What is a DAST scan?
DAST (dynamic application security testing) is an automated security scan that interacts with your running web application to look for security weaknesses and vulnerabilities. A DAST scan is 'black box' testing: it sends requests to a live application and examines the responses, without access to the source code. This is different from static application security testing (SAST), which examines the static source code for issues.
How does a DAST scan work?
The first step of a DAST scan is crawling your website to discover the pages and APIs. Then the DAST scanner will execute passive and active security tests.
Passive Tests
Passive tests examine the GET responses collected while crawling the website, without sending any additional payloads. Examples of vulnerabilities found by passive tests are cross-domain misconfigurations, insecure cookies, and vulnerable JavaScript dependencies.
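As an added illustration (not HostedScan's or OWASP ZAP's code), the following Python shows the kind of passive header checks described above, run over a constructed set of response headers; the sample header values and the function names are assumptions.

```python
# Constructed sample of response headers, as a DAST crawler might capture
# them from a single GET request. Not taken from any real site.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
]


def check_cookies(headers):
    """Flag each Set-Cookie header that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attribute names only (e.g. "path", "secure"), lower-cased for comparison.
        attrs = {part.strip().split("=", 1)[0].lower()
                 for part in value.split(";")[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie '{cookie_name}' missing {required}")
    return findings


def check_cors(headers):
    """Flag a wildcard CORS origin, and the worse case of wildcard plus credentials."""
    # CORS headers appear once per response, so a dict lookup is sufficient here.
    h = {name.lower(): value.strip() for name, value in headers}
    findings = []
    if h.get("access-control-allow-origin") == "*":
        findings.append("CORS allows any origin (*)")
        if h.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("CORS wildcard origin combined with credentials")
    return findings


def passive_scan(headers):
    """Run all passive checks over one response's headers and return the findings."""
    return check_cookies(headers) + check_cors(headers)


if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_HEADERS):
        print(finding)
```

Nothing here touches the target beyond the GET the crawler already made, which is what makes a check passive.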
Active Tests
Active tests will POST data, send requests, and submit forms to the web application. Examples of active vulnerabilities are SQL injection, remote command execution, and cross-site scripting.
Learn More
To learn more about the different passive and active vulnerabilities, read the info page for our online web application vulnerability scan.
DAST Tools
One of the best DAST tools is OWASP ZAP (Zed Attack Proxy). This open source project is among the world's most widely used DAST scanners and powers the DAST scans of many great companies, such as GitLab and HostedScan.
HostedScan's DAST Scanner
- DAST Scanner powered by OWASP ZAP.
- Supports both traditional HTML web applications and single page applications (SPAs).
- Passive security tests.
- Active security tests.
- Continuous monitoring with scheduled scans.
- Use our APIs to integrate with your CI provider, such as GitHub or CircleCI!
Example DAST scan report