
DAST Tools: What They Are Good At Finding

Sep 5, 2018 | by: Sherif Koussa

Your application is secure? Prove it!

In a galaxy far, far away there is a dark magic button that finds all security vulnerabilities in every application ever created or yet to be created. No specific knowledge is required: just press the button and get results.

It sounds a bit unrealistic, but that is how Dynamic Application Security Testing (DAST) tools work, or at least how they look from the user's perspective. DAST follows a black-box testing methodology: no knowledge of the application's code, structure, or internal architecture is required. The tester finds the inputs, defines what a normal response looks like and what counts as an anomaly, and then tests each input. DAST requires a running instance of the application, and the completeness of a scan is expressed as a path coverage metric: the proportion of discovered URLs and inputs that have actually been exercised. If every discovered input has been tested, path coverage is 100%, although that says nothing about pages the crawler never found.


To provide good coverage, the DAST tool needs to "learn" an application by visiting its pages and extracting the URLs of other pages. This can be a fully automated process in which the tool crawls the application and tries to find every input, or it can be done with the assistance of people and other resources. DAST tools can also act as a proxy, listening to traffic and "learning" the application from it. Manual browsing (a user visits the website) or automated browsing (recorded user actions are replayed with a web driver) can be used to generate starting points for the scanner.


Once the inputs are defined, the active scan phase begins. Numerous requests are sent to the application to detect deviations from the expected responses. While DAST is essential for application security testing, it cannot provide a complete overview of all vulnerabilities. Nor is every reported finding a real vulnerability: DAST tools can generate a lot of false positives. On the positive side, a confirmed issue is usually easy to re-test, since the request that triggered it can simply be replayed.

Because DAST tools operate at runtime, they are at their best finding authentication, session management, and access control issues. Since this is black-box testing with no knowledge of the code, some of the issues found will turn out to be in third-party components rather than in the application's own code. Various misconfigurations can likewise only be found at runtime.
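As an added example (not code from the original post or from any DAST vendor), here is the kind of passive, runtime-only check a scanner performs on the responses it captures while proxying or crawling: it audits the attributes of the session cookie and the presence of common security headers. The two sample responses are constructed for the example, the list of session-cookie names and the set of expected headers are assumptions, and `audit_response` is a hypothetical helper name:

```python
import re

# Constructed sample responses (not captured from any real application): the
# headers a DAST proxy might see from a login endpoint, first as a typical
# weak configuration and then hardened.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=9F2C1A7E3B; Path=/
Set-Cookie: remember_me=1; Path=/; HttpOnly; Secure; SameSite=Lax
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=9F2C1A7E3B; Path=/; HttpOnly; Secure; SameSite=Lax
"""

# Cookie names that conventionally carry the session identifier (assumed list).
SESSION_COOKIE_RE = re.compile(
    r"^(jsessionid|phpsessid|asp\.net_sessionid|sessionid|session)$", re.I)

# Headers whose absence is reported, with the finding label to emit (assumed set).
EXPECTED_HEADERS = {
    "strict-transport-security": "missing-hsts",
    "content-security-policy": "missing-csp",
    "x-content-type-options": "missing-nosniff",
}


def parse_headers(raw):
    """Split raw response text into (status line, [(lowercased name, value), ...])."""
    lines = [line for line in raw.splitlines() if line.strip()]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(raw, https=True):
    """Return sorted finding labels for one captured response."""
    _, headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = [label for hdr, label in EXPECTED_HEADERS.items() if hdr not in present]
    for name, value in headers:
        # A version number in Server: is information disclosure.
        if name == "server" and re.search(r"/\d", value):
            findings.append("server-version-disclosure")
        if name == "set-cookie":
            cookie, *attrs = [part.strip() for part in value.split(";")]
            cname = cookie.split("=", 1)[0]
            flags = {attr.split("=", 1)[0].lower() for attr in attrs}
            # Only the session cookie is held to the strict attribute policy.
            if SESSION_COOKIE_RE.match(cname):
                if "httponly" not in flags:
                    findings.append(f"cookie-{cname}-missing-httponly")
                if https and "secure" not in flags:
                    findings.append(f"cookie-{cname}-missing-secure")
                if "samesite" not in flags:
                    findings.append(f"cookie-{cname}-missing-samesite")
    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", audit_response(WEAK_RESPONSE))
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

None of these findings is visible in source code: the Server banner, the cookie attributes and the security headers are decided by the web server, the framework and the deployment configuration, which is why they are the natural territory of a runtime scanner.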

Like a static code analyzer, DAST is effective at finding injection issues, the most notorious being SQL injection, cross-site scripting, and OS command injection. Buffer overflows are another critical class of vulnerability that DAST can find, by fuzzing user input and sending specific combinations of characters or oversized values that crash the application.
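The learn-then-inject cycle described above, as an added example that is not the post's code or any vendor's scanner: a miniature DAST tool that learns a target by following links, then injects probes into every discovered parameter and flags deviations from the baseline response, reporting reflected XSS and error-based SQL injection. The target `app` is a constructed, deliberately vulnerable in-process stand-in for the running instance, so everything runs offline; the probe strings, the error signatures and all function names are assumptions of the example:

```python
import re
import sqlite3
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# --- Constructed target: a deliberately vulnerable in-process "web app" ---
# It plays the role of the running instance a DAST scan needs. A request is a
# URL string and a response is (status, HTML body); no network is involved.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
_db.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def app(url):
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/":
        return 200, ('<a href="/search?q=test">search</a> '
                     '<a href="/item?id=1">item</a> <a href="/about">about</a>')
    if parts.path == "/about":
        return 200, "<p>About us</p>"
    if parts.path == "/search":        # reflects input unescaped: XSS
        return 200, f"<p>Results for {q.get('q', '')}</p>"
    if parts.path == "/item":          # SQL built by string formatting: injection
        try:
            row = _db.execute(
                f"SELECT name FROM items WHERE id = {q.get('id', '0')}").fetchone()
        except sqlite3.Error as e:
            return 500, f"<p>Database error: {escape(str(e))}</p>"
        return 200, f"<p>{escape(row[0]) if row else 'not found'}</p>"
    return 404, "<p>not found</p>"


# --- Scanner, part 1: "learning" the application by crawling ---
HREF_RE = re.compile(r'href="([^"]+)"')


def crawl(fetch, start="/", limit=100):
    """Follow same-site links from `start`; return {path: {param: sample value}}."""
    inputs, seen, queue = {}, set(), [start]
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        parts = urlsplit(url)
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        inputs.setdefault(parts.path, {}).update(params)
        _, body = fetch(url)
        queue.extend(link for link in HREF_RE.findall(body) if link.startswith("/"))
    return inputs


# --- Scanner, part 2: active scan of every discovered input ---
XSS_PROBE = '<dastprobe id="7x">'   # must come back byte-for-byte to count
SQL_ERROR_RE = re.compile(
    r"syntax error|unrecognized token|database error|sqlstate", re.I)


def _url(path, params, **override):
    return path + "?" + urlencode(dict(params, **override))


def active_scan(fetch, inputs):
    """Inject probes into each parameter and report deviations from the baseline."""
    findings = []
    for path, params in inputs.items():
        for name, value in params.items():
            base_status, base_body = fetch(_url(path, params))
            # Reflected XSS: the raw probe appears verbatim in the response body.
            _, body = fetch(_url(path, params, **{name: XSS_PROBE}))
            if XSS_PROBE in body:
                findings.append((path, name, "reflected-xss"))
            # Error-based SQLi: a trailing quote changes the status AND surfaces a
            # database error the baseline did not have. Requiring both keeps the
            # false-positive rate down, the usual DAST trade-off.
            status, body = fetch(_url(path, params, **{name: value + "'"}))
            if (status != base_status and SQL_ERROR_RE.search(body)
                    and not SQL_ERROR_RE.search(base_body)):
                findings.append((path, name, "sql-injection"))
    return sorted(findings)


def scan(fetch, start="/"):
    return active_scan(fetch, crawl(fetch, start))


if __name__ == "__main__":
    for path, param, issue in scan(app):
        print(f"{issue:15} {path} param={param}")
```

Two details carry over to real tools. The crawler is the ceiling on coverage: a parameter it never sees is never scanned, which is exactly why DAST products accept proxied or recorded traffic as extra starting points. And the SQL injection check compares against a baseline request instead of trusting a 500 status alone, because a scanner that reports every error page as an injection is the kind that buries real findings in false positives.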

The effectiveness of DAST depends on how well the tool knows the application and on the number of tests it performs. It does not run as fast as a static code analyzer and it requires a working environment, but it is still a great way to test the whole application from an attacker's perspective.


About the Author

Sherif Koussa
Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured and Reshift. In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat and the OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed to a few of their courses. After switching from the software development field to the security field, Sherif took on the mission of supporting developers in shifting security left and shipping more secure code organically.
© 2022
Software Secured