In today’s world, web application development has become an integral part of business processes. As technology has evolved and applications have become more interactive, the security risks have also increased. Cybercriminals and hackers are actively looking for vulnerabilities to gain unauthorised access to sensitive data and cause damage to companies and users. Various methodologies and tools have been developed to minimise security risks and secure applications, one of which is DAST.
What is DAST
Dynamic Application Security Testing (DAST) is a method of testing the security of web applications by analysing their dynamic behaviour in real time. This approach actively interacts with the application by performing a variety of queries and operations to identify vulnerabilities that can be exploited by attackers. The main advantage of DAST is that it can detect vulnerabilities that are only available at runtime of the application.
How DAST works
A key component of DAST is its ability to automatically create and send requests to a target application and then analyse the responses for vulnerabilities. In this process, DAST accesses the application as a real user, interacting with various interface elements and testing its functionality for vulnerabilities in code and configuration.
Opportunities and limitations of DAST
DAST provides a number of meaningful benefits, including:
Real-world vulnerability detection
DAST allows you to examine an application as if it were a real user, helping you identify complex vulnerabilities hidden from other security testing methods.
Using DAST, you can significantly reduce testing time by automating the process of creating queries and analysing responses.
DAST is suitable for large and complex web applications, as it can interact with different parts of the application at the same time.
However, DAST has its limitations
Limitations in detecting some vulnerabilities
Some types of vulnerabilities, such as incorrect server configuration or problems with CSRF (cross-site request forgery) protection, may not be available for detection when using DAST alone.
DAST can sometimes produce false positives, requiring manual analysis and additional checks.
Application of DAST in development and safety
DAST finds its application in various stages of web application development and maintenance:
DAST helps you identify vulnerabilities and flaws in your application code, so you can fix them before release.
When releasing updates
DAST helps ensure that new versions of an application do not introduce new vulnerabilities or compromise security.
DAST is used to regularly test security and identify new vulnerabilities after an application is released.
• Wapiti is a free DAST tool written in the Python programming language. It provides capabilities to scan for web application vulnerabilities such as SQL injection, XSS, LFI (Local File Inclusion) and many others. Wapiti has a simple command line interface and supports many parameters to customise scanning.
How to install Wapiti on Kali Linux:
sudo apt install wapiti
To start a manual, use:
The scanner generates a report on its termination, it looks like this:
• OWASP ZAP is a free and open source tool for DAST developed by the OWASP community. It provides a wide range of features and supports many types of analyses. OWASP ZAP has a graphical user interface, which makes it more accessible to different users.
How to install OWASP ZAP on Kali Linux:
sudo apt install zaproxy
To run OWASP ZAP, type in terminal:
When the scan is complete, you will see the vulnerabilities found by the scanner in this form:
• Nikto is a free tool for scanning for vulnerabilities in web servers and web applications. It allows you to detect various known vulnerabilities and configuration errors.
How to install Nikto on Kali Linux:
sudo apt install nikto
To open the manual, you can run a command like this:
At the end of the scan, the tool generates a report like this:
• Skipfish is an actively developed vulnerability scanning tool created by Google. It has fast scanning and good performance.
Run the following commands to install it in Kali Linux:
sudo apt install -y skipfish
To open the manual, type in the terminal
This is the kind of report the scanner gives after its operation:
• WPScan is a specialised vulnerability scanning tool for websites on the WordPress platform.
Run the following commands to install in Kali Linux:
sudo apt install -y wpscan
To open the manual, use:
After the scan is finished, the scanner gives this report:
Comparison of DAST and SAST
Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) are two primary approaches to software security testing, including web applications. Each of them has unique characteristics and can detect different types of vulnerabilities.
Dynamic Application Security Testing (DAST):
DAST is a security testing method that analyzes a web application during its runtime. It actively interacts with the application, sending requests and analyzing responses in real-time. The primary advantage of DAST is its ability to detect vulnerabilities that are only accessible during the application’s execution.
Examples of vulnerabilities detected by DAST:
Cross-Site Scripting (XSS) vulnerabilities: DAST can detect vulnerabilities that allow attackers to inject malicious scripts into web pages and execute them on users’ computers.
SQL Injection (SQLi) vulnerabilities: DAST can identify vulnerabilities that allow attackers to execute malicious SQL queries on the application’s database.
Cross-Site Request Forgery (CSRF) vulnerabilities: DAST can detect vulnerabilities that enable attackers to send requests on behalf of authenticated users without their consent.
Static Application Security Testing (SAST):
SAST is a security testing method that analyzes the source code of an application without its execution. It looks for potential vulnerabilities in the code, such as insufficient filtering of user input or unsafe data operations. SAST can detect vulnerabilities that exist in the code before its execution.
Examples of vulnerabilities detected by SAST:
Insecure data handling: SAST can identify vulnerabilities related to incorrect data handling and storage, such as memory leaks, improper use of pointers, and more.
Insufficient input validation: SAST can search for vulnerabilities related to inadequate filtering or validation of user input, which can lead to injection and other attacks.
Authentication and authorization vulnerabilities: SAST can discover issues with user authentication and authorization, such as weak password encryption algorithms or access control errors.
Advantages of using DAST and SAST together:
Combining DAST and SAST can significantly improve the overall effectiveness of application security testing and provide comprehensive coverage of vulnerabilities. Here are some benefits of using both methods together:
DAST and SAST have different vulnerability detection capabilities. Combining them allows for the identification of a wide range of vulnerabilities, from code-related issues to vulnerabilities visible only during application runtime.
SAST can provide detailed code analysis and identify potential problem areas that DAST can confirm or refute through real interactions with the application. This helps eliminate false positives and focus efforts on actual vulnerabilities.
SAST scans the entire application’s source code, allowing detection of issues in all parts of the application, including those that cannot be tested using DAST.
SAST can be integrated into the development process, monitoring code security in its early stages, enabling the elimination of vulnerabilities before the application is launched.
Integrating DAST and SAST with Continuous Integration and Continuous Delivery (CI/CD) automates security testing at every stage of development and delivery.
When both methods confirm a vulnerability, it is considered more reliable, enabling a more effective response and appropriate remediation measures.
Dynamic Application Security Testing (DAST) is a powerful tool for identifying vulnerabilities in web applications, ensuring their security and protection against cyber-attacks. However, for comprehensive security, DAST is best used in conjunction with other testing methods, such as Static Application Security Testing (SAST) and manual code auditing. When used appropriately, DAST helps identify vulnerabilities and improve the security of web applications, ensuring the safety of users and preventing potential cyber threats.