Dynamic application security testing (DAST)

In this post we will look into Dynamic Application Security Testing (DAST).

What is DAST?

DAST is the process of testing a running instance of a web application for weaknesses and vulnerabilities. It follows a black-box approach: the tester has no access to the source code and finds vulnerabilities the same way an external attacker would. Simply put, DAST identifies vulnerabilities by sending inputs to the live application, observing how it responds and attempting to exploit what it finds, either manually or through automated tools.

By testing the application from an outside perspective, we abstract ourselves from its inner workings and focus on the vulnerabilities an attacker is most likely to find. Findings from DAST therefore often deserve prioritised attention: they are reachable without any prior knowledge of the application.

It is important to note that DAST doesn't replace other methods of finding vulnerabilities in applications, but rather complements them.

A secure development lifecycle will often mix several techniques in order to provide good enough vulnerability coverage.


Manual vs Automated DAST

There are two ways in which DAST can be performed:

  • Manual DAST: A security engineer manually performs tests against the application to check for vulnerabilities.
  • Automated DAST: An automated tool scans the web application for vulnerabilities.

Both approaches are complementary and can be used at different stages of the Software Development Lifecycle (SDLC). Combining manual and automated testing will usually yield better results than relying on either one alone.

DAST in the SDLC

Image src: https://tryhackme-images.s3.amazonaws.com/user-uploads/5ed5961c6276df568891c3ea/room-content/c1d4a406cb5ff3ad78807be4c5e2697b.png


DAST Pros and Cons

As with any other process used to find vulnerabilities in an application, DAST has its advantages and disadvantages:

Pros:

  • Finds vulnerabilities at runtime. This includes vulnerabilities introduced by the deployment itself (server and proxy configuration, infrastructure, third-party components), which can't be seen by analysing code alone.
  • DAST finds vulnerabilities such as HTTP request smuggling, cache poisoning and parameter pollution that SAST won't find, because they depend on how the deployed servers and proxies handle requests rather than on the application code alone.
  • Fewer false positives than SAST, since a finding is typically confirmed against the live application.
  • DAST tools might be able to find some business logic flaws. Their effectiveness depends on the tool, and this shouldn't be taken as a replacement for manual testing.

Cons:

  • DAST may not cover situations that are only triggered by specific use cases of your application.
  • Some vulnerabilities are harder to find with DAST than with static code analysis.
  • Some applications are difficult to crawl. Modern applications rely heavily on client-side JavaScript, which makes it harder for DAST tools to discover and traverse every page and endpoint; anything the crawler doesn't reach, it doesn't test.
  • DAST scanners won't tell you where in the code a vulnerability lives or how to remediate it in detail, since they never see the source.
  • Some types of scans can take a long time to finish.
  • You need a running application, so DAST happens later in the SDLC than static analysis.