DAST stands for “Dynamic Application Security Testing” , it means analyzing a web application through the front-end to find vulnerabilities through simulated attacks. This type of approach evaluates the application from the “outside in” by attacking an application like a malicious user would.
In this kind of testing you can try attacks like SQL injection , XSS attacks , CSRF attacks , Source code disclosure and more..
The difference between DAST and Static analysis are the following :
- You don’t need an access to the source code
- Attacker does not require to have any prior knowledge about the system or the application
- That is somehow a simulation to what an outsider attacker may do.
- HCL AppScan
- OWASP Zap (also known as Zap Poxy)
- Fortify Web Inspect
Only Zap Proxy is the free tool within the list , but for AppScan you can download the demo version and try it against “Altoro Mutual (testfire.net)“
We’re going to use OWASP Zap to demonstrate a quick example.
Zap has 2 types of attacks :
- Automatic attack , and here you only provide the application url , the tool crawl/spider the application and then run some attacks against the discovered pages.
- Manual attack , and here you are browsing the application manually and use it as a normal user , you can login , register , submit form or any other functionality available on the application.
The benefit here that you can access some pages or functions that the automatic attack can’t , like all the functionality and pages which require user login or having a user session.
Automatic attack Example and steps :
- Open OWASP Zap
- On the “Quick Start” tab you can find “Automatic Scan” icon
3. Enter the url “http://demo.testfire.net” , and press “Attack”
4. Spider tab will be in focus and you can see that the tools is trying to explore the application.
5. After the sider is completed , the “Active Scan” tab will be in focus and you can see that the tool is performing different attacks against the discovered pages and links.
6. Give it some time as the attack can take some time to be done , but you can check the discovered vulnerabilities on the “Alerts” tab.
Manual attack Example and steps :
- Open OWASP Zap
- On the “Quick Start” tab you can find “Manual Explore” icon
- Enter the url and select a browser from the list
4. Press “Lunch Browser” , the browser will be opened and heading to the url entered earlier.
5. Navigate through the application and try different functionality , when you’re done close the browser and check the left site hierarchy.
6. Remove the domains that don’t belong to your application , then right click on the main application directory , attacks , spider.
7. Zap will spider all the links and pages that you didn’t open and by that the application will be totally discovered.
8. The last step is to start an attack , Right click on the main application folder , attack then active scan.
9. Active scan tab will be in focus and you can see that the tool is attacking the application.
10. Give it some time as the attack can take some time to be done , but you can check the discovered vulnerabilities on the “Alerts” tab.
That’s for today 🙂 , hope you find it useful.
Please share your tips, experience, comments, and questions for further enriching this topic of discussion.