Application Routing Patterns
The routing architecture of a web application significantly impacts scanner behavior, content discovery, and navigation patterns. Understanding application routing patterns enables appropriate scan parameter optimization and prevents common crawling inefficiencies.
Routing Pattern Categories
Path-Based Routing
Applications utilizing distinct URLs for each page are classified as path-based routing. This pattern is characteristic of traditional multi-page applications.
URL Structure:
https://example.com/login
https://example.com/dashboard
https://example.com/users/profile
https://example.com/settings/account
Parameterized Path Detection:
The scanner automatically detects parameterized paths to prevent exhaustive crawling. URLs following a pattern are recognized and limited:
https://example.com/users/5c773acd-fda4-481c-b82c-a608f8848161/profile
https://example.com/users/2fe704f9-c6ea-4675-a62c-286885be5bb0/profile
https://example.com/users/927eb8e1-473b-4918-baaa-8f7b02562d77/profile
These are detected as the same pattern /users/{id}/profile and crawling is automatically constrained.
Optimization Considerations:
- Sitemap prefetching can be leveraged to accelerate discovery
- Moderate parallelism is well-supported due to distinct page contexts
- Each URL represents an independent page state
Fragment-Based Routing
Single-page applications employing URL fragments for navigation are classified as fragment-based routing. This pattern utilizes the URL hash for client-side routing.
URL Structure:
https://example.com/#/login
https://example.com/#/dashboard
https://example.com/#/users/profile
https://example.com/#/settings/account
Optimization Considerations:
The max_unique_fragments_per_page parameter should be configured to limit repetitive crawling of the same base URL with varying fragments.
Query Parameter-Based Routing
Applications that determine content through query parameters are classified as query parameter-based routing.
URL Structure:
https://example.com/?page=login
https://example.com/?section=dashboard&tab=overview
https://example.com/?view=users&action=profile&id=123
Optimization Considerations:
The max_unique_values_per_query_param parameter should be configured to prevent endless parameter exploration. Each query parameter is tracked independently to limit the number of unique values tested per parameter.
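The pattern collapsing and per-dimension caps described above for path-based, fragment-based and query parameter-based routing, sketched as an added Python example; this is not the scanner's own code. The identifier heuristic (all digits or a UUID), `path_template`, `CrawlFrontier` and `max_per_template` are assumptions made for illustration; only `max_unique_fragments_per_page` and `max_unique_values_per_query_param` are names taken from this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: a path segment is an identifier if it is all digits or a UUID.
_ID_SEGMENT = re.compile(
    r"^(?:\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)


def path_template(url):
    """Collapse identifier-like segments: /users/<uuid>/profile -> /users/{id}/profile."""
    segments = urlsplit(url).path.split("/")
    return "/".join("{id}" if _ID_SEGMENT.match(s) else s for s in segments) or "/"


class CrawlFrontier:
    """Hypothetical frontier filter: admits a URL only while every cap has room."""

    def __init__(self, max_per_template=2, max_unique_fragments_per_page=3,
                 max_unique_values_per_query_param=3):
        self.max_per_template = max_per_template  # hypothetical name, not a scanner option
        self.max_fragments = max_unique_fragments_per_page
        self.max_values = max_unique_values_per_query_param
        self.seen = set()
        self.buckets = defaultdict(set)  # (kind, host, ...) -> distinct values admitted

    def should_crawl(self, url):
        u = urlsplit(url)
        # Each check is (bucket key, candidate value, cap for that bucket).
        checks = [(("path", u.netloc, path_template(url)), u.path, self.max_per_template)]
        if u.fragment:
            checks.append((("frag", u.netloc, u.path), u.fragment, self.max_fragments))
        # dict() keeps one value per parameter name; each name gets its own bucket.
        for name, value in dict(parse_qsl(u.query, keep_blank_values=True)).items():
            checks.append((("query", u.netloc, u.path, name), value, self.max_values))
        if url in self.seen:
            return False
        for key, value, cap in checks:
            bucket = self.buckets[key]
            if value not in bucket and len(bucket) >= cap:
                return False  # a new value for a bucket that is already full
        self.seen.add(url)
        for key, value, _ in checks:
            self.buckets[key].add(value)
        return True
```

A URL whose values were all admitted earlier still passes when it combines them in a new way, which is why `?page=login&tab=overview` is crawled even after the `page` bucket is full.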
Single-URL Applications
Applications that dynamically load all content without URL changes are classified as single-URL applications. All navigation occurs within a single URL context through DOM manipulation.
URL Structure:
All navigation and content changes occur within this single URL without modifications to the browser location.
Optimization Considerations:
The single_page_worker: true parameter should be enabled to prevent unnecessary navigation attempts. This configuration focuses scanning on element interaction within the page rather than URL-based navigation.
Iframe Support
Iframe content is automatically scanned when the iframe source URL originates from the same application domain (same-origin policy). No additional scan profile configuration is required for same-origin iframe content.
Cross-origin iframe content requires a separate scan profile to be created for the external domain to enable security testing of the embedded content.