Dynamic application security testing: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 14:05, 10 September 2019 edit Mauls (talk \| contribs) Autopatrolled, Extended confirmed users 156,652 edits m Mauls moved page Dynamic Application Security Testing to Dynamic application security testing ← Previous edit		Latest revision as of 20:31, 26 August 2025 edit undo JBayl (talk \| contribs) 4 edits Link suggestions feature: 3 links added. Tags: Visual edit Mobile edit Mobile web edit Newcomer task Suggested: add links
(43 intermediate revisions by 31 users not shown)
Line 1: {{Short description\|Testing process to determine security weaknesses}} A '''Dynamic Application Security Testing''' (DAST) tool is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.<ref>[http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria Web Application Security Scanner Evaluation Criteria version 1.0], WASC, 2009</ref> It performs a [[black-box]] test. Unlike [[Static Application Security Testing]] tools, DAST tools do not have access to the source code and therefore detect [[Vulnerability (computing)\|vulnerabilities]] by actually performing attacks.▼ '''Dynamic application security testing''' ('''DAST''') represents a [[non-functional testing]] process to identify security weaknesses and vulnerabilities in an application. This testing process can be carried out either manually or by using automated tools. Manual assessment of an application involves human intervention to identify the security flaws which might slip from an automated tool. Usually [[business logic]] errors, [[race condition]] checks, and certain [[Zero-day vulnerability\|zero-day vulnerabilities]] can only be identified using manual assessments. ▲AOn ~~'''Dynamic~~the ~~Application~~other ~~Security~~side, ~~Testing'''~~a (DAST) tool is a program which communicates with a [[web application]] through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.<ref>[http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria Web Application Security Scanner Evaluation Criteria version 1.0], WASC, 2009</ref> It performs a [[black-box]] test. Unlike [[~~Static~~static ~~Application~~application ~~Security~~security ~~Testing~~testing]] tools, DAST tools do not have access to the source code and therefore detect [[Vulnerability (computing)\|vulnerabilities]] by actually performing attacks. DAST tools allow sophisticated scans, detecting vulnerabilities with minimal user interactions once configured with host name, crawling parameters and authentication credentials. These tools will attempt to detect vulnerabilities in query strings, headers, fragments, verbs (GET/POST/PUT) and DOM injection. Customers benefit from the convenience of these applications, while tacitly taking on risk that private information stored in web applications will be compromised through hacker attacks and insider leaks. According to the Privacy Rights Clearinghouse, more than 18 million customer records have been compromised in 2012 due to insufficient security controls on corporate data and web applications.<ref>{{cite web \|url=http://www.privacyrights.org/data-breach/new/\|title=Chronology of Data Breaches\|publisher=Privacy Rights Clearinghouse\|date=9 July 2012\|accessdate=9 July 2012 }}</ref> ==Overview== DAST tools facilitate the automated review of a web application with the ~~expressed~~express purpose of discovering security vulnerabilities, and are required to comply with various regulatory requirements. Web application scanners can look for a wide variety of vulnerabilities, such as input/output validation: (e.g. [[cross-site scripting]] and [[SQL injection]]), specific application problems and server configuration mistakes. In a copyrighted report published in March 2012 by security vendor Cenzic, the most common application vulnerabilities in recently tested applications include:<ref>{{cite web\|url=https://info.cenzic.com/Trend-Report-Application-Security.html\|title=2012 Trends Report: Application Security Risks\|publisher=Cenzic, Inc.\|date=11 March 2012\|accessdate=9 July 2012}}{{Dead link\|date=July 2019 \|bot=InternetArchiveBot \|fix-attempted=yes }}</ref> ~~{\| class="wikitable" style="text-align: left;"~~ \|- ~~\| 37% \|\| [[Cross Site Scripting]]~~ \|- ~~\| 16% \|\| [[SQL Injection]]~~ \|- ~~\| 5% \|\| [[Path Disclosure]]~~ \|- ~~\| 5% \|\| [[Denial-of-service attack\|Denial of Service]]~~ \|- ~~\| 4% \|\| [[Arbitrary code execution\|Code Execution]]~~ \|- ~~\| 4% \|\| [[Memory corruption]]~~ \|- ~~\| 4% \|\| [[Cross-site request forgery\|Cross Site Request Forgery]]~~ \|- ~~\| 3% \|\| [[Data breach\|Information Disclosure]]~~ \|- ~~\| 3% \|\| [[File inclusion vulnerability\|Arbitrary File]]~~ \|- ~~\| 2% \|\| [[File inclusion vulnerability\|Local File Inclusion]]~~ \|- ~~\| 1% \|\| [[File inclusion vulnerability\|Remote File Include]]~~ \|- ~~\| 1% \|\| [[Buffer overflow]]~~ \|- ~~\| 15% \|\| Other ([[Code injection\|PHP Injection]], [[Code injection\|Javascript Injection]], etc.)~~ \|} ==Commercial and open-source scanners== Commercial scanners are a category of web-assessment tools which need to be ~~bought with a specific price (usually quite high)~~purchased. Some scanners include some free features but most need to be bought for full access to the tool's power. Open-source scanners are often free of cost to the user. And open-source scanners are another class which are free in nature. They are the best of the category since their source code is open and the user gets to know what is happening unlike commercial scanners. ===Strengths=== Security researcher Shay Chen has previously compiled a exhaustive list of both commercial and open-source web application security scanners.