This page documents the network orchestration layer of ABSpider Recon. Because the application is a zero-backend React SPA, it faces significant challenges regarding Cross-Origin Resource Sharing (CORS) and browser-level request limitations. The system solves this through a specialized RequestManager that handles rate limiting and retries, coupled with a multi-stage CORS bypass strategy involving a Vercel Edge Function proxy.
The RequestManager class is the central coordinator for all network activity during a scan. It wraps the fetchWithBypass utility to provide features necessary for stable security reconnaissance.
- minRequestInterval (default 200ms) src/services/requestManager.ts22-23
- RequestMetrics (metricsBufferSize: 50) to calculate average response times and error rates src/services/requestManager.ts24-186
- scanController signal, allowing for an immediate "Stop Scan" that kills all pending network I/O src/services/requestManager.ts27-60

The manager uses a "combined signal" pattern. It merges the global scan-level AbortSignal with a request-specific timeout signal. If either triggers, the request is terminated src/services/requestManager.ts69-140
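The combined-signal pattern and the minimum-interval pacing described above, as an added TypeScript sketch that is not the project's own code. Apart from minRequestInterval and its 200 ms default, every name here (combineSignals, IntervalGate, managedFetch, the 10 s timeout) is hypothetical, and fetcher stands in for fetchWithBypass.

```typescript
// Added sketch, not the project's source. Only minRequestInterval and its
// 200 ms default come from the page; every other name is hypothetical.
type AbortCause = "scan-stopped" | "timeout" | null;

function combineSignals(scanSignal: AbortSignal, timeoutMs: number) {
  const controller = new AbortController();
  let cause: AbortCause = null;
  const abortWith = (c: AbortCause) => {
    if (cause === null) { cause = c; controller.abort(); }
  };
  const onScanAbort = () => abortWith("scan-stopped");
  const timer = setTimeout(() => abortWith("timeout"), timeoutMs);
  // Call dispose() once the request settles so no timer or listener leaks.
  const dispose = () => {
    clearTimeout(timer);
    scanSignal.removeEventListener("abort", onScanAbort);
  };
  controller.signal.addEventListener("abort", dispose, { once: true });
  if (scanSignal.aborted) onScanAbort(); // scan was stopped before this request
  else scanSignal.addEventListener("abort", onScanAbort, { once: true });
  return { signal: controller.signal, dispose, cause: () => cause };
}

class IntervalGate {
  private nextSlot = 0;
  private minRequestInterval: number;
  constructor(minRequestInterval = 200) { this.minRequestInterval = minRequestInterval; }
  // Reserves the next send slot; returns how long the caller must wait (ms).
  reserve(now: number): number {
    const start = Math.max(now, this.nextSlot);
    this.nextSlot = start + this.minRequestInterval;
    return start - now;
  }
}

type Fetcher = (url: string, init: { signal: AbortSignal }) => Promise<unknown>;
// fetcher stands in for the page's fetchWithBypass; the 10 s timeout is assumed.
async function managedFetch(url: string, fetcher: Fetcher, gate: IntervalGate,
                            scanSignal: AbortSignal, timeoutMs = 10_000) {
  const wait = gate.reserve(Date.now());
  if (wait > 0) await new Promise((r) => setTimeout(r, wait));
  const combined = combineSignals(scanSignal, timeoutMs);
  try {
    if (combined.signal.aborted) throw new Error("aborted: " + combined.cause());
    return await fetcher(url, { signal: combined.signal });
  } finally {
    combined.dispose();
  }
}
```

Recording cause() alongside each failure lets error-rate metrics separate a user-initiated stop from a genuine timeout.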
This diagram shows how RequestManager processes a single fetch call through its internal state and rate limiter.
"RequestManager Lifecycle"
Sources: src/services/requestManager.ts33-126 src/services/requestManager.ts142-154
Because the browser's same-origin policy prevents scripts from reading responses from foreign domains (e.g., scanning a target's security.txt or headers) unless the target opts in through CORS, ABSpider Recon employs a two-tier bypass strategy implemented in corsProxy.ts.
The system first attempts a direct fetch from the browser with mode: 'cors' and specialized CLOUDFLARE_BYPASS_HEADERS src/services/corsProxy.ts4-166. This succeeds if the target has permissive CORS headers or is a known public API.
If the direct fetch fails or returns a 403/503 (indicating WAF/Cloudflare protection), the system routes the request through the api/proxy.ts Edge Function src/services/corsProxy.ts176-198
This diagram bridges the natural language concept of "CORS Bypass" to the specific code entities involved.
"CORS Bypass Data Flow"
Sources: src/services/corsProxy.ts134-222 api/proxy.ts6-92
api/proxy.ts
The proxy is implemented as a Vercel Edge Function to minimize latency. It acts as a transparent relay that strips problematic browser headers and injects necessary CORS headers into the response.
| Feature | Implementation Detail |
|---|---|
| Runtime | edge api/proxy.ts3 |
| Header Filtering | Strictly allows accept, user-agent, authorization, content-type, etc. api/proxy.ts47-53 |
| CORS Injection | Sets Access-Control-Allow-Origin: * on all proxied responses api/proxy.ts11-73 |
| Method Support | Forwards GET, POST, and handles OPTIONS preflight api/proxy.ts13-61 |
Sources: api/proxy.ts1-92
The cloudflareBypass.ts service provides specialized detection and evasion techniques specifically for targets behind Cloudflare protection.
- cf-ray headers or specific HTML strings like "DDoS protection by Cloudflare" src/services/cloudflareBypass.ts9-78
- corsProxy instance src/services/cloudflareBypass.ts116-118

Sources: src/services/cloudflareBypass.ts38-90 src/services/cloudflareBypass.ts92-145
The RequestManager tracks the health of the network layer, which is utilized by the UI to inform the user of the connection status.
- !response.ok src/services/requestManager.ts91-183
- adjustMinRequestInterval(newInterval) method allows the scan engine to slow down requests if the error rate climbs src/services/requestManager.ts189-192
- CORSBypassIndicator component displays a badge (Direct Fetch vs CORS Proxy Used) based on the CORSBypassMetadata returned by the proxy service src/components/CORSBypassIndicator.tsx11-41

Sources: src/services/requestManager.ts168-201 src/components/CORSBypassIndicator.tsx1-77