Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Capability to scan React.js

andy | Last updated: Jun 02, 2016 02:36PM UTC

As per the title - is Burp capable or truly scanning React.js built applications? Does anyone have any experience of this?

PortSwigger Agent | Last updated: Jun 02, 2016 02:48PM UTC

Burp's automated spider will struggle to achieve full coverage of JS-heavy / single-page applications, regardless of the client-side framework they are using. In this situation, it is preferable to manually walk through all of the application's functionality using your browser via Burp Proxy. Then, you can send the resulting requests for scanning in the normal way, by selecting them in the Proxy history, and using the context menu. During the scanning phase, coverage is normally considerably better if the initial crawling is done manually in the way described.

Burp User | Last updated: Jun 07, 2016 12:07PM UTC

Thanks for the info but I'm particularly asking about React. Is Burp capable of detecting vulnerabilities within React?

PortSwigger Agent | Last updated: Jun 09, 2016 07:55AM UTC

Burp does check for DOM-based vulnerabilities that may arise within JavaScript libraries themselves, or the usage that other client-side code makes of them.

Burp User | Last updated: Dec 20, 2016 07:01PM UTC

No, I don't think Burp Suite does so. It only looks for sources and sinks and if it finds a combination it will report it. Most of the times its a false positive result like DOM based XSS, URL redirection, etc

Mustaqeem | Last updated: Aug 04, 2022 11:57AM UTC

Hi Team, Kindly confirm on this? Is burpsuite is capable to scan React JS application??

Liam, PortSwigger Agent | Last updated: Aug 04, 2022 04:08PM UTC

We've added these improvements to Burp Scanner over the last year or so: Improved single-page application scanning (SPAs) - Burp Scanner now handles navigational actions that cause DOM updates without a synchronous request to the server. Auditing of async traffic - greatly improved scanning of SPAs via an audit of in-scope API requests issued from client-side JavaScript using XHR or Fetch. - https://portswigger.net/burp/pro/roadmap Are you having issues scanning a ReactJS app?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.