Precursor Security
React · Angular · Vue · Next.js · Nuxt

Your Last Pen Test Missed Your
Client-Side Attack Surface.

Generic penetration testing crawls links and submits forms. It does not execute your JavaScript, test your client-side routing, or inspect your token storage. If your tester did not manually reverse-engineer your JavaScript bundle, they did not test your SPA.

Request a Scoping CallSee What We Test
React, Angular & Vue (framework-specific)
JWT & OAuth 2.0 Attack Chains
Full API Backend Included
CREST Accredited · UK-Based
Scroll
What Automated Scanners Miss

Traditional testing talks to the server.
Your attack surface is in the browser.

DAST tools do not execute JavaScript. They cannot test client-side routing, DOM-based XSS sinks in React components, or state management data leakage because they interact with the server, not the rendered browser application. If your tester did not manually reverse-engineer your JavaScript bundle, they did not test your SPA.

Our web application penetration testing methodology for SPAs covers the full attack surface: client-side business logic, DOM injection points, token storage, routing controls, and the API backend your application trusts exclusively.

SOC 2ISO 27001 A.12PCI DSS Req 6.4CREST Accredited
Duration5-10working days
Investment£3,500+fixed-price, scoped
Frameworks6+React, Angular, Vue, Svelte
API TestingIncludedREST + GraphQL, no upsell
Architecture Scope
Web Application Penetration TestingParent service scope
API Penetration TestingREST + GraphQL, included in scope
SSO Configuration AssessmentOAuth 2.0, SAML, OpenID Connect
Framework-Specific Testing

Every Framework Has Different Attack Surfaces

A tester who does not know the difference between dangerouslySetInnerHTML and DomSanitizer is not testing your SPA. Our consultants are experienced developers who understand the security model of each framework.

Attack SurfaceTemplate injection
ReactdangerouslySetInnerHTML
AngularDomSanitizer bypass
Vuev-html directive
Attack SurfaceState exposure
ReactRedux / Zustand DevTools
AngularNgRx state inspection
VuePinia / Vuex DevTools
Attack SurfaceRouting bypass
ReactReact Router guards
AngularcanActivate guards
VueVue Router guards
Attack SurfaceSSR attack surface
ReactNext.js server actions
AngularAngular Universal
VueNuxt middleware
Attack SurfaceXSS vector
Reacthref javascript: URI
AngularInterpolation context
Vuev-bind:href injection

First SPA penetration test?

A simple SPA with a few pages typically takes 3 to 5 days (from £3,500). Feature-rich applications with multiple user roles and extensive API integrations may require up to 10 days. A scoping call takes 15 minutes and we issue a fixed-price proposal within 24 hours.

Discuss Your Application
Avg response: 15m
Methodology

What We Actually Test

Five assessment domains covering every attack surface unique to single page applications. Each domain is tested manually by CREST-certified practitioners who build with these frameworks.

Client-Side Logic Review

Reverse-engineering bundled JavaScript to identify exposed API keys, hardcoded secrets, client-side authorisation bypasses, and debug endpoints in production builds. In React, this includes dangerouslySetInnerHTML and href injection vectors. Webpack source map exposure assessed separately.

JWT & Token Security

Algorithm confusion attacks, signature bypasses, token expiry validation, refresh token rotation, and secure storage. JWT claims validated against the API's actual enforcement, not just the token's self-declared payload. OAuth 2.0 and SSO flows included.

API Backend Testing

Every REST and GraphQL endpoint tested for BOLA/IDOR, mass assignment, broken function-level authorisation, and injection vulnerabilities. GraphQL: introspection exposure, batching abuse, field-level bypass. A full API penetration testing engagement included in scope.

State Management & Routing

Testing client-side state stores (Redux, Zustand, NgRx, Pinia, Vuex) for sensitive data exposure, route guard bypasses that expose protected views, and deep link handling that circumvents authentication. React Router guards, Angular canActivate guards, and Vue Router guards tested for client-side bypass via direct URL navigation.

