NextGen Security Scanners

Problem statement

Today’s security scanners were built for yesterday’s web applications, based on server-side rendering concepts. They often fail or at least lack functionality when it comes to modern web applications using rich Javascript clients.


  • What makes scanning Javascript-heavy applications so different?
  • What functionality is missing in today’s scanner tools?
  • How to improve the automation parts of existing tools?
  • How to further assist users during proxied manual pentests?
  • How can vulnerable applications like OWASP Juice Shop be used by scanner vendors as a sample victim?

Participant candidates

  • OWASP ZAP, Arachni and other OSS scanner developers
  • Burp, Acunetix and other commercial scanner developers
  • Javascript frontend developers
  • Web application developers

Potential outcomes

  • OWASP ZAP extensions for Javascript client-side code analysis
  • Improvements of OWASP ZAP Ajax Spider
  • Additional vulnerabilities for OWASP Juice Shop that showcase vulnerabilities found in the wild

Back to list of all Working Sessions and Tracks

Edit this page here