In today’s Whiteboard Wednesday, Dan Kuykendall, Sr. Director of Application Security at Rapid7, will talk about securing Single Page Applications (SPA) that are built on ReactJS frameworks.
As web applications become more complex, web application security scanners need to evolve to be able to fully scan these web apps to truly measure the security risks. In recent years, we have seen the challenge of keeping up with modern applications grow due to the adoption of applications powered by HTML5 and HTTP.
Single Page Applications, or SPAs, are the latest technology used to power web applications. Since this is a relatively new type of web application, most web application security scanners are unable to properly scan them. As web app security vendors rush to support single page applications, there is a coverage gap that is potentially leaving you vulnerable to an attack. It is absolutely critical that your web application security program is leveraging a web app scanner that is able to fully scan these modern applications.
Watch this week’s Whiteboard Wednesday to learn more.
So it's vital that you test, that you can actually discover what's there. And mostly what you're discovering is a bunch of RESTful APIs. So you need to be able to discover. You need to have a tool that can handle the, you know, AJAX applications and even very specific SPA frameworks like React, which have a virtual DOM; the scanner needs to be able to support even that level of complexity so that it can do discovery. Then once it has discovered, it's gonna find these REST APIs. It needs to be able to test those REST APIs. They may be in JSON or XML formats, it doesn't matter; the scanner needs to be able to understand how to interpret what it's seeing coming from the Angular or the client side and how it's tested in the backend. It's all very vital that you have every component tested. If you don't, you miss out on things. You're gonna potentially not be testing your entire application. Single page applications create many, many problems.
One final one that I wanna mention is interconnected or interdependent applications. Sometimes applications...let's take, like, a Netvibes, where it's a homepage, it's a portal, where it's gonna go get resources from other sites. Mostly it's gonna do RSS feeds, which are pretty straightforward. Those are actually RESTful APIs, but in a standard that is very common and we're all used to dealing with. But sometimes if you set it up right, it can actually monitor your Twitter feed and show you your Twitter feed in the one portal. It's going out...that client is not only talking to its own RESTful APIs, it's talking to third-party interconnected applications. Those third-party API calls are also part of what's going on in this application and you have to be able to understand that and test it. So every piece is important in a single page application. You need to be able to test everything or you're gonna miss out on issues. So ReactJS, single page applications, there's a lot to worry about. Like I said, a single page application creates many, many problems. Thank you.
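Added example (Python), not from the video or from any Rapid7 product: an endpoint inventory that reconciles the API URLs referenced in a React bundle with the REST calls observed while the app ran, marks each call as first-party or third-party and JSON or XML, and reports the bundle endpoints the crawl never exercised, which is the coverage gap the talk warns about. The host app.example.test, the bundle fragment and the captured calls are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

FIRST_PARTY_HOSTS = {"app.example.test"}  # assumption: the SPA's own API host

# Constructed fragment of a React build: the string shapes a crawler meets
# (plain literal, concatenation, template literal, absolute third-party URL).
BUNDLE_JS = r"""
fetch("/api/users/" + id + "/profile")
axios.get(`/api/feeds/${feedId}`)
fetch("https://api.twitter-like.test/1.1/statuses/user_timeline.json")
fetch("/api/widgets", {method: "POST", body: JSON.stringify(w)})
fetch("/api/reports/export")
"""

# Constructed calls observed while driving the SPA: (method, url, request content type).
CAPTURED = [
    ("GET", "https://app.example.test/api/users/42/profile", None),
    ("POST", "https://app.example.test/api/widgets", "application/json"),
    ("PUT", "https://app.example.test/api/feeds/7", "application/xml"),
    ("GET", "https://api.twitter-like.test/1.1/statuses/user_timeline.json", None),
]

_QUOTED_API = re.compile(r"""["`']((?:https?://|/api/)[^"`']*)["`']""")

def bundle_endpoints(js):
    """Static prefixes of API URLs in the bundle; a ${...} tail is cut off, so
    `/api/feeds/${feedId}` becomes "/api/feeds/". Order of appearance is kept."""
    prefixes = (m.group(1).split("${")[0] for m in _QUOTED_API.finditer(js))
    return list(dict.fromkeys(prefixes))

def inventory(captured):
    """One row per observed call: method, host, path template, party, body format."""
    rows = []
    for method, url, ctype in captured:
        u = urlsplit(url)
        template = re.sub(r"/\d+(?=/|$)", "/{id}", u.path)  # numeric ids -> {id}
        party = "first-party" if u.hostname in FIRST_PARTY_HOSTS else "third-party"
        body = next((f for f in ("json", "xml") if ctype and f in ctype), "none")
        rows.append({"method": method, "host": u.hostname, "path": template,
                     "party": party, "body": body})
    return rows

def coverage_gaps(js, captured):
    """Bundle references never observed in the crawl: endpoints a DOM-driven scan leaves untested."""
    urls = [url for _, url, _ in captured]
    paths = [urlsplit(u).path for u in urls]
    return [ref for ref in bundle_endpoints(js)
            if not any(s.startswith(ref) for s in (urls if ref.startswith("http") else paths))]
```

Prefix matching is deliberately loose so that concatenated and templated URLs still line up with the concrete paths seen in traffic; an unmatched reference is a candidate for manual exercising before the scan is trusted.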