Some very interesting technology was presented a few days ago in the following articles:
- Following the data: Taint-tracing in the JS environment
- Following the execution: Taint-tracing in the JS environment
- Client-side crawl: A DOM state exploration
With that in mind, I'd like to clarify how Codename SCNR uses it during scanning.
Through continuous monitoring of each page's JS environment, Codename SCNR can handle Single-Page Applications with ease, something notoriously difficult for most DAST solutions, since they're only, well... DAST.
Let me clarify: Codename SCNR is marketed as a DAST product, but that only applies to the server-side, and only for the moment (that's a matter for another post; IAST is coming for the server-side as well).
On the client-side, SCNR's browsers' JS environment is monitored (along with functions of popular libraries like jQuery), in order to:
- Trace data and execution flows, so that vulnerabilities are identified more accurately.
- Provide a plethora of context for identified client-side issues.
- Make available valuable information that helps with the scheduling of internal operations, resulting in quite high performance.
So in essence, SCNR takes a Hybrid approach to the client-side part of things, with both IAST and DAST constantly running, and with one helping optimize the other.
Hence, every application that relies on JS can greatly benefit from SCNR, as it operates on a different level than most scanners, with the application no longer being a black-box to it.
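To make the monitoring described above concrete, here is an added example (not Codename SCNR's code, and not taken from the linked articles) of wrapping functions so that a marker value's data flow and the call stack behind each call are recorded. The `TAINT` marker, `traceFunction`, and the stand-in page objects are assumptions made for illustration; it runs under Node.js without a DOM.

```javascript
// Added illustration, not Codename SCNR code; all names are hypothetical.
const TAINT = 'taint_7f3a9c'; // constructed marker, submitted as input

// True if the marker appears in a string or nested inside an object/array.
function containsTaint(value, depth = 0) {
  if (typeof value === 'string') return value.includes(TAINT);
  if (value && typeof value === 'object' && depth < 4) {
    return Object.values(value).some((v) => containsTaint(v, depth + 1));
  }
  return false;
}

// Wrap obj[name]: log tainted calls (data flow) plus the call stack (execution flow).
function traceFunction(obj, name, label, log) {
  const original = obj[name];
  obj[name] = function (...args) {
    const argIndex = args.findIndex((a) => containsTaint(a));
    if (argIndex !== -1) {
      // Drop the "Error" header line and this wrapper's own frame.
      const stack = new Error().stack.split('\n').slice(2).map((f) => f.trim());
      log.push({ fn: label, argIndex, stack });
    }
    return original.apply(this, args);
  };
}

// Constructed stand-ins for a page environment (no real DOM or jQuery).
const makePage = () => ({
  location: { hash: '#name=' + TAINT },
  jq: { html(markup) { this.last = markup; return this; } },
  render(template, data) { return template.replace('{name}', data.name); },
});

// Constructed application code: reads the URL fragment, renders it unescaped.
function greet(page) {
  showBanner(page, decodeURIComponent(page.location.hash.split('=')[1]));
}
function showBanner(page, name) {
  page.jq.html(page.render('<b>Hello {name}</b>', { name }));
}

// Instrument a fresh page, run the application code, return what was seen.
function runTrace() {
  const page = makePage();
  const log = [];
  traceFunction(page, 'render', 'render', log);
  traceFunction(page.jq, 'html', 'jQuery.html', log);
  greet(page);
  return log;
}
```

Each entry returned by `runTrace()` names the instrumented function the marker reached, which argument carried it, and the frames that called it, which is the kind of context a finding can then be reported with.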
As far as classifications go, Codename SCNR can be best described like this:
| Server-side | DAST (IAST coming soon, will lead to Hybrid) |
The reason I specifically mentioned SPAs is to drive my point home, as they greatly rely on the client-side JS to function, and are a general struggle for scanners; this technology of course operates regardless of the amount of JS code or amount of reliance. :)
In conclusion, Codename SCNR's support for modern web applications is, as a result, near unparalleled.