|
| 1 | +--- |
| 2 | + |
| 3 | +title: DAST |
| 4 | +layout: col-document |
| 5 | +tags: OWASP Developer Guide |
| 6 | +contributors: Jon Gadsden, Johan Sydseter |
| 7 | +document: OWASP Developer Guide |
| 8 | +order: 821 |
| 9 | +permalink: /draft/verification/tools/dast/ |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +{% include breadcrumb.html %} |
| 14 | + |
| 15 | +<style type="text/css"> |
| 16 | +.image-right { |
| 17 | + height: 180px; |
| 18 | + display: block; |
| 19 | + margin-left: auto; |
| 20 | + margin-right: auto; |
| 21 | + float: right; |
| 22 | +} |
| 23 | +</style> |
| 24 | + |
| 25 | +Dynamic application security testing (DAST) represents a non-functional testing process to identify security weaknesses and |
| 26 | +vulnerabilities in applications. The testing process can be carried out manually or be automated. Manual assessment of an |
| 27 | +application involves human intervention to identify security flaws which might slip from an automated tool. Usually |
| 28 | +business logic errors, race condition checks, and certain zero-day vulnerabilities can only be identified using manual |
| 29 | +assessments. |
| 30 | + |
| 31 | +### 6.2.1 DAST tools |
| 32 | + |
| 33 | +DAST tools are programs which communicates with a web application through the web front-end in order to identify potential |
| 34 | +security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. Unlike static |
| 35 | +application security testing tools, DAST tools do not have access to the source code and therefore detect vulnerabilities |
| 36 | +by actually performing attacks. |
| 37 | + |
| 38 | +#### Different DAST tools |
| 39 | + |
| 40 | +The OWASP Community projects contains a [list of DAST tools][dast] can be used to conduct DAST. All of these tools have |
| 41 | +their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the |
| 42 | +[OWASP Benchmark][benchmark] project, which attempts to scientifically measure the effectiveness of all types of |
| 43 | +vulnerability detection tools, including DAST. |
| 44 | + |
| 45 | +#### Why use it? |
| 46 | + |
| 47 | +The big advantage of these types of tools are that they can scan year-round to be constantly searching for vulnerabilities. |
| 48 | +With new vulnerabilities being discovered regularly this allows companies to find and patch vulnerabilities before they |
| 49 | +can become exploited. |
| 50 | + |
| 51 | +#### Cons |
| 52 | + |
| 53 | +Because these tools does dynamic testing, it cannot cover 100% of the source code of the application and then, the |
| 54 | +application itself. The penetration tester should look at the coverage of the web application or of its attack surface to |
| 55 | +know if the tool was configured correctly or was able to understand the web application. |
| 56 | + |
| 57 | +#### References |
| 58 | + |
| 59 | +* [Dynamic application security testing][wikipedia] |
| 60 | +* [Vulnerability Scanning Tools][dast] |
| 61 | + |
| 62 | +---- |
| 63 | + |
| 64 | +The OWASP Developer Guide is a community effort; if there is something that needs changing |
| 65 | +then [submit an issue][issue080201] or [edit on GitHub][edit080201]. |
| 66 | + |
| 67 | +[benchmark]: https://owasp.org/www-project-benchmark/ |
| 68 | +[dast]: https://owasp.org/www-community/Vulnerability_Scanning_Tools |
| 69 | +[edit080201]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/08-verification/02-tools/01-dast.md |
| 70 | +[issue080201]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2008-verification/02-tools/01-dast |
| 71 | +[wikipedia]: https://en.wikipedia.org/wiki/Dynamic_application_security_testing |
| 72 | + |
| 73 | +\newpage |
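Review bot: the heading `### 6.2.1 DAST tools` is numbered inconsistently with where this file sits, since `order: 821`, the permalink `/draft/verification/tools/dast/` and the edit link path `08-verification/02-tools/01-dast.md` all place it under section 8.2.1; suggest `### 8.2.1 DAST tools`. A few grammar fixes in the body are also needed: `DAST tools are programs which communicates` should read `communicate`, with the following `It performs a black-box test.` becoming `They perform black-box tests.`; `contains a [list of DAST tools][dast] can be used` needs `that can be used`; and `The big advantage of these types of tools are` should be `is`. The Cons paragraph contradicts the earlier statement that DAST tools have no access to the source code: measuring their coverage against `100% of the source code of the application` is not meaningful for a black-box tool, so rephrase it to say that DAST cannot be assumed to reach every part of the running application and that the tester should check the crawl and attack-surface coverage to confirm the tool was configured correctly and understood the application. Finally, the `[dast]` link is labelled `list of DAST tools` in the body but `Vulnerability Scanning Tools` in the references; aligning the two (the target page covers vulnerability scanners generally) avoids overstating what the list is.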