DOM & Client-Side Injection

DOM-based XSS (invisible to server-side scanning), prototype pollution in JavaScript dependencies, and postMessage handler abuse enabling cross-origin injection. We trace taint flow from source to sink manually, the only reliable method for identifying DOM-based vulnerabilities in React, Angular, and Vue applications.

Real Finding (Anonymised)

The Finding Your Last Tester Missed

High SeverityReact SPA (React Router v6)

Finding: Client-Side Route Guard Bypass

Protected route guards implemented client-side via conditional rendering. Direct navigation to /admin/users bypassed authentication check. React Router <Route element={<ProtectedRoute />}> component re-renders on manual URL entry, exposing admin panel to unauthenticated users.

Impact: Unauthenticated access to administrative functionality. Full user database export possible via exposed admin API endpoints.

This class of finding is invisible to automated DAST tools because the vulnerability exists entirely in client-side JavaScript routing logic. A generic pen tester who does not understand React Router will not identify it.

Common SPA Vulnerabilities

What We Find Most Often

Six vulnerability classes that are routinely missed by automated DAST tools and generic web application penetration tests because they exist entirely in client-side JavaScript.

Critical

DOM-Based XSS

The vulnerability exists entirely in client-side JavaScript, invisible to server-side scanning. Insecure use of dangerouslySetInnerHTML (React), DomSanitizer bypass (Angular), or v-html (Vue) creates injection points that DAST tools cannot detect.

High

Prototype Pollution

Malicious modification of JavaScript object prototypes through npm utility dependencies. Exploitable to bypass security checks, poison application state, or achieve XSS in frameworks that rely on prototype chain integrity.

High

Client-Side Route Bypass

Protected route guards implemented client-side via conditional rendering. Direct navigation to admin or restricted paths bypasses authentication checks that exist only in the browser, not enforced by the API.

Critical

JWT Misconfigurations

Tokens stored in localStorage accessible via any XSS. Algorithm confusion attacks, missing signature validation, absent token expiry, and refresh token rotation failures. The token your SPA trusts may not be trustworthy.

Medium

Exposed API Keys & Debug Endpoints

API keys, internal endpoints, and debug flags embedded in JavaScript bundles and accessible to any user with browser DevTools. Webpack source maps in production expose your entire application source.

High

postMessage Handler Abuse

Cross-origin injection through insecure postMessage handlers that fail to validate message origin. Enables attackers to inject data or trigger actions in the SPA from a malicious parent or iframe.

Assessment Process

From Scoping Call to Developer Debrief

A structured assessment that covers what generic web app testing misses, from client-side JavaScript to API authorisation.

Phase01
ActivityScoping & Build Analysis
DetailIdentify framework (React, Angular, Vue, Svelte, Next.js, Nuxt), build tooling, API endpoints, and authentication mechanism. You provide test accounts and staging access.
DeliverableScope document + proposal
Phase02
ActivityClient-Side Reverse Engineering
DetailAnalyse source maps, deobfuscate bundled JavaScript, map client-side routes, state management, and API call patterns. Attack surface map documented before active exploitation begins.
DeliverableAttack surface map
Phase03
ActivityExploitation & Impact Demonstration
DetailActively exploit identified vulnerabilities to demonstrate real-world impact: from token theft and account takeover to data exfiltration via broken API authorisation.
DeliverableProof of concept evidence
Phase04
ActivityReporting & Developer Debrief
DetailCVSS v3.1 scored findings, proof-of-concept evidence, framework-specific remediation guidance for your exact stack. Developer debrief covering secure coding patterns.
DeliverableReport + 30-day free retest
After Testing

Your pen test report should
not gather dust.

We feed your exact SPA vulnerabilities directly into our 24/7 Managed SOC, building custom detection rules for your specific client-side attack surface and actively hunting for exploitation between annual tests.

Explore 24/7 Monitoring

24/7 Threat Hunting

Continuous monitoring tuned to your SPA's specific attack surface.

