inject malicious scripts in client/server communications in various ways (stored, reflected, or DOM-based). For a complete overview of XSS attacks, see our blog post.
Due to the separation of displaying content (frontend) and evaluating content (backend), SPAs can be more susceptible to XSS attacks. However, if you follow standard best practices guidelines (i.e. sanitizing user input and configuring security headers), these can be prevented.
The bigger challenge, however, is the testing for security challenges in SPA applications.
Challenges of automating security tests for SPAs
Traditional security audits of web applications followed the HTML framework and commands to crawl the web application and identify potential attack vectors. All the crawler needed to do for each HTML page was to scan the first page, test the attack vectors, click on each link to get the next page, repeat until all pages are scanned.
This presents challenges for the automatic testing of dynamic web applications. Attack vectors can now be found in the frontend, backend, and communication of the two. These days, most security products require the user to manually create click sequences and specify specific value entries to discover attack vectors. This takes a lot of time and requires frequent changes to the security tool setup (i.e. when the software changes).
The setup of one specific attack vector could easily take 5 to 15 minutes. Imagine implementing this for 20 attack vectors – and the next deployment, the app logic changes. Another 2 hours to be invested.
This work is especially challenging when working in an agile development cycle with automated CI/CD processes.
If you want to learn more about other DevSecOps topics, integrations, or continuous security in general, visit our other content.