In a galaxy far, far away there is a dark magic button that finds all security vulnerabilities in every application ever created or yet to be created. No specific knowledge is required; just press the button and get the results.
It sounds a bit unrealistic, but that is how Dynamic Analysis Security Testing (DAST) tools work, at least from the user's perspective. DAST follows a black-box testing methodology: no knowledge of the application's code, structure, or internal architecture is required. You find the inputs, define what a normal output is and what an exception is, then test each of them. DAST requires a running instance of the application, and the completeness of a scan is measured by a path coverage metric: if all possible inputs were tested, path coverage is 100%.
To provide good coverage the DAST tool needs to "learn" an application by visiting web pages and extracting URLs for other pages. This can be a fully automated process in which the DAST tool crawls the application and tries to find all inputs, or it can be done with the assistance of people and other resources. DAST tools can act as a proxy, listening to traffic and "learning" the application from it. Manual browsing (a user visits the website) or automated browsing (recorded user actions are replayed with a web driver) can be used to generate starting points for DAST tools.
Once the inputs are defined, the active scan phase begins: numerous requests are sent to the application to detect deviations from the expected results. While DAST is essential for application security testing, it cannot provide a complete overview of all vulnerabilities. Unfortunately, not every bug found is a vulnerability; DAST tools can generate a lot of false positives. Confirmed issues, however, can often be easily re-tested.
DAST tools operate at runtime, so they work best for finding authentication, session management, and access control issues. Because it is black-box testing with no knowledge of the context, some of the issues found may originate in third-party components. Various misconfigurations can likewise only be found at runtime.
DAST is also effective, like a static code analyzer, at finding different injection issues. The most notorious are SQL injection, cross-site scripting, and OS command injection. Buffer overflows are another critical class of vulnerability that DAST can find by fuzzing user input, sending specific combinations of characters to crash the application.
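The two core steps described above, "learning" inputs from a page and comparing a probe response against a baseline during the active scan, as a small added example (not code from the original article or from any DAST product). The HTML, the responses and the probe token are constructed sample data; nothing is sent over a network, and an HTML-encoded echo of the token is deliberately not reported, which is the kind of false positive the text warns about.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin

# Harmless probe token (constructed for this example). The angle brackets let
# us tell an HTML-encoded reflection apart from a raw one.
MARKER = "<dastprobe7731>"


class InputCollector(HTMLParser):
    """'Learns' one page: links become new pages to visit, form field
    names become inputs to test."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links, self.fields = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urljoin(self.base_url, a["href"]))
        elif tag in ("input", "textarea", "select") and a.get("name"):
            self.fields.add(a["name"])


def learn_inputs(base_url, html):
    """Return (sorted links, sorted form field names) found in one page."""
    p = InputCollector(base_url)
    p.feed(html)
    return sorted(p.links), sorted(p.fields)


@dataclass
class Response:
    status: int
    body: str


def classify(baseline, probe):
    """Compare the probe response for one input against the baseline.

    Reported deviations:
      - 5xx on the probe while the baseline was healthy (an error path)
      - MARKER reflected raw into the body (unencoded reflection)
    An HTML-escaped echo ("&lt;dastprobe7731&gt;") is NOT reported: encoded
    output is the intended behaviour and flagging it would be a false positive.
    """
    findings = []
    if probe.status >= 500 and baseline.status < 500:
        findings.append("server error on probe")
    if MARKER in probe.body and MARKER not in baseline.body:
        findings.append("unencoded reflection")
    return findings
```

Each reported finding is only a candidate; as the text notes, it still has to be re-tested before it is treated as a confirmed vulnerability.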
The effectiveness of DAST depends on how well it knows the application and on the number of tests performed. It is not as fast as a static code analyzer and it requires a working environment, but it is still a great way to test the whole application from an attacker's perspective.