科技回声
© 2025 科技回声. All rights reserved.

Ask HN: What is the best DAST/web app scanner for single page web apps?

5 points, by shehackspurple, over 3 years ago
#AskHN What is the best DAST/web app scanner for single page/dynamic/super-modern web apps? Apps totally written in JavaScript. And WHY? Specifically, what about it makes it best? Most of them are "not great"; I want to know which ones are really good. Thanks!

1 comment

bararchy, over 3 years ago
Hey there! For full disclaimer, I'm the dude who wrote the NeuraLegion scanner, so keep that in mind. Having said that, our DAST is one of the most capable working against SPA\Dynamic Apps. There are a few reasons for that:

- We wrote a full webdriver engine. We use this to crawl and interact with the target, allowing us to do anything from capturing all of the JS events and triggering them while also mapping the APIs in use.
- We have a unique tech built around what we call "Interaction Chains". In modern apps, most of what you get in the browser is a full client-side application; most of the actions you make happen only in the browser context without sending requests to the server, which means that to map the application correctly you need to interact with it fully. Think something like clicking on the drop-down menu, choosing an option, filling in the popup form, etc. Our interaction chains map those use cases automatically, allowing us to "touch everything" on the app.
- Parsing of data: crawling is just one step; understanding what you see is the next part before attacking. We have tech built around universal parsing of data, not just seeing "id=1" and saying OK, this is a parameter, but actually parsing multiple levels on the fly of everything from JSON to GraphQL and pure binary files (break PNG and change the data for upload attacks).
- Other than those, we have a very neat way of digesting HAR\OpenAPI\Swagger\Postman files to allow you to test API endpoints directly without the need for crawling.

Those are just the tech highlights and I'm trying to avoid sales talk, so you can just try it out, it's free :)
Comment #29999100 not loaded
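The comment above describes two things a DAST does before it sends a single test request: it digests a HAR capture so endpoints can be tested without crawling, and it parses parameters at every level rather than stopping at `id=1`. The following is an added example, written for this thread and not taken from the post, from NeuraLegion, or from any scanner: it turns a HAR 1.2 file into a deduplicated list of API targets, listing each endpoint's query parameters, nested JSON or form body fields, and whether the recorded traffic carried credentials, which is exactly the inventory a defender needs to decide what the scanner should be allowed to touch. The HAR content, hostnames and paths are constructed for the example; only the standard HAR field names (`log.entries[].request.postData`, `response.content.mimeType`) are assumed.

```javascript
// Added example: build an API test inventory from a HAR capture.
// Not code from the thread or from any vendor. Assumes the HAR 1.2 layout.

// Constructed sample HAR: four requests an SPA made (hostnames/paths are made up).
const SAMPLE_HAR = JSON.stringify({
  log: { version: "1.2", entries: [
    { request: { method: "GET", url: "https://app.example.test/api/items?page=2&sort=desc",
        headers: [{ name: "Authorization", value: "Bearer <placeholder>" }] },
      response: { status: 200, content: { mimeType: "application/json" } } },
    { request: { method: "POST", url: "https://app.example.test/api/items",
        headers: [{ name: "Content-Type", value: "application/json" }],
        postData: { mimeType: "application/json",
          text: '{"name":"widget","tags":["a","b"],"owner":{"id":7,"roles":["admin"]}}' } },
      response: { status: 201, content: { mimeType: "application/json" } } },
    // Static asset: a scanner should not spend attack budget on it.
    { request: { method: "GET", url: "https://app.example.test/static/app.js", headers: [] },
      response: { status: 200, content: { mimeType: "application/javascript" } } },
    { request: { method: "POST", url: "https://app.example.test/api/login", headers: [],
        postData: { mimeType: "application/x-www-form-urlencoded", text: "user=alice&pass=secret" } },
      response: { status: 200, content: { mimeType: "application/json" } } },
    // Same endpoint as the first entry with other values: must merge, not duplicate.
    { request: { method: "GET", url: "https://app.example.test/api/items?page=3&sort=asc", headers: [] },
      response: { status: 200, content: { mimeType: "application/json" } } },
  ] },
});

// Response types that are not API surface worth fuzzing.
const STATIC_MIME = /^(image\/|font\/|text\/css|application\/javascript|text\/javascript)/;

// Flatten a parsed JSON body into parameter paths. Array indices collapse to "[]"
// so that ["a","b"] yields one path, not one per element.
function flattenJson(value, prefix = "") {
  if (Array.isArray(value)) {
    if (value.length === 0) return [prefix + "[]"];
    const paths = new Set();
    for (const item of value) for (const p of flattenJson(item, prefix + "[]")) paths.add(p);
    return [...paths];
  }
  if (value !== null && typeof value === "object") {
    const out = [];
    for (const [k, v] of Object.entries(value)) out.push(...flattenJson(v, prefix ? prefix + "." + k : k));
    return out;
  }
  return [prefix]; // scalar or null: the path itself is the parameter
}

// Parameter names from a HAR postData block (JSON or form-encoded; others ignored).
function bodyParams(postData) {
  if (!postData || !postData.text) return [];
  const mime = (postData.mimeType || "").toLowerCase();
  if (mime.includes("json")) {
    try { return flattenJson(JSON.parse(postData.text)); } catch (e) { return []; }
  }
  if (mime.includes("x-www-form-urlencoded")) return [...new URLSearchParams(postData.text).keys()];
  return [];
}

// One target per (method, path), with query/body parameters merged across entries.
function extractTargets(harText) {
  const har = JSON.parse(harText);
  const targets = new Map();
  for (const entry of har.log.entries) {
    const mime = (entry.response && entry.response.content && entry.response.content.mimeType) || "";
    if (STATIC_MIME.test(mime)) continue;
    const req = entry.request;
    const url = new URL(req.url);
    const method = req.method.toUpperCase();
    const key = `${method} ${url.pathname}`;
    let t = targets.get(key);
    if (!t) {
      t = { method, path: url.pathname, query: new Set(), body: new Set(), auth: false };
      targets.set(key, t);
    }
    for (const name of url.searchParams.keys()) t.query.add(name);
    for (const p of bodyParams(req.postData)) t.body.add(p);
    const hdrs = req.headers || [];
    if (hdrs.some((h) => ["authorization", "cookie"].includes(h.name.toLowerCase()))) t.auth = true;
  }
  return [...targets.values()].map((t) => ({
    method: t.method, path: t.path, query: [...t.query].sort(), body: [...t.body].sort(), auth: t.auth,
  }));
}

console.log(JSON.stringify(extractTargets(SAMPLE_HAR), null, 2));
```

The `auth` flag is the piece to read first: any target that was only ever seen with an `Authorization` or `Cookie` header is one where a scanner's test session must carry the same credentials, and one whose unauthenticated response is worth checking by hand. Real HAR files also carry GraphQL bodies as JSON, so the `query`/`variables` fields are flattened the same way; the form-encoded branch is there because login pages often predate the SPA.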