Single-Page-Applications (SPA)

Modern SPAs move a large part of the application logic into the browser. That gives an excellent user experience, but it also greatly enlarges the client-side attack surface: routing, validation, and often authorization decisions now run on a machine the attacker controls.

The Challenge

Because the entire frontend code runs in the user's browser, an attacker can read, debug, and modify the application logic at will (the minified bundle is still readable, and a proxy or the browser's developer tools can change any request). Every decision the frontend makes (input validation, authorization, pricing, workflow state) must therefore be repeated and enforced by the backend; the client-side version exists only for user experience.

Your Strategy

  • SCA & SRI: Scan your dependencies with Software Composition Analysis (SCA) and pin third-party scripts with Subresource Integrity (SRI) so that a compromised or misconfigured CDN cannot deliver a manipulated bundle to your users.
  • Session Security: Use current authentication flows, preferably the Backend-for-Frontend (BFF) pattern, so that tokens stay on the server and the browser only holds an opaque session cookie with the Secure, HttpOnly and SameSite attributes, rather than tokens in localStorage.
  • Scanning: Integrate DAST scans into your CI/CD pipeline to find vulnerabilities early, before a release reaches production.

STRIDE-LM Design Risks

  • Spoofing (S-01), Identity Spoofing: an attacker impersonates a legitimate user or partner.
  • Tampering (T-SPA-01), Client-Side Logic Manipulation: exploitation of business logic that was wrongly implemented in the browser instead of the backend.
  • Repudiation (R-01), Audit Log Manipulation: deleting or altering the traces of an action.
  • Information Disclosure (I-WEB-01), Sensitive PII Exposure: disclosure of personally identifiable information (GDPR risk).
  • Denial of Service (D-WEB-01), Application Layer DoS: resource exhaustion through expensive web requests.
  • Elevation of Privilege (E-01), Privilege Escalation: gaining privileges beyond those intended.
  • Lateral Movement (L-01): accessing further internal systems after an initial login.
  • Monitoring Gaps (M-01), Insufficient Logging: missing or inadequate recording of security-relevant events.
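The backend re-validation demanded under "The Challenge" and by the T-SPA-01 risk, as an added example (not code from the AYSOLI page): a checkout endpoint whose totals were computed in the browser. The catalogue, the discount rule and the request shape (`items`, `discountCode`, `total`) are constructed assumptions; the point is that the server recomputes everything from its own data and treats a mismatch as a tampering signal rather than trusting the client's arithmetic.

```javascript
// Added example (not from the AYSOLI page): server-side re-validation of a
// client-computed checkout. Catalogue, discount rule and request shape are
// constructed for the example.

// Authoritative prices in cents. In a real system this comes from the database.
const CATALOGUE = new Map([
  ['SKU-1001', { price: 4999, maxQty: 10 }],
  ['SKU-2002', { price: 1500, maxQty: 50 }],
]);

// Discount rules live only on the server; the SPA may display them but never
// decides whether they apply.
const DISCOUNTS = new Map([
  ['WELCOME10', { percent: 10, minSubtotal: 5000 }],
]);

// Recompute the order from authoritative data and compare with what the client
// claims. Returns {ok, total, reasons}; `reasons` is meant to be logged, since
// a mismatch on price or total usually means the request was tampered with.
function validateCheckout(req) {
  const reasons = [];
  if (!req || !Array.isArray(req.items) || req.items.length === 0) {
    return { ok: false, total: 0, reasons: ['empty or malformed cart'] };
  }
  let subtotal = 0;
  for (const item of req.items) {
    const entry = CATALOGUE.get(item.sku);
    if (!entry) { reasons.push(`unknown sku ${item.sku}`); continue; }
    const qty = Number.isInteger(item.qty) ? item.qty : NaN;
    if (!(qty >= 1 && qty <= entry.maxQty)) { // rejects 0, negatives, floats, NaN
      reasons.push(`invalid qty for ${item.sku}`);
      continue;
    }
    // The client-supplied unitPrice is never used for arithmetic; a mismatch is
    // only recorded so the attempt shows up in the logs.
    if (item.unitPrice !== undefined && item.unitPrice !== entry.price) {
      reasons.push(`client price mismatch for ${item.sku}`);
    }
    subtotal += entry.price * qty;
  }
  let total = subtotal;
  if (req.discountCode !== undefined) {
    const rule = DISCOUNTS.get(req.discountCode);
    if (!rule) reasons.push('unknown discount code');
    else if (subtotal < rule.minSubtotal) reasons.push('discount threshold not met');
    else total = subtotal - Math.floor((subtotal * rule.percent) / 100);
  }
  if (req.total !== total) reasons.push(`client total ${req.total} != server total ${total}`);
  return { ok: reasons.length === 0, total, reasons };
}

// Constructed sample requests: one honest, one with a rewritten unit price.
const honest = { items: [{ sku: 'SKU-1001', qty: 2, unitPrice: 4999 }], discountCode: 'WELCOME10', total: 8999 };
const tampered = { items: [{ sku: 'SKU-1001', qty: 2, unitPrice: 1 }], total: 2 };
console.log(validateCheckout(honest), validateCheckout(tampered));
```

The same pattern applies to every client-side decision: feature flags, role checks that hide buttons, multi-step wizard state. The browser's copy is a convenience; the backend's copy is the control.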

MITRE ATT&CK® Techniques

Reconnaissance

T1595 Active Scanning
Active scanning of the web infrastructure for vulnerabilities.
Mitigated by:
  • Rate Limiting & Throttling (Baseline Protection, Low; CIS 12.1, OWASP API4)
Initial Access

T1566 Phishing
Delivery of malicious content via electronic communication.
Mitigated by:
  • Content Security Policy (CSP) (Baseline Protection, Medium; CIS 16.11, OWASP A03:2021)
  • Security Headers (X-Frame-Options / X-Content-Type-Options) (Baseline Protection, Low; CIS 16.11, OWASP A05:2021)
  • Output Content Filtering (Baseline Protection, Low; NIST AI-1.2, OWASP LLM02)
T1190 Exploit Public-Facing Application
Exploitation of vulnerabilities in internet-facing services.
Mitigated by:
  • Software Composition Analysis (SCA) (Extended Protection, Medium; CIS 16.7, OWASP A06:2021)
  • Strict Transport Security (TLS 1.3) (Baseline Protection, Low; CIS 6.3, OWASP A02:2021)
  • Dynamic Application Security Testing (DAST) (Extended Protection, Medium; CIS 18.1, OWASP ASVS)
Execution

T1059.007 JavaScript Injection (ATT&CK name: Command and Scripting Interpreter: JavaScript)
Execution of attacker-controlled JavaScript in the victim's browser, typically through cross-site scripting or a compromised third-party script.
Mitigated by:
  • Content Security Policy (CSP) (Baseline Protection, Medium; CIS 16.11, OWASP A03:2021)
  • Subresource Integrity (SRI) (Baseline Protection, Low; CIS 16.11, OWASP A06:2021)
  • Dynamic Application Security Testing (DAST) (Extended Protection, Medium; CIS 18.1, OWASP ASVS)
  • Security Headers (X-Frame-Options / X-Content-Type-Options) (Baseline Protection, Low; CIS 16.11, OWASP A05:2021)
  • CORS Configuration (Baseline Protection, Low; CIS 16.11, OWASP A01:2021)
  • Output Content Filtering (Baseline Protection, Low; NIST AI-1.2, OWASP LLM02)
Credential Access

T1539 Steal Web Session Cookie
Capturing active session tokens to bypass authentication.
Mitigated by:
  • Secure Cookie Attributes (Baseline Protection, Low; NIST PR.DS-1, OWASP A07:2021)
  • JWT Signature Verification (Baseline Protection, Medium; NIST PR.AC-1, OWASP API2)
  • Strict Transport Security (TLS 1.3) (Baseline Protection, Low; CIS 6.3, OWASP A02:2021)
T1555 Credentials from Password Stores
Extracting passwords from web browsers or password managers (the browser case is sub-technique T1555.003).
Mitigated by:
  • Output Content Filtering (Baseline Protection, Low; NIST AI-1.2, OWASP LLM02)
T1557 Adversary-in-the-Middle
Intercepting communication between two parties.
Mitigated by:
  • JWT Signature Verification (Baseline Protection, Medium; NIST PR.AC-1, OWASP API2)
  • Strict Transport Security (TLS 1.3) (Baseline Protection, Low; CIS 6.3, OWASP A02:2021)
T1110 Brute Force
Attempts to gain access to accounts or API keys through systematic trial and error.
Mitigated by:
  • Rate Limiting & Throttling (Baseline Protection, Low; CIS 12.1, OWASP API4)
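The Rate Limiting & Throttling mitigation listed for T1110 (and for T1595 above), as an added example (not code from the AYSOLI page): a token-bucket limiter for a login endpoint that keeps one bucket per source IP and one per target account, so that password spraying from a single address and credential stuffing against one account from many addresses are both throttled. The bucket sizes and the attempt list are assumptions constructed for the example.

```javascript
// Added example (not from the AYSOLI page): token-bucket login throttling keyed
// by IP and by account. Capacities and the replayed attempt list are assumptions.

class TokenBucket {
  constructor(capacity, refillPerSecond) {
    this.capacity = capacity;
    this.refill = refillPerSecond;
    this.buckets = new Map(); // key -> { tokens, updatedAt }
  }

  // Take one token for `key` at time `now` (ms). Returns false when the bucket
  // is empty, i.e. the caller should reject this attempt.
  take(key, now) {
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.capacity, updatedAt: now }; this.buckets.set(key, b); }
    const elapsed = Math.max(0, now - b.updatedAt) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsed * this.refill);
    b.updatedAt = now;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

class LoginLimiter {
  constructor() {
    this.perIp = new TokenBucket(20, 20 / 60);      // 20 attempts, refilling 20 per minute
    this.perAccount = new TokenBucket(5, 5 / 300);  // 5 attempts per 5 minutes per account
  }

  // 'allow', 'ip-throttled' or 'account-throttled'. The caller answers 429 with
  // Retry-After for the throttled cases and logs them: a burst of
  // 'account-throttled' across many IPs is the credential-stuffing signature.
  check(ip, username, now) {
    const account = username.trim().toLowerCase(); // a@x and A@x share one bucket
    if (!this.perIp.take(ip, now)) return 'ip-throttled';
    if (!this.perAccount.take(account, now)) return 'account-throttled';
    return 'allow';
  }

  // Replay a list of {ip, user, t} attempts and count the outcomes; useful for
  // tuning the capacities against real traffic before enforcing them.
  replay(attempts) {
    const counts = { allow: 0, 'ip-throttled': 0, 'account-throttled': 0 };
    for (const a of attempts) counts[this.check(a.ip, a.user, a.t)] += 1;
    return counts;
  }
}

// Constructed sample: eight attempts against one account from eight addresses.
const stuffing = Array.from({ length: 8 }, (_, i) => ({ ip: `198.51.100.${i}`, user: 'alice@example.invalid', t: 0 }));
console.log(new LoginLimiter().replay(stuffing)); // 5 allowed, 3 account-throttled
```

Per-account limits need a constant-time response for unknown accounts too, otherwise the limiter itself becomes a username oracle; and keep the buckets in a shared store when the API runs on more than one instance.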
Command & Control

T1568 Dynamic Resolution
Dynamic generation of C2 destinations (for example domain generation algorithms or fast-flux DNS) so that blocklists do not keep up.
Mitigated by:
  • Content Security Policy (CSP) (Baseline Protection, Medium; CIS 16.11, OWASP A03:2021)
  • Subresource Integrity (SRI) (Baseline Protection, Low; CIS 16.11, OWASP A06:2021)
T1071.001 Application Layer Protocol: Web Protocols
Misuse of legitimate web protocols (HTTP/S) for C2 communication.
Mitigated by:
  • Egress Filtering (SSRF Protection) (Extended Protection, Medium; CIS 12.2, OWASP A10:2021)

Single-Page-Applications (SPA) | IT Security Checklist for SMEs · AYSOLI Security Hub