Single-page applications are notoriously hard to scan correctly due to the complexity of building a full site map. In our latest release, we’ve updated the way we scan your web apps, improving the coverage of the scanner and increasing the likelihood of finding vulnerabilities.
We’ve continued to build new improvements on top of ZAP's native 'AJAX' spider, while also adding a new spider into the mix to help cover any gaps missed by the 'traditional' and 'AJAX' spiders.
To use our updated scanning capability, you'll need to add an authentication or API schema to your target. As always, we recommend running these scans in your staging environment or with a low-permission user so the spidering process does not interfere with your production data.
Read more about single-page applications, how they differ from multi-page applications, and why this matters when scanning them, in our recent blog.
If you’d like to discuss this further with a member of the product team, or give some feedback, you can do so here.