Dynamic application security testing: Difference between revisions

NEUrOO (talk | contribs)
JBayl (talk | contribs)
Link suggestions feature: 3 links added.
(282 intermediate revisions by more than 100 users not shown)
{{Short description|Testing process to determine security weaknesses}}
{{wikify}}
'''Dynamic application security testing''' ('''DAST''') represents a [[non-functional testing]] process to identify security weaknesses and vulnerabilities in an application. This testing process can be carried out either manually or by using automated tools. Manual assessment of an application involves human intervention to identify the security flaws that an automated tool might miss. Usually [[business logic]] errors, [[race condition]] checks, and certain [[Zero-day vulnerability|zero-day vulnerabilities]] can only be identified using manual assessments.
 
On the other side, a DAST tool is a program which communicates with a [[web application]] through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.<ref>[http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria Web Application Security Scanner Evaluation Criteria version 1.0], WASC, 2009</ref> It performs a [[black-box]] test. Unlike [[static application security testing]] tools, DAST tools do not have access to the source code and therefore detect [[Vulnerability (computing)|vulnerabilities]] by actually performing attacks.
Web application security scanners (or web application vulnerability scanners) are tools designed to automatically scan web applications for vulnerabilities.
These tools work as black-box analyzers: unlike source code scanners, they do not access the source code and therefore must detect vulnerabilities by performing attacks.
 
DAST tools allow sophisticated scans, detecting vulnerabilities with minimal user interaction once configured with the host name, crawling parameters and authentication credentials. These tools attempt to detect vulnerabilities in query strings, headers, fragments, verbs (GET/POST/PUT) and DOM injection.
== Strengths and weaknesses ==
The web application security scanner is not a perfect tool; it has strengths and weaknesses.
=== Weaknesses and limitations ===
* Because the tool implements a dynamic testing method, it cannot cover 100% of the application's source code, and therefore not 100% of the application itself.
* It is very hard for a tool to find many logical flaws, such as the use of weak cryptographic functions.
* Even for technical flaws, if the application does not give enough of a clue in its responses, the tool cannot catch them.
* The tool cannot implement all variants of every type of attack for every vulnerability; launching every possible attack would take too long.
 
=== Strengths ===
* The tool is able to analyze the finalized product.
* It simulates a real attacker by performing attacks and probing the responses to see which vulnerabilities lie behind the results.
* As a dynamic tool, it is not language dependent. A web application scanner is able to scan a JSP, PHP or any other application with the same engine.

== Overview ==
DAST tools facilitate the automated review of a web application with the express purpose of discovering security vulnerabilities and are required to comply with various regulatory requirements. Web application scanners can look for a wide variety of vulnerabilities, such as input/output validation problems (e.g. [[cross-site scripting]] and [[SQL injection]]), specific application problems and server configuration mistakes.
 
== Commercial and open-source scanners ==
Commercial scanners are a category of web-assessment tools which need to be purchased. Some scanners include some free features but most need to be bought for full access to the tool's power.
 
Open-source scanners are often free of cost to the user.
=== Commercial tools ===
* [http://www.acunetix.com Acunetix WVS] by Acunetix
* [http://watchfire.com/products/appscan/default.aspx AppScan] by Watchfire, Inc.
* [http://www.cenzic.com/products_services/cenzic_hailstorm.php Hailstorm] by Cenzic
* [http://nstalker.com/eng/products/nstealth/ N-Stealth] by N-Stalker
* [http://www.ntobjectives.com/products/ntospider.php NTOSpider] by NTObjectives
* [http://www.spidynamics.com/products/webinspect/index.html WebInspect] by SPI Dynamics
* [http://parasoft.com/jsp/products/home.jsp?product=WebKing&itemID=86 WebKing] by Parasoft
 
=== Free/open-source tools ===
* [http://rgaucher.info/beta/grabber Grabber] by Romain Gaucher
* [http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project Pantera] by Simon Roses Femerling (OWASP Project)
* [http://parosproxy.org/index.shtml Paros] by Chinotec
* [http://www.immunitysec.com/resources-freesoftware.shtml Spike Proxy] by Immunity (now OWASP Pantera)
* [http://www.pushtotest.com/Downloads/features.html TestMaker] by Pushtotest
* [http://w3af.sourceforge.net W3AF] by Andres Riancho
* [http://wapiti.sourceforge.net Wapiti] by Nicolas Surribas
* [http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] by Rogan Dawes of Aspect Security (OWASP Project)

=== Strengths ===
These tools can detect vulnerabilities of the finalized [[release candidate]] versions prior to shipping. Scanners simulate a malicious user by attacking and probing, identifying results which are not part of the expected result set, allowing for a realistic attack simulation.<ref>{{Cite web|title=SAST vs DAST|url=https://research.g2.com/insights/sast-vs-dast|url-status=live|website=G2 Research Hub|archive-url=https://web.archive.org/web/20200503220256/https://research.g2.com/insights/sast-vs-dast |archive-date=2020-05-03 }}</ref> The big advantage of these types of tools is that they can scan year-round, constantly searching for vulnerabilities. With new vulnerabilities being discovered regularly, this allows companies to find and patch vulnerabilities before they can be exploited.<ref>{{Cite web|title=The Importance of Regular Vulnerability Scanning|url=https://appcheck-ng.com/importance-of-vulnerability-scanning/|url-status=live|website=AppCheck Ltd|archive-url=https://web.archive.org/web/20200806101730/https://appcheck-ng.com/importance-of-vulnerability-scanning/ |archive-date=2020-08-06 }}</ref>
 
As dynamic testing tools, web scanners are not language-dependent: the same scanning engine can be used regardless of the language the web application is written in. Attackers use the same tools, so if the tools can find a vulnerability, so can attackers.<ref>{{Cite web |last=Bashvitz |first=Gadi |title=DAST Pros and Cons |url=https://brightsec.com/blog/dast-dynamic-application-security-testing/ |access-date=2023-03-21 |website=Bright Security}}</ref>
== Web application vulnerability scanner projects ==
* The [http://webappsec.org WASC] is starting a Web Application Security Scanner Evaluation Criteria (WASSEC) project
* [http://nist.gov NIST] is also running a Web Application Security Scanner Evaluation project within the [http://samate.nist.gov SAMATE] project
* A more general [http://www.owasp.org/index.php/Category:OWASP_Tools_Project Tools Project] from [http://owasp.org OWASP], which includes the Web Application Security Scanner
 
=== Weaknesses and limitations ===
While scanning with a DAST tool, data may be overwritten or malicious payloads injected into the subject site. Sites should be scanned in a production-like but non-production environment to ensure accurate results while protecting the data in the production environment.
 
* Because the tool implements a [[dynamic testing]] method, it cannot cover 100% of the application's source code, and therefore not 100% of the application itself. The penetration tester should look at the coverage of the web application or of its [[attack surface]] to know whether the tool was configured correctly and was able to understand the web application.
 
The tool cannot implement all variants of attacks for a given vulnerability, so tools generally rely on a predefined list of attacks rather than generating payloads tailored to the tested web application. Some tools are also quite limited in their understanding of the behavior of applications with dynamic content such as [[JavaScript]] and [[Adobe Flash|Flash]].
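The following is an added illustration, not code from the article or from any scanner it lists, of the black-box mechanics described above (predefined probe list, comparison against the expected baseline response) and of the "no clue in the response" limitation. The three handlers are a constructed in-process stand-in for a web front-end, and the canary strings are benign markers, not real payloads.

```python
import html
from urllib.parse import urlencode, parse_qs

# Constructed mock application (not a real web server): each handler takes
# the query string of a request and returns the response body, standing in
# for the black-box HTTP front-end that a DAST tool talks to.
def search_unencoded(query):          # reflects input verbatim: detectable flaw
    q = parse_qs(query).get("q", [""])[0]
    return f"<p>Results for {q}</p>"

def search_encoded(query):            # escapes output: no reflection flaw
    q = parse_qs(query).get("q", [""])[0]
    return f"<p>Results for {html.escape(q)}</p>"

def log_only(query):                  # stores input but never echoes it: the
    parse_qs(query)                   # response gives the scanner "no clue"
    return "<p>Thanks, your feedback was recorded.</p>"

# A DAST engine carries a fixed, predefined probe list; it does not derive
# payloads from the application. Here each probe is a harmless canary whose
# unescaped return signals that the parameter is reflected without encoding.
PROBES = ["<dast-canary>", "\"dast-canary\""]

def expected_response(handler, param):
    # Baseline with benign input so the scanner can tell a probe's effect
    # apart from normal application output (the "expected result set").
    return handler(urlencode({param: "baseline"}))

def scan_parameter(handler, param):
    """Return the list of probes that came back unencoded in the body."""
    findings = []
    baseline = expected_response(handler, param)
    for probe in PROBES:
        body = handler(urlencode({param: probe}))
        # The reflection must be literal (not &lt;...&gt;) and absent from
        # the baseline; otherwise the scanner would be reporting static text.
        if probe in body and probe not in baseline:
            findings.append(probe)
    return findings

def scan_site(handlers, param="q"):
    """Map each endpoint path to its findings; an empty list means nothing observed."""
    return {path: scan_parameter(h, param) for path, h in handlers.items()}

if __name__ == "__main__":
    site = {"/search": search_unencoded, "/safe": search_encoded, "/feedback": log_only}
    print(scan_site(site))
```

The `/feedback` endpoint consumes the probe exactly like `/search` does, but since nothing is reflected the scanner reports nothing, which is the limitation the text describes.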
{{computer-stub}}
 
== See also ==
 
* [[Security testing]]
* [[Static application security testing]]
* [[Interactive application security testing]]
 
==References==
{{reflist}}
 
==External links==
*[http://www.webappsec.org/projects/wassec/ Web Application Security Scanner Evaluation Criteria] from the [http://www.webappsec.org Web Application Security Consortium] (WASC)
*[https://www.nist.gov/itl/ssd/software-quality-group/web-application-scanners Web Application Scanners], operated by the [[National Institute of Standards and Technology|NIST]]
*[http://www.cgisecurity.com/scannerchallenges.html Challenges faced by automated web application security assessment] from Robert Auger
*[http://projects.webappsec.org/Web-Application-Security-Scanner-List The WASC security scanner list]
 
{{DEFAULTSORT:Web Application Security Scanner}}
[[Category:Security testing]]
[[Category:Dynamic program analysis]]