Introduction to DAST Scanning

Author(s): Scott Norberg Published on: 2023-03-02

DAST, or Dynamic Application Security Testing, is a form of testing that every software development team should consider using. To save us the trouble of writing the simpler, more straightforward description, here’s a lightly edited version of what ChatGPT says about DAST scanning:

Dynamic Application Security Testing (DAST) is a technique used to identify security vulnerabilities in web applications by simulating an attack on the application. DAST scanning typically involves using a tool to send malicious requests to the target web application and analyzing the response to identify potential security weaknesses.

DAST scans are conducted from the outside of the application, simulating an attacker with no access to the application's source code or architecture. This allows DAST scans to identify vulnerabilities that may be missed by other testing techniques, such as Static Application Security Testing (SAST).

DAST scans can detect a range of vulnerabilities, including Cross-Site Scripting (XSS) and SQL injection. DAST tools can also be used to generate reports and prioritize vulnerabilities based on severity, allowing developers to find and prioritize the most critical issues.

Overall, DAST scanning is an important part of a comprehensive web application security testing strategy, helping to identify vulnerabilities before they can be exploited by attackers.

ChatGPT summed up the basics of DAST scanning and its benefits decently well. The only thing we'd add is that because DAST scanners simulate attacks, they are not going to find items that can only be found by examining source code, such as exposed secrets in your source code or improperly implemented cryptography. So rather than digging further into the benefits of DAST scanning, we'll link to several of the many popular DAST scanners (in alphabetical order) in case you want to learn more from vendors:

  • AppScan - Formerly offered by IBM, a popular choice for large enterprises
  • AppSpider - A complex but highly configurable option
  • Arachni - A good, free scanner that is no longer being supported
  • Burp Enterprise - A newer but decent product offered by Portswigger, an Application Security-focused company we highly respect
  • Detectify - A relatively new product, but it looks like an up-and-comer
  • Invicti - Parent company for both Acunetix and Netsparker
  • Qualys WAS (Web Application Scanner) - Qualys primarily caters to infrastructure/network security folks, but they also have a Web Application Scanner
  • Veracode - Like AppScan, Veracode is a popular choice for large enterprises

In addition to these, both OWASP ZAP and Burp Suite Professional have DAST-like capabilities in addition to their proxy/penetration testing features.

DAST Pitfalls

While DAST scanning can indeed be an important part of a comprehensive web application security testing strategy, DAST scanning has its drawbacks and difficulties, too. Here are the primary ones that we have run across:

Quality Scanning Can Be Difficult

Scanners will often have trouble understanding your website. When this happens, they often return results that make it look like a quality scan was done but nothing was found. This can fool you into thinking that your website is relatively safe when it may not be. Here are some common issues we've encountered:

  • A Single-Page Application (SPA) framework confuses the scanner
  • A website is hidden behind a Web Application Firewall which hides many exploitable vulnerabilities
  • The website has an API, necessary JavaScript, or other content that the scanner doesn't load because it is on a different domain or sub-domain
  • The website uses iframes which the scanner ignores
  • The website has some unusual functionality that the scanner doesn't understand (and therefore ignores)

Configuring DAST scans to work around these issues is possible, but difficult and time-consuming. In our experience, many teams don't perform quality DAST scans because they don't even notice scan issues, much less know how to fix them. We can help, of course, so contact us if you would like help.
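One cheap way to catch the "different domain", "sub-domain" and "iframe" gaps before a scan runs is to audit which origins your pages actually reference and compare them with the scanner's configured scope. The script below is an added example, not code from the original post or from any scanner vendor: it parses a few constructed HTML pages for a hypothetical `app.example.test` site and lists every origin pulled in by scripts, stylesheets, iframes, forms and links that the scan scope would not cover.

```python
"""Pre-scan scope audit: find origins a DAST scanner may silently skip.

Added example, not part of the original post. The pages and host names
below are constructed; adapt IN_SCOPE to the scope you give your scanner.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    """Collects the URL-bearing attribute of tags that load or link content."""

    WATCH = {"script": "src", "iframe": "src", "img": "src",
             "form": "action", "a": "href", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = self.WATCH.get(tag)
        if not attr:
            return
        value = dict(attrs).get(attr)
        if value:
            # Resolve relative and protocol-relative references against the page.
            self.refs.append((tag, urljoin(self.page_url, value)))


def origin(url):
    """scheme://host[:port], lower-cased, which is what scan scopes are keyed on."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def audit_scope(pages, in_scope_origins):
    """pages: {page_url: html}. Returns {out_of_scope_origin: {tags that reference it}}."""
    scope = {o.lower() for o in in_scope_origins}
    gaps = {}
    for page_url, html in pages.items():
        collector = _RefCollector(page_url)
        collector.feed(html)
        for tag, url in collector.refs:
            if urlsplit(url).scheme not in ("http", "https"):
                continue  # mailto:, javascript:, tel: are not scan targets
            o = origin(url)
            if o not in scope:
                gaps.setdefault(o, set()).add(tag)
    return gaps


# Constructed sample: two pages of a hypothetical application.
SAMPLE_PAGES = {
    "https://app.example.test/": """
<html><head>
<script src="https://static.example.test/app.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<iframe src="https://widgets.example.test/chat"></iframe>
<form action="/login" method="post"><input name="u"></form>
<a href="/about">About</a>
<a href="mailto:help@example.test">Mail</a>
</body></html>""",
    "https://app.example.test/about": """
<html><head><link rel="stylesheet" href="//cdn.example.test/site.css"></head>
<body><script src="/js/local.js"></script>
<a href="https://api.example.test/docs">API docs</a></body></html>""",
}
IN_SCOPE = ["https://app.example.test"]  # assumption: the only origin the scanner is told to scan


if __name__ == "__main__":
    for o, tags in sorted(audit_scope(SAMPLE_PAGES, IN_SCOPE).items()):
        print(f"{o:40} referenced by: {', '.join(sorted(tags))}")
```

Every origin the report lists is one the scanner will either ignore or treat as out of scope, which is exactly how a crawl ends up looking complete while missing the API, the chat widget, or the scripts that drive the UI. Feed those origins into the scanner's scope (or consciously exclude them) before trusting a clean result.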

Vulnerabilities Scanned Just Look the Same

Most scanners tell you that they scan for the same types of vulnerabilities. While this is technically true, most scanners are better at finding some classes of vulnerability than others. For instance, despite having very similar sets of vulnerabilities in their library, Qualys WAS, a product sold by a company that focuses on selling products to network and infrastructure security specialists, usually finds a different set of vulnerabilities than Burp Enterprise, a product sold by a company that focuses on selling products to application penetration testers. Therefore, it is important that you do your due diligence on scan quality before purchasing a product.

Are You Really Scanning For That Issue?

It is important to note that some vulnerabilities are easier to find than others. SQL injection is a relatively easy item to find. Cross-Site Request Forgery (CSRF) issues are not; at least, we haven't run across a scanner that seems to find genuine CSRF issues consistently. Documentation around what works and what doesn't seems to be rare. For instance, ChatGPT must have picked up that DAST scanners will scan for authentication and authorization issues because it claimed so in its summary, but we removed this because our experience is that these are areas where DAST scanners are typically not good at finding issues. Therefore, if there is an issue that you are particularly concerned about, don't trust that your scanner will find it just because it says it will. Verification is well worth your time here.

Too Much Noise or Too Many Missed Items?

Most DAST scanners produce a lot of "noise", or items that either are false positives or don't really need to be fixed (because they are only exploitable in dead browsers, are mitigated elsewhere, etc.). Scanners that reduce this noise almost invariably reduce the number of true positives they find. If/when you do start DAST scanning, be prepared to spend time on research and triaging findings — preferably with a security expert who can help interpret the findings reported by the tool.
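Triage goes faster when repeated reports of the same issue are collapsed and when decisions already made by a reviewer are recorded rather than rediscovered every scan. The helper below is an added example, not from the original post or any scanner: it de-duplicates a constructed findings export by issue type, path and parameter, applies reviewed suppressions that carry a written reason and an expiry date, and orders what remains by severity. The field names (`plugin`, `url`, `parameter`, `severity`) are assumptions about the export format.

```python
"""Scanner finding triage: de-duplicate, apply reviewed suppressions, rank.

Added example, not part of the original post. FINDINGS and SUPPRESSIONS are
constructed; field names are assumptions about a generic scanner export.
"""
from datetime import date
from urllib.parse import urlsplit

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def fingerprint(finding):
    """Same issue on the same path and parameter counts once, whatever the payload."""
    path = urlsplit(finding["url"]).path
    return (finding["plugin"], path, finding.get("parameter") or "")


def triage(findings, suppressions, today=None):
    """Return (actionable, suppressed). A suppression needs a reason and an expiry
    so that 'accepted' findings are re-examined instead of disappearing forever."""
    today = today or date.today()
    active = {}
    for s in suppressions:
        if date.fromisoformat(s["expires"]) >= today:
            active[(s["plugin"], s["path"], s.get("parameter") or "")] = s["reason"]

    seen, actionable, suppressed = set(), [], []
    for f in findings:
        fp = fingerprint(f)
        if fp in seen:
            continue  # duplicate report of an issue already in the list
        seen.add(fp)
        if fp in active:
            suppressed.append({**f, "reason": active[fp]})
        else:
            actionable.append(f)
    actionable.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"].lower(), 99))
    return actionable, suppressed


# Constructed export: five raw findings, two of which are the same issue.
FINDINGS = [
    {"plugin": "sql-injection", "url": "https://test.example.test/search?q=1",
     "parameter": "q", "severity": "high"},
    {"plugin": "sql-injection", "url": "https://test.example.test/search?q=abc",
     "parameter": "q", "severity": "high"},
    {"plugin": "x-xss-protection-missing", "url": "https://test.example.test/",
     "parameter": None, "severity": "low"},
    {"plugin": "cookie-without-secure", "url": "https://test.example.test/login",
     "parameter": "session", "severity": "medium"},
    {"plugin": "reflected-xss", "url": "https://test.example.test/profile?name=x",
     "parameter": "name", "severity": "critical"},
]
# Constructed suppressions: one still valid, one that has expired and so no longer applies.
SUPPRESSIONS = [
    {"plugin": "x-xss-protection-missing", "path": "/", "parameter": None,
     "reason": "header only affects retired browser XSS filters", "expires": "2024-12-31"},
    {"plugin": "cookie-without-secure", "path": "/login", "parameter": "session",
     "reason": "fix scheduled", "expires": "2022-12-31"},
]


if __name__ == "__main__":
    actionable, suppressed = triage(FINDINGS, SUPPRESSIONS, today=date(2023, 3, 2))
    for f in actionable:
        print(f"TODO  {f['severity']:8} {f['plugin']:26} {f['url']}")
    for f in suppressed:
        print(f"SKIP  {f['plugin']:26} ({f['reason']})")
```

The expiry is the important part: a suppression that never lapses is how an "only exploitable in dead browsers" decision from years ago survives long after the reasoning stopped being true.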

Scans (Usually) Take a Long Time

The faster developers get feedback (whether about security or otherwise) the easier problems can be addressed. With this in mind, the ideal scenario for development teams would be that DAST scans would be run after code is checked in to give developers feedback as early as possible. The challenge here is that DAST scans usually take hours to complete. Expect to be disappointed if you want immediate feedback. Instead, consider running scans overnight or over the weekend to give yourself and your team plenty of time to fix items without waiting an inordinate amount of time for results.

Scanning Can Be Destructive

Does your website send out emails if an error occurs or a form (such as a Contact Me form) is submitted? Expect a DAST scan to trigger those emails hundreds, if not thousands, of times. Does your website send data to an external system that should remain relatively clean? Expect to clean up data in that external system. Does your website have an admin page that deletes data that you need for testing? Expect a scanner to delete some of this data during a scan. Scanners will click all links and submit all forms they find, probably hundreds of times, so if something bad can happen, it probably will.

Given this, should you scan in production?

There are good security folks who will argue both sides of this one. However, our experience is that most of the folks who advocate for doing full scans in production aren't the ones directly responsible for websites that go haywire during a scan. We have been, and largely due to those experiences we do not generally recommend performing DAST scans in production.

If you still want to scan in production, and assuming you're doing full scans in a test environment, we recommend doing unauthenticated scans that do GET requests only in production, which will find most configuration issues but will reduce the risk of something damaging occurring.
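To make the GET-only, unauthenticated production scan concrete, the script below is an added example, not from the original post or any scanner: it takes the requests a crawl of the test environment discovered (constructed here), keeps only GETs, strips session cookies and API credentials so the replay is unauthenticated, rewrites the test origin to the production origin, and drops anything on a deny list. The deny list exists because of the admin-page problem described above: a "delete" link is still a GET, so "GET only" alone does not make a scan safe. The host names, header names and the `/admin/` prefix are assumptions.

```python
"""Build a production-safe request plan from a test-environment crawl.

Added example, not part of the original post. CRAWL, the origins and the
deny list are constructed; adjust them to your own environments.
"""
from urllib.parse import urlsplit, urlunsplit

# Assumption: headers that would make a request authenticated in this app.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}


def same_origin(url, origin):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower() == origin.lower()


def rewrite_origin(url, dst_origin):
    """Keep path, query and fragment; swap scheme and host for the production origin."""
    return urlunsplit(urlsplit(dst_origin)[:2] + urlsplit(url)[2:])


def production_plan(crawl, test_origin, prod_origin, denied_prefixes=("/admin/",)):
    """Return (plan, rejected). plan holds sanitized GETs to replay in production;
    rejected holds (url, reason) pairs so the exclusions can be reviewed."""
    plan, rejected = [], []
    for req in crawl:
        method, url = req["method"].upper(), req["url"]
        if method != "GET":
            rejected.append((url, f"{method} may change server state"))
            continue
        if not same_origin(url, test_origin):
            rejected.append((url, "outside the scanned origin"))
            continue
        if any(urlsplit(url).path.startswith(p) for p in denied_prefixes):
            rejected.append((url, "path on deny list: state-changing GET links"))
            continue
        headers = {k: v for k, v in req.get("headers", {}).items()
                   if k.lower() not in CREDENTIAL_HEADERS}
        plan.append({"method": "GET", "url": rewrite_origin(url, prod_origin),
                     "headers": headers})
    return plan, rejected


# Constructed crawl of the test environment, as a scanner might have recorded it.
TEST_ORIGIN = "https://test.example.test"
PROD_ORIGIN = "https://www.example.test"
CRAWL = [
    {"method": "GET", "url": "https://test.example.test/",
     "headers": {"Accept": "text/html", "Cookie": "session=abc123"}},
    {"method": "GET", "url": "https://test.example.test/products?id=7",
     "headers": {"Accept": "text/html", "Authorization": "Bearer t0k3n"}},
    {"method": "POST", "url": "https://test.example.test/contact", "headers": {}},
    {"method": "GET", "url": "https://test.example.test/admin/delete?id=3",
     "headers": {"Cookie": "session=abc123"}},
    {"method": "GET", "url": "https://static.example.test/app.js", "headers": {}},
    {"method": "DELETE", "url": "https://test.example.test/api/items/9", "headers": {}},
]


if __name__ == "__main__":
    plan, rejected = production_plan(CRAWL, TEST_ORIGIN, PROD_ORIGIN)
    for r in plan:
        print("REPLAY ", r["url"], r["headers"])
    for url, why in rejected:
        print("SKIP   ", url, "->", why)
```

Two of the six crawled requests survive, both with their credentials removed and pointed at the production host. Review the rejected list before the scan rather than after: if a state-changing action on your site is reachable by GET outside the deny list, this filter will not catch it.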

So, Should You Use DAST Scanners?

We highly recommend scanning your test environments on a regular basis using a good DAST scanner. Doing so will help you find vulnerabilities before your attackers do and will save you and your company from potential embarrassments and headaches. Getting started may be harder than what DAST vendors would like to think, but it's well worth it to help keep you, your company, and your customers safer.

Have any questions about anything presented here or do you have anything to add? Please comment below!

Further Questions?

If you have further questions about this post or anything else related to securing your websites and custom-built software, you can:
