Product Security Glossary

Dynamic Application Security Testing

What is DAST? 

DAST stands for Dynamic Application Security Testing, and consists of performing vulnerability scans of running web applications.  It’s considered as a Black Box type of scan, because the tester has no access to the application source code. 

How Does DAST Work? 

A security professional uses a DAST tool to run simulated attacks against a web application.  The tool sends connection requests that have an attack payload, and then evaluates the response from the web application.  The DAST tool then determines if there any vulnerabilities present in the web application. 

A DAST scan has two phases.  For the first phase, the security professional points the scanning tool to the home URL of the web application.  The tool then crawls through the entire site, finding as many internal URLs as possible.  Once the list of URLs is complete, the tool starts the second phase, by sending the connection requests and their malicious payloads to each URL on the list. 

What Can DAST Find? 

A DAST scan can find problems that could allow successful SQL Injection attacks, Cross-site Scripting attacks, and several others types as well.  The types of attacks that a DAST scan can find would enable a bad actor to steal or manipulate sensitive data, deface a web site, or plant malware on the site. 

What are the Advantages of DAST? 

There are three main advantages of including a DAST tool in your security toolbox.  First, DAST is somewhat platform-agnostic.  This means that it doesn’t matter what programming language was used to build the web application, or which operating system or web server is used to host the site.  The main requirement is that the DAST tool can log into the site and crawl through to collect the URLs.  Unfortunately, this platform agnosticism isn’t quite as big of an advantage as we would like, because the DAST tool needs to be tuned for specific web applications in order to achieve best results. 

The other advantage is that professional penetration testers can use DAST tools to help automate parts of their otherwise manual penetration process.  By automating parameter fuzzing and inserting lists of malicious payloads, DAST tools can make parts of the penetration testing process somewhat easier. 

The third main advantage is that DAST can find vulnerabilities that might get missed in a static code analysis. 

What are the Disadvantages of DAST? 

Even though DAST sounds pretty good, there are a few downsides.  To begin with, DAST tools don’t find all that many problems.  According to the OWASP Benchmark, a tool that evaluates the effectiveness of various Application Security Testing tools, DAST can find only about 18% of the security vulnerabilities in a complex web application.   
Unclear reporting of vulnerabilities is also a problem.  A DAST scan will show a lot of information about problems that it finds, but it won’t show where the problem is in the application source code.  It’s up to the development teams to figure that out. 

A DAST scan can be very slow, especially with complex web applications.  There’s no support for zero-day vulnerabilities, and it doesn’t work with modern technologies such as APIs, JSON, and SOAP. 

Still, even with the downsides, you might find that a DAST tool could be a useful part of your security toolset.