Custom SOC Rules

Alerts tuned to the exact findings in your SPA pentest report.

API Monitoring

Real-time detection of API abuse patterns identified during testing.

Compliance Evidence

Continuous monitoring evidence for SOC 2, ISO 27001, and PCI DSS.

Free Scoping Call

Discuss Your Application.

Tell us your framework, user roles, and API structure. A 15-minute scoping call with a CREST consultant determines the exact test scope. Fixed-price proposal issued within 24 hours.

Request a Scoping Call
View Pricing Guide
CREST Accredited
From £3,500
30-Day Free Retest

Frequently Asked Questions

Common questions about SPA penetration testing, framework coverage, and what to expect.

SPA penetration testing is a specialist form of web application penetration testing for applications built with React, Angular, Vue.js, and comparable JavaScript frameworks. Where traditional web application testing focuses on server-side responses, SPA testing targets the attack surface that runs in the browser: client-side business logic executed in JavaScript, DOM manipulation and injection points, token storage and authentication handling, client-side routing controls, and the API backend the application communicates with exclusively.

SPAs move business logic, routing, and state management to the client side. This creates vulnerabilities that do not exist in server-rendered applications: DOM-based XSS, client-side route guard bypasses, exposed API keys in JavaScript bundles, JWT token manipulation, and state management data leaks. Standard web app scanners and DAST tools do not execute JavaScript. They interact with the server, not the rendered browser application, so many of these issues are missed entirely.

We test applications built with React (Next.js, Gatsby), Angular, Vue.js (Nuxt), Svelte (SvelteKit), and other modern JavaScript frameworks. Our consultants are experienced developers who understand the security implications of each framework's architecture, including framework-specific attack surfaces such as React's dangerouslySetInnerHTML, Angular's DomSanitizer, and Vue's v-html directive.

Yes. Every SPA penetration test includes comprehensive API penetration testing. Since SPAs rely entirely on API calls for data, testing the backend APIs for BOLA/IDOR, broken function-level authorisation, mass assignment, and injection vulnerabilities is essential to a complete assessment. GraphQL APIs are assessed for introspection exposure, batching abuse, and field-level authorisation bypass.

Yes. We test OAuth 2.0 flows, OpenID Connect, SAML SSO integrations, and social login implementations. This includes testing for authorisation code interception, token leakage, scope escalation, and redirect URI manipulation. Our SSO configuration assessment covers the full implementation from client to identity provider.

Typically 5 to 10 days depending on the application complexity. A simple SPA with a few pages may take 3 to 5 days. Feature-rich applications with multiple user roles, complex state management, and extensive API integrations may require 10 days. Engagements are typically priced from £3,500, scoped to your application after an initial discovery call.

The most frequently identified issues in SPA assessments include: DOM-based XSS through insecure use of React's dangerouslySetInnerHTML or Vue's v-html directive; prototype pollution in npm utility dependencies; client-side routing bypasses exposing protected views to unauthenticated users; JWT tokens stored in localStorage and accessible via any XSS; exposed API keys or debug endpoints embedded in JavaScript bundles; BOLA/IDOR across REST and GraphQL API endpoints; and postMessage handler vulnerabilities enabling cross-origin injection. These findings are routinely missed by automated DAST tools because they exist entirely in client-side JavaScript and require manual testing to identify.

Standard web application penetration testing is designed for server-rendered applications. It tests HTTP responses, server-side input validation, and database interactions. SPAs move business logic, routing, and authentication entirely to the browser, creating an attack surface that server-focused testing cannot reach. Our SPA assessments add: manual reverse-engineering of bundled JavaScript to identify hidden API endpoints and client-side authorisation logic; testing of client-side routing controls that automated crawlers cannot map; JWT and OAuth 2.0 token security testing from the client perspective; and state management inspection for sensitive data exposure. Full API backend testing is included as standard, since the API is the only server-side boundary a SPA exposes.