2-3-1-Dynamic-Application-Security-Testing.md

File metadata and controls

33 lines (27 loc) · 2.93 KB

Dynamic Application Security Testing (DAST)

DAST is a “Black-Box” testing technique that finds security vulnerabilities and weaknesses in a running application by sending malicious payloads to it and observing how it responds, revealing flaws that enable attacks such as SQL injection or cross-site scripting (XSS). DAST tools are especially helpful for detecting:

  • Input or output validation issues
  • Authentication issues
  • Server configuration mistakes

DAST tools allow for extensive scans from the client side and server side without needing the source code or knowledge of the framework the application is built on. While configuration requires expertise, scans usually require minimal user interaction once configured and can be run as part of a nightly scan. The most important categories of DAST tools are:

  • Dynamic security scanners
  • Fuzzers
  • Attack proxies
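As an added illustration of the black-box approach described above (not code from the original page), the following Python sketch drives a constructed WSGI application directly instead of over HTTP, probes one parameter with a marker payload, and reports whether the application reflects it without output encoding. The sample application, the function names and the marker format are all constructed for this example.

```python
import html
import secrets
from io import BytesIO
from urllib.parse import parse_qs, quote


def make_search_app(escape_output):
    """Constructed target: a tiny WSGI app that reflects the "q" query parameter.
    With escape_output=False it writes the value into the page raw (vulnerable);
    with escape_output=True it HTML-encodes it first (hardened)."""
    def app(environ, start_response):
        q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
        shown = html.escape(q) if escape_output else q
        body = f"<html><body>Results for: {shown}</body></html>".encode()
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [body]
    return app


def wsgi_get(app, path, query):
    """Issue a GET to a WSGI app in-process, standing in for the HTTP client a real scanner uses.
    The scanner only ever sees the request it sent and the response it got back."""
    status = {}

    def start_response(status_line, headers):
        status["code"] = status_line

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "wsgi.input": BytesIO(b""), "SERVER_NAME": "localhost", "SERVER_PORT": "80"}
    body = b"".join(app(environ, start_response))
    return status["code"], body.decode()


def check_reflected_xss(app, path, param):
    """Black-box probe for missing output encoding: send a unique marker wrapped in HTML
    metacharacters and report a finding only if the markup comes back intact. A response
    that contains the marker but not the angle brackets means the app encoded its output."""
    marker = secrets.token_hex(6)            # unique per probe, so stale page content cannot match
    payload = f"<zz{marker}>"                # harmless tag name, not an executable script
    _, body = wsgi_get(app, path, f"{param}={quote(payload)}")
    if payload in body:
        return {"param": param, "issue": "reflected-xss", "evidence": payload}
    return None                              # encoded or not reflected at all: no finding
```

A real scanner repeats this probe for every parameter it discovered while crawling, which is why the text above stresses that configuration (scope, authentication, crawl depth) is where the expertise is needed.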

Tools

  • Open-source:

    • ZAP (Zed Attack Proxy) - An open-source tool offered by OWASP for performing security testing
    • OWASP Nettacker - Automated information gathering and vulnerability scanner with an API and a Web UI.
  • Commercial:

    • Acunetix - An automatic web security testing scanner that accurately scans and audits all web applications, including HTML5, JavaScript and Single Page applications (SPAs)
    • Netsparker - It can identify vulnerabilities in all types of modern web applications, regardless of the underlying architecture or platform
    • InsightAppSec (AppSpider) - Application security testing for the modern web
    • Veracode Dynamic Analysis - Veracode Dynamic Analysis helps companies scan their web applications for exploitable vulnerabilities at scale
    • Burp Suite - An integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
    • HCL AppScan on Cloud - DAST tool built as a service. It can scan both publicly and privately hosted applications. It can explore and test modern web applications, leverage manually recorded steps and handle complex login scenarios.
    • Nuclei - Fast and customisable vulnerability scanner based on a simple YAML-based DSL.
    • Dastardly - Lightweight web application security scanner designed to run in CI/CD pipelines.

References