Content deleted Content added
simplify sections |
Link suggestions feature: 3 links added. Tags: Visual edit Mobile edit Mobile web edit Newcomer task Suggested: add links |
||
| (One intermediate revision by one other user not shown) | |||
Line 1:
{{Short description|Testing process to determine security weaknesses}}
'''Dynamic application security testing''' ('''DAST''') represents a [[non-functional testing]] process to identify security weaknesses and vulnerabilities in an application. This testing process can be carried out either manually or by using automated tools. Manual assessment of an application involves human intervention to identify the security flaws which might slip from an automated tool. Usually [[business logic]] errors, [[race condition]] checks, and certain [[Zero-day vulnerability|zero-day vulnerabilities]] can only be identified using manual assessments.
On the other side, a DAST tool is a program which communicates with a [[web application]] through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.<ref>[http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria Web Application Security Scanner Evaluation Criteria version 1.0], WASC, 2009</ref> It performs a [[black-box]] test. Unlike [[static application security testing]] tools, DAST tools do not have access to the source code and therefore detect [[Vulnerability (computing)|vulnerabilities]] by actually performing attacks.
DAST tools allow sophisticated scans, detecting vulnerabilities with minimal user interactions once configured with host name, crawling parameters and authentication credentials. These tools will attempt to detect vulnerabilities in query strings, headers, fragments, verbs (GET/POST/PUT) and DOM injection.
| |||