<ref>[http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html Comparison of Cloud & On-Premises Web Application Security Scanning Solutions]. SecToolMarket.com Retrieved 2017-03-17</ref> The list also highlights how each of the scanners performed during his benchmarking tests against the WAVSEP. These tools can detect vulnerabilities of the finalized [[release candidate]] versions prior to shipping. Scanners simulate a malicious user by attacking and probing, identifying results which are not part of the expected result set, allowing for a realistic attack simulation.<ref>{{Cite web\|title=SAST vs DAST\|url=https://research.g2.com/insights/sast-vs-dast\|url-status=live\|website=G2 Research Hub\|archive-url=https://web.archive.org/web/20200503220256/https://research.g2.com/insights/sast-vs-dast \|archive-date=2020-05-03 }}</ref> The big advantage of these types of tools are that they can scan year-round to be constantly searching for vulnerabilities. With new vulnerabilities being discovered regularly this allows companies to find and patch vulnerabilities before they can become exploited.<ref>{{Cite web\|title=The Importance of Regular Vulnerability Scanning\|url=https://appcheck-ng.com/importance-of-vulnerability-scanning/\|url-status=live\|website=AppCheck Ltd\|archive-url=https://web.archive.org/web/20200806101730/https://appcheck-ng.com/importance-of-vulnerability-scanning/ \|archive-date=2020-08-06 }}</ref> As a dynamic testing tool, web scanners are not language -dependent. A web application scanner is able to scan engine-driven web applications. Attackers use the same tools, so if the tools can find a vulnerability, so can attackers.<ref>{{Cite web \|last=Bashvitz \|first=Gadi \|title=DAST Pros and Cons \|url=https://brightsec.com/blog/dast-dynamic-application-security-testing/ \|access-date=2023-03-21 \|website=Bright Security}}</ref>▼ The WAVSEP platform is publicly available and can be used to evaluate the various aspects of web application scanners: technology support, performance, accuracy, coverage and result consistency.<ref>[https://github.com/sectooladdict/wavsep/wiki WAVSEP Platform] Retrieved 2017-03-17</ref> ===~~DAST Strengths~~Weaknesses=== While scanning with a DAST tool, data may be overwritten or malicious payloads injected into the subject site. Sites should be scanned in a production -like, but non-production environment to ensure accurate results while protecting the data in the production environment.▼ These tools can detect vulnerabilities of the finalized [[release candidate]] versions prior to shipping. Scanners simulate a malicious user by attacking and probing, identifying results which are not part of the expected result set. ▲As a dynamic testing tool, web scanners are not language dependent. A web application scanner is able to scan engine-driven web applications. Attackers use the same tools, so if the tools can find a vulnerability, so can attackers. ~~===DAST Weaknesses===~~ ▲While scanning with a DAST tool, data may be overwritten or malicious payloads injected into the subject site. Sites should be scanned in a production like, but non-production environment to ensure accurate results while protecting the data in the production environment. Because the tool is implementing a [[dynamic testing]] method, it cannot cover 100% of the source code of the application and then, the application itself. The penetration tester should look at the coverage of the web application or of its [[attack surface]] to know if the tool was configured correctly or was able to understand the web application. Line 61 ⟶ 26: The tool cannot implement all variants of attacks for a given vulnerability. So the tools generally have a predefined list of attacks and do not generate the attack payloads depending on the tested web application. Some tools are also quite limited in their understanding of the behavior of applications with dynamic content such as [[JavaScript]] and [[Adobe Flash\|Flash]]. == See also == A report from 2012 found that the top application technologies overlooked by most Web application scanners includes [[JSON]] (such as [[jQuery]]), [[REST]], and Google WebToolkit in [[AJAX]] applications, Flash Remoting (AMF) and [[HTML5]], as well as mobile apps and Web Services using [[JSON]] and REST. [[XML-RPC]] and SOAP technologies used in Web services, and complex workflows such as shopping cart, and [[Cross-site request forgery\|XSRF/CSRF]] tokens were also listed.<ref>[http://www.securityweek.com/web-application-scanners-challenged-modern-web-technologies Web Application Scanners Challenged By Modern Web Technologies]. SecurityWeek.Com (2012-10-25). Retrieved on 2014-06-10.</ref> * [[Security testing]] * [[Static application security testing]] * [[Interactive application security testing]] ==References== Line 68 ⟶ 37: ==External links== [http://www.webappsec.org/projects/wassec/ Web Application Security Scanner Evaluation Criteria] from the [http://www.webappsec.org Web Application Security Consortium] (WASC) [~~http~~https://~~samate~~www.nist.gov/~~index.php~~itl/ssd/~~Web_Application_Vulnerability_Scanners.html~~software-quality-group/web-application-scanners Web Application ~~Vulnerability~~ Scanners], ~~a wiki~~ operated by the [[National Institute of Standards and Technology\|NIST]] [http://www.cgisecurity.com/scannerchallenges.html Challenges faced by automated web application security assessment] from Robert Auger [http://projects.webappsec.org/Web-Application-Security-Scanner-List The WASC security scanner list] [https://mosaicsecurity.com/categories/33-webbased-application-security-scanners List of Web-based Application Scanners], Mosaic Security Research [https://events.ccc.de/congress/2011/Fahrplan/attachments/2024_Dont_scan_just_ask_Fabian_Mihailowitsch.pdf Identifying Web Applications] from Fabian Mihailowitsch {{DEFAULTSORT:Web Application Security Scanner}} [[Category:~~Computer~~Security ~~security software~~testing]] [[Category:~~Computer~~Dynamic ~~network~~program ~~security~~analysis]]