DAST tools facilitate the automated review of a web application with the express purpose of discovering security vulnerabilities, and their use is required by various regulatory requirements. Web application scanners can look for a wide variety of vulnerabilities, such as input/output validation flaws (e.g. [[cross-site scripting]] and [[SQL injection]]), specific application problems, and server configuration mistakes.
In a copyrighted report published in March 2012 by security vendor Cenzic, the most common application vulnerabilities in recently tested applications include:<ref>{{cite web|url=https://info.cenzic.com/Trend-Report-Application-Security.html|archive-url=https://archive.today/20121217132011/https://info.cenzic.com/Trend-Report-Application-Security.html|url-status=dead|archive-date=17 December 2012|title=2012 Trends Report: Application Security Risks|publisher=Cenzic, Inc.|date=11 March 2012|accessdate=9 July 2012}}</ref>
{| class="wikitable" style="text-align: left;"
A scanner cannot implement every variant of an attack for a given vulnerability class, so tools generally ship with a predefined list of attack payloads rather than generating payloads tailored to the application under test. Some tools are also quite limited in their understanding of the behavior of applications with dynamic content such as [[JavaScript]] and [[Adobe Flash|Flash]].
A report from 2012 found that the application technologies most often overlooked by web application scanners include [[jQuery]], [[REST]] and Google Web Toolkit in [[AJAX]] applications; Flash Remoting (AMF) and [[HTML5]]; mobile apps and web services using [[JSON]] and REST; [[XML-RPC]] and SOAP used in web services; complex workflows such as shopping carts; and [[Cross-site request forgery|XSRF/CSRF]] tokens.<ref>[http://www.securityweek.com/web-application-scanners-challenged-modern-web-technologies Web Application Scanners Challenged By Modern Web Technologies]. SecurityWeek.Com (2012-10-25). Retrieved on 2014-06-10.</ref><ref>[https://pentesting.company/web-application-security-testing/ Web Application Security Testing] Retrieved 2020-11-04</ref>
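The two limitations discussed above, a fixed payload list rather than target-specific payloads and the failure to handle CSRF tokens in multi-step workflows, can be shown with a miniature scanner. The following is an added example written for this article; it is not code from any real DAST product or from the cited reports. The target ("ToyApp") is a constructed in-memory stand-in for a web application with a reflected-XSS search page, an error-based SQL injection signal, and a CSRF-protected transfer form; the scanner's payload list, oracle regexes and function names are all assumptions made for illustration.

```python
"""Toy DAST scanner against a constructed in-memory target (illustration only)."""
import html
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class ToyApp:
    """Constructed stand-in for the scan target; handle() returns (status, body).
    /search reflects q unescaped (XSS), /item emits a fake DB error on a quote
    (SQL injection signal), /transfer is a CSRF-protected POST whose result page
    reflects `amount` unescaped. Nothing here talks to the network."""

    def __init__(self):
        self.valid_tokens = set()

    def handle(self, method, url, body=""):
        parts = urlparse(url)
        query = parse_qs(parts.query)
        form = parse_qs(body)
        if parts.path == "/search":
            return 200, f"<h1>Results for {query.get('q', [''])[0]}</h1>"
        if parts.path == "/item":
            item_id = query.get("id", [""])[0]
            if "'" in item_id:  # simulated unparameterised query blowing up
                return 500, "SQL syntax error near " + html.escape(item_id)
            return 200, f"<p>item {html.escape(item_id)}</p>"
        if parts.path == "/transfer" and method == "GET":
            token = secrets.token_hex(8)
            self.valid_tokens.add(token)
            return 200, ('<form method="POST" action="/transfer">'
                         f'<input type="hidden" name="csrf" value="{token}">'
                         '<input name="amount"></form>')
        if parts.path == "/transfer" and method == "POST":
            token = form.get("csrf", [""])[0]
            if token not in self.valid_tokens:
                return 403, "invalid CSRF token"
            self.valid_tokens.discard(token)  # single-use token, as real apps do
            return 200, f"<p>transferred {form.get('amount', [''])[0]}</p>"
        return 404, "not found"


# Predefined payload list: the scanner carries canned probes and does not derive
# payloads from the target, which is the limitation described in the text.
PROBE = "dastprobe"
PAYLOADS = {
    "xss": [f"<script>{PROBE}</script>", f'"><img src=x onerror={PROBE}>'],
    "sqli": ["'", "1' OR '1'='1"],
}
SQL_ERROR_RE = re.compile(r"SQL syntax|syntax error|ORA-\d+", re.I)
CSRF_RE = re.compile(r'name="csrf" value="([0-9a-f]+)"')


def looks_vulnerable(kind, payload, status, body):
    """Response oracle per vulnerability class (assumed, simplistic)."""
    if kind == "xss":
        return payload in body  # reflected byte-for-byte, i.e. unescaped
    if kind == "sqli":
        return status >= 500 or SQL_ERROR_RE.search(body) is not None
    return False


def scan_get(app, path, param):
    """Inject each payload into one query parameter; return classes found."""
    findings = set()
    for kind, payloads in PAYLOADS.items():
        for payload in payloads:
            status, body = app.handle("GET", f"{path}?{urlencode({param: payload})}")
            if looks_vulnerable(kind, payload, status, body):
                findings.add(kind)
                break
    return findings


def scan_post(app, path, param, refresh_token):
    """Scan a CSRF-protected form. The crawl phase submits the form once with a
    benign value, consuming the token. With refresh_token=False the attack phase
    replays that stale token, every probe gets a 403 and nothing is found; with
    refresh_token=True the scanner re-fetches the form before each probe."""
    _, page = app.handle("GET", path)
    token = CSRF_RE.search(page).group(1)
    app.handle("POST", path, urlencode({"csrf": token, param: "1"}))  # crawl step
    findings = set()
    for kind, payloads in PAYLOADS.items():
        for payload in payloads:
            if refresh_token:
                _, page = app.handle("GET", path)
                token = CSRF_RE.search(page).group(1)
            status, body = app.handle("POST", path, urlencode({"csrf": token, param: payload}))
            if looks_vulnerable(kind, payload, status, body):
                findings.add(kind)
                break
    return findings


if __name__ == "__main__":
    app = ToyApp()
    print("GET /search:", scan_get(app, "/search", "q"))
    print("GET /item:", scan_get(app, "/item", "id"))
    print("POST /transfer, stale token:", scan_post(app, "/transfer", "amount", False))
    print("POST /transfer, fresh token:", scan_post(app, "/transfer", "amount", True))
```

The GET scans find the reflected XSS and the SQL error page with nothing more than the canned list, but the transfer form's XSS is only reported by the token-aware variant; a scanner that treats the form as a static request to replay sees only 403 responses and reports the workflow as clean.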