Dynamic Application Security Testing (DAST)

DAST is a black-box testing technique that finds security vulnerabilities and weaknesses in a running application by sending malicious payloads to its exposed interfaces and observing how it responds, which surfaces flaws such as SQL injection and cross-site scripting (XSS). DAST tools are especially helpful for detecting:

  • Missing or weak input and output validation
  • Authentication issues
  • Server configuration mistakes

DAST tools scan from the outside, exercising both client-side and server-side behaviour, without needing the source code or knowledge of the framework the application is built on. Configuring a scan (scope, authentication, excluded paths) requires expertise, but once configured a scan needs little user interaction and can run unattended, for example as a nightly job or as a stage in a CI/CD pipeline. Keep in mind that a scanner only tests what it can reach and trigger: pages it never spiders and flows behind authentication it cannot complete are simply not covered. The main categories of DAST tool are:

  • Dynamic security scanners
  • Fuzzers
  • Attack proxies
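To make the payload-injection idea concrete, here is a minimal black-box probe of the kind a DAST scanner performs, together with the pass/fail gate that lets it run unattended in a nightly or CI job. This is an added example and not code from the original page or from any of the tools listed below. The target is a constructed in-process toy app (`toy_app`) so the script runs offline; in a real scan the `fetch` callable would issue HTTP requests to the running application, and the endpoint list would come from spidering rather than from a hard-coded dict.

```python
"""Minimal DAST-style probe: inject payloads, inspect responses, gate the build.
Added example; the target app, endpoints and payloads are constructed for it."""
import html
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

Response = Tuple[int, str]          # (HTTP status, response body)
Fetch = Callable[[str], Response]   # how the scanner reaches the target


def toy_app(url: str) -> Response:
    """Constructed target: two flawed endpoints and one safe one."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/search":
        # Reflects user input without encoding: reflected XSS.
        return 200, f"<h1>Results for {params.get('q', '')}</h1>"
    if parts.path == "/item":
        # Simulates "SELECT ... WHERE id='" + id + "'": a stray quote breaks
        # the statement and the database error leaks into the page.
        item_id = params.get("id", "")
        if "'" in item_id:
            return 500, "SQLSTATE[42000]: Syntax error or access violation"
        return 200, f"<p>item {html.escape(item_id)}</p>"
    if parts.path == "/safe":
        # Output-encodes, so the XSS marker never comes back verbatim.
        return 200, f"<p>{html.escape(params.get('q', ''))}</p>"
    return 404, "not found"


@dataclass
class Finding:
    check: str        # "reflected-xss" or "sqli-error"
    path: str
    parameter: str
    risk: str         # "high" / "medium" / "low"
    evidence: str


# Harmless unique marker: a page that echoes it unencoded would echo <script> too.
XSS_MARKER = '<dastprobe x="\'">'
SQLI_PAYLOADS = ["'", "' OR '1'='1"]
SQL_ERROR_SIGNATURES = [
    re.compile(r"SQLSTATE\[\w+\]"),                       # PDO / MySQL
    re.compile(r"You have an error in your SQL syntax"),  # MySQL
    re.compile(r"unterminated quoted string", re.I),      # PostgreSQL
    re.compile(r"ORA-\d{5}"),                             # Oracle
]


def probe_endpoint(fetch: Fetch, base: str, path: str,
                   params: Dict[str, str]) -> List[Finding]:
    """Inject payloads into each parameter of one endpoint and read the response."""
    findings: List[Finding] = []
    for name in params:
        # Reflected XSS: does the marker come back byte-for-byte?
        mutated = dict(params, **{name: XSS_MARKER})
        _, body = fetch(f"{base}{path}?{urlencode(mutated)}")
        if XSS_MARKER in body:
            findings.append(Finding("reflected-xss", path, name, "high",
                                    "marker reflected without encoding"))
        # Error-based SQL injection: does a quote provoke a database error?
        for payload in SQLI_PAYLOADS:
            mutated[name] = payload
            status, body = fetch(f"{base}{path}?{urlencode(mutated)}")
            hit = next((s.pattern for s in SQL_ERROR_SIGNATURES if s.search(body)), None)
            if hit:
                findings.append(Finding("sqli-error", path, name, "high",
                                        f"status {status}, matched {hit!r}"))
                break
    return findings


def scan(fetch: Fetch, base: str,
         endpoints: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Run every probe against every known endpoint (path -> sample params)."""
    findings: List[Finding] = []
    for path, params in endpoints.items():
        findings.extend(probe_endpoint(fetch, base, path, params))
    return findings


def should_fail_build(findings: List[Finding], fail_on=("high",)) -> bool:
    """CI gate: fail the job when any finding is at or above the threshold."""
    return any(f.risk in fail_on for f in findings)


# Constructed crawl result; a real tool would discover these by spidering.
ENDPOINTS = {"/search": {"q": "test"}, "/item": {"id": "7"}, "/safe": {"q": "test"}}

if __name__ == "__main__":
    results = scan(toy_app, "http://target.invalid", ENDPOINTS)
    for f in results:
        print(f"[{f.risk}] {f.check} at {f.path}?{f.parameter}: {f.evidence}")
    raise SystemExit(1 if should_fail_build(results) else 0)
```

Run as a script it exits non-zero when a high-risk finding exists, which is the hook a pipeline stage needs. The two checks are deliberately the crudest forms (verbatim reflection, error strings in the body); production scanners add DOM rendering for XSS, time-based and boolean blind SQLi, authentication handling and deduplication, but the loop of mutate, send, inspect is the same.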

Tools [1]

Open-source

  • Nuclei - Fast and customisable vulnerability scanner driven by templates written in a simple YAML-based DSL.
  • OWASP Nettacker - Automated information gathering and vulnerability scanner with an API and a web UI.
  • ZAP (Zed Attack Proxy) - Open-source intercepting proxy and web application scanner, originally developed under OWASP, for performing security testing.

Commercial

  • Acunetix - Automated web security scanner that crawls and audits web applications, including HTML5, JavaScript and single-page applications (SPAs).
  • Burp Suite - Integrated platform for security testing of web applications. Its tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting vulnerabilities. A free Community Edition exists, but the automated scanner is part of the paid editions.
  • Dastardly - Lightweight, free-to-use web application security scanner from PortSwigger designed to run in CI/CD pipelines.
  • Escape DAST - Built for finding business logic vulnerabilities at scale and handling complex authentication scenarios in modern applications such as APIs (including GraphQL) and SPAs.
  • HCL AppScan on Cloud - DAST delivered as a service. It can scan both publicly and privately hosted applications, explore and test modern web applications, leverage manually recorded steps and handle complex login scenarios.
  • InsightAppSec (AppSpider) - Rapid7's application security testing for the modern web.
  • Netsparker (now Invicti) - Identifies vulnerabilities in all types of modern web applications, regardless of the underlying architecture or platform.
  • Veracode Dynamic Analysis - Scans web applications for exploitable vulnerabilities at scale.

Links

Footnotes

  1. Listed in alphabetical order.