DAST Overview
What is DAST scanning?
Dynamic Application Security Testing (DAST) is a form of black-box security testing that actively probes a running web application to detect possible security vulnerabilities. Rapid7’s DAST scans combine a number of testing components with real-world attack techniques, all exercised while the application is in its “run” state.
What can I expect from a DAST scan?
DAST scans can be noisy and tend to generate a lot of traffic in a short period, but they generally have very little impact on the application itself and its resources. The goal of a DAST scan is to test and verify the strength of the application's input sanitization routines and error handling, and to inspect its pages for adherence to security best practices. This is done through a mix of passive checks (observing the responses the application already returns) and active attacks (sending crafted payloads and watching how the application handles them). DAST scans can be run authenticated or unauthenticated, and the two will produce different results: an authenticated scan reaches the pages and functionality that sit behind a login.
What can go wrong?
- Application Denial of Service (DoS): this is most often caused by too few computing resources dedicated to the application, scanning during peak-usage periods, or inefficient code or database interaction that makes each request expensive.
- Database Pollution: when an application accepts user input, it often writes that input to a backend database. If input sanitization controls are weak, the messy payloads the scanner sends will also be written to the backend database.
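The following is an added example, not Rapid7's scanner code and not part of the original page. It shows in miniature what the passive and active checks described above do, and how database pollution arises: a constructed in-process toy application (`ToyApp`, an assumption for this example) stores comments in an in-memory SQLite table, a passive check inspects response headers without sending attack traffic, and an active check submits a marker payload and looks for it reflected unencoded. The header names, the marker string and the toy app's routes are all assumptions made for the example.

```python
import html
import sqlite3


class ToyApp:
    """Constructed stand-in for the scan target (example only, not a real app).

    sanitize=False models weak input handling; sanitize=True models an app that
    HTML-encodes input and sets defensive headers.
    """

    def __init__(self, sanitize: bool):
        self.sanitize = sanitize
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE comments (body TEXT)")

    def handle(self, method: str, path: str, params: dict):
        """Return (status, headers, body) for a request."""
        if path == "/comment" and method == "POST":
            body = params.get("body", "")
            if self.sanitize:
                body = html.escape(body)
            # The row is written either way: scan traffic ends up in the database.
            self.db.execute("INSERT INTO comments (body) VALUES (?)", (body,))
            return 200, {"Content-Type": "text/html"}, f"<p>Thanks: {body}</p>"
        if path == "/" and method == "GET":
            headers = {"Content-Type": "text/html"}
            if self.sanitize:
                headers["X-Content-Type-Options"] = "nosniff"
                headers["Content-Security-Policy"] = "default-src 'self'"
            form = "<form action='/comment' method='post'><input name='body'></form>"
            return 200, headers, f"<html>{form}</html>"
        return 404, {"Content-Type": "text/plain"}, "not found"

    def comment_rows(self):
        """What the scan left behind in the backend table."""
        return [row[0] for row in self.db.execute("SELECT body FROM comments")]


# Assumed best-practice headers the passive check looks for.
EXPECTED_HEADERS = ("X-Content-Type-Options", "Content-Security-Policy")
# Assumed marker payload used by the active reflection probe.
MARKER = "dastprobe"
XSS_PROBE = f"<svg/onload=alert('{MARKER}')>"


def passive_check(headers: dict):
    """Passive: only inspects what the app already returned, no attack traffic."""
    return [h for h in EXPECTED_HEADERS if h not in headers]


def active_reflection_check(app: ToyApp) -> bool:
    """Active: submit a crafted payload and see whether it comes back unencoded."""
    _status, _headers, body = app.handle("POST", "/comment", {"body": XSS_PROBE})
    return XSS_PROBE in body


def scan(app: ToyApp):
    """Run both check types against the app and return a list of finding strings."""
    _status, headers, _body = app.handle("GET", "/", {})
    findings = [f"missing header: {h}" for h in passive_check(headers)]
    if active_reflection_check(app):
        findings.append("reflected XSS: payload returned unencoded")
    return findings


if __name__ == "__main__":
    for label, app in (("weak", ToyApp(sanitize=False)), ("hardened", ToyApp(sanitize=True))):
        print(label, scan(app))
        print(label, "rows left in comments table:", app.comment_rows())
```

Note that the hardened app reports no findings, yet its comments table still holds an (encoded) copy of the probe: encoding makes the payload safe to render, but it does not stop scan traffic from being persisted, which is exactly the pollution the list item above warns about.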