What is DAST?
It is a test conducted from an end user's perspective in which the running application is probed the way a malicious user would probe it, to detect the weaknesses that attacks would exploit. Security test cases are executed at runtime, which helps identify runtime issues with few false positives because real requests and responses are analyzed. This method is a form of black-box testing, in which the tester, like an attacker, knows only the URL or the login interface.
Why is DAST Important?
Since source code is typically confidential, most attackers target web systems as they run in their dynamic environments. Simulating malicious attacks and compromised environments through DAST helps organizations identify bugs before the application's release. Modern web architectures introduce many configuration options, and not every developer is aware of all of them, so misconfigurations are common. DAST helps detect and eliminate many of these security misconfigurations.
Types of DAST
Dynamic Application Security Testing can be divided into mainly two types, as given below.
Automated DAST
In automated DAST, the testing tool starts from the main URL and uses crawlers to scan the system. It also monitors and audits the entire web platform to identify critical vulnerabilities. Every page accessed is logged, along with its request and the server's response.
Automated DAST can be configured to check for denial of service and brute force attacks; however, this may slow down the main site. Therefore, denial of service and brute force tests are generally conducted with the owner’s consent.
Manual DAST
In manual DAST, testing relates to the system’s context. An automated DAST scan cannot identify all vulnerabilities; for instance, business logic vulnerabilities typically fall outside the scope of automated tools, as they cannot be fine-tuned for every situation. Hence, manual DAST is employed.
The tester must understand the system thoroughly and create test cases based on various scenarios that a malicious user could exploit. Requests sent to the server can be genuine or crafted, and the responses are captured manually using proxy tools. This approach allows manual DAST to uncover critical vulnerabilities that automated scans might miss.
Challenges of DAST
DAST is a valuable testing tool that can uncover security vulnerabilities other tools can’t. Though DAST excels in certain areas, it does have its limitations. Let’s look at the challenges.
Session Management
Session management is difficult because the application's cookies and tokens may be short-lived. Once a login is done, the authentication tokens may remain valid for only a few minutes. However, a DAST scan might take hours, depending on the application's functionality and inputs. Therefore, once a token expires, the DAST scan cannot test the remaining functionality.
A mechanism should be developed to refresh or re-authenticate with the application before the old token expires and use the new token for further requests.
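One way to build the refresh mechanism described above, as an added example that is not from the original article: a scan session that tracks the token's expiry time and logs in again before it runs out, driven here against a constructed fake login endpoint and a fake clock so it runs offline. The server, credentials and token lifetime are all assumptions.

```python
import time


class FakeAuthServer:
    """Constructed stand-in for the target's login endpoint (no network involved)."""

    def __init__(self, token_lifetime_s):
        self.token_lifetime_s = token_lifetime_s
        self.logins = 0

    def login(self, username, password):
        # Mimics a login response: a fresh bearer token plus its lifetime in seconds
        self.logins += 1
        return {"access_token": f"tok-{self.logins}", "expires_in": self.token_lifetime_s}


class ScanSession:
    """Keeps a long DAST scan authenticated by logging in again before the token expires."""

    def __init__(self, auth, username, password, safety_margin_s=30, clock=time.monotonic):
        self.auth, self.creds = auth, (username, password)
        self.margin, self.clock = safety_margin_s, clock
        self.token, self.expires_at, self.refreshes = None, 0.0, 0

    def _refresh(self):
        resp = self.auth.login(*self.creds)
        self.token = resp["access_token"]
        self.expires_at = self.clock() + resp["expires_in"]
        self.refreshes += 1

    def auth_headers(self):
        # Re-authenticate once the token is within the safety margin of expiry,
        # so no request in the scan is ever sent with a dead token.
        if self.token is None or self.clock() >= self.expires_at - self.margin:
            self._refresh()
        return {"Authorization": f"Bearer {self.token}"}


def simulate_scan(num_requests, seconds_per_request, token_lifetime_s, margin_s=30):
    """Drive a scan against a fake clock; returns (logins performed, distinct tokens used)."""
    now = [0.0]                      # mutable fake clock, advanced per request
    auth = FakeAuthServer(token_lifetime_s)
    session = ScanSession(auth, "scanner", "secret", margin_s, lambda: now[0])
    tokens = set()
    for _ in range(num_requests):
        tokens.add(session.auth_headers()["Authorization"])
        now[0] += seconds_per_request
    return auth.logins, len(tokens)
```

With a 15-minute token and one request per minute, a 120-request scan logs in eight times and never sends a stale token; with the safety margin set to zero, a request issued just before expiry would still be sent but could be rejected by the time it is processed.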
Automated Privilege Escalation
Privilege escalation checks are rare in automated DAST scans because such scans test the application against a pre-defined methodology. Privilege escalation paths depend heavily on the application's architecture, and that complexity means automated privilege escalation testing is practically non-existent.
DAST scanning should include automated scripts designed explicitly for privilege escalation in the context of an application that needs to be tested.
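One way to script the application-specific privilege escalation check called for above, as an added example that is not from the original article: requests recorded in a high-privilege session are replayed with a low-privilege session against a constructed in-memory stand-in for the application, and any endpoint the test plan marks admin-only that returns the same successful response to both sessions is reported. The endpoint names, session cookies and the deliberately missing role check are all constructed assumptions.

```python
# Constructed in-memory stand-in for the application under test. The missing
# role check on /admin/export is deliberate so the harness has something to find.
ADMIN_ONLY = {"/admin/users", "/admin/export"}           # from the test plan
SESSIONS = {"sess-admin": "admin", "sess-user": "user"}  # constructed session cookies


def fake_app(method, path, cookie):
    """Returns (status, body) the way the real application would over HTTP."""
    role = SESSIONS.get(cookie)
    if role is None:
        return 401, "login required"
    if path == "/admin/users":
        if role != "admin":
            return 403, "forbidden"
        return 200, "alice,bob,carol"
    if path == "/admin/export":          # no role check here (deliberate defect)
        return 200, "full user database"
    if path == "/profile":
        return 200, f"profile of {role}"
    return 404, "not found"


def escalation_checks(app, recorded, high_cookie, low_cookie, admin_only):
    """Replay requests recorded in a high-privilege session using a low-privilege
    session; report admin-only endpoints that answer both sessions identically."""
    findings = []
    for method, path in recorded:
        if path not in admin_only:
            continue                      # ordinary endpoints are expected to work for both
        high = app(method, path, high_cookie)
        low = app(method, path, low_cookie)
        # A 200 with the same body for the low-privilege user means the role
        # check is missing or bypassable; a 403 or a differing body is the
        # expected, correctly enforced outcome.
        if low[0] == 200 and low == high:
            findings.append({"method": method, "path": path, "status": low[0]})
    return findings


# Requests captured earlier while crawling the application as the admin user (constructed)
RECORDED = [("GET", "/profile"), ("GET", "/admin/users"), ("GET", "/admin/export")]

if __name__ == "__main__":
    for f in escalation_checks(fake_app, RECORDED, "sess-admin", "sess-user", ADMIN_ONLY):
        print("possible privilege escalation:", f)
```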
False Negatives and False Positives
Because DAST detection depends on payload signatures and response matching, a scanner can miss a real vulnerability (a false negative) or report a vulnerability that does not exist (a false positive). Both increase proportionally with the application's size and user base.
False positives can be removed using manual testing; however, false negatives are not detectable by DAST tools.
Non-crawlable URLs
DAST tools cannot crawl every URL used by the application backend. Sometimes a single backend handler accepts one or more parameters that select different functions, and DAST tools cannot discover all of those parameter values, or the functions behind them, on their own.
A manual crawl for each function is the only way to find all URLs related to their respective functionalities.
DAST Best Practices
Following these best practices can ensure better identification, reporting, and fixing of security vulnerabilities.
Collaboration with Developers: DAST acts as a feedback mechanism for developers. It tells them about the loopholes in the application they designed and developed. After a DAST scan, developers can use the results to fix the vulnerabilities found in their code. After each fix, another DAST scan should be run, repeating until all the vulnerabilities are taken care of.
Secure Code: As developers become aware of their code's flaws, they start to adopt secure coding practices, and vulnerable methods and logic flaws in their programs become fewer. Unless a new type of threat or zero-day vulnerability comes to light, secure coding acts as a foolproof defense against cyber attacks.
Integration with Multiple Platforms: Nowadays, applications are developed for multi-platform scenarios. A web application also has its mobile counterpart and APIs. A DAST scan should be done for all the application’s versions and platforms so that the application is secured from all angles.
Combination of Manual and Automated DAST: Every application that undergoes DAST should be tested with both manual and automated approaches. Automated DAST can quickly find most of the vulnerabilities in the earlier testing phase. A manual DAST scan can then remove the false positives found by the automated scan and find new vulnerabilities, based on the application's context, that automated DAST cannot test for.
SAST vs DAST
DAST attacks “from the outside in” by attacking the application as a malicious user would. After the DAST scanner performs these attacks, it looks for results that are not in the expected result set and identifies security vulnerabilities.
On the other hand, SAST analyzes the static environment, that is, the source code of an application. It examines the application from the inside out, looking for holes in the code. To maximize the strength of your security posture, you should use both SAST and DAST: combining the two testing methods gives you a complete view of vulnerabilities.
DAST Tools
Various DAST tools used nowadays are given below.
Burp Suite: It is a proxy tool for detecting vulnerabilities in web and mobile applications. It is available in Enterprise, Professional, and Community editions. The Enterprise and Professional editions are mainly used commercially by international organizations, whereas the Community version is a free single-user edition with fewer features. This tool is used for application scanning, bug bounty hunting, and research purposes.
Netsparker: This tool uses dynamic and interactive mechanisms to detect vulnerabilities in the application. Payload request signature testing and behavior testing are part of the test cases performed by this tool. It also helps develop secure coding practices, as vulnerable code is highlighted in the scans.
HCL AppScan: It performs automated security testing to prevent cyber attacks. This tool can perform black-box and white-box testing. It can also scan websites and applications to find embedded vulnerabilities.
Indusface WAS: This tool provides a managed DAST solution. It follows a nonintrusive, zero-touch, cloud-based approach to scanning the application. It also guarantees zero false positives and provides the scan report and the remediation steps that need to be taken.
Acunetix: Acunetix performs test cases related to OWASP Top 10, exposed databases, SQL injection, out-of-band vulnerabilities, XSS, security misconfiguration, etc. It crawls through every link on the application while detecting vulnerabilities. This tool can scan multi-level forms, HTML pages, SPA, etc., and it also supports trend graphs and WAF virtual patching.
AppScan: This tool comes in four different versions: standard, source, enterprise, and cloud, each used for different vulnerabilities. The standard version is used for dynamic application scanning. The scan results by standard version are available in a report format with a priority-wise list of vulnerabilities found, starting from the most critical one. Fix recommendations are also included in the report, which can help developers mitigate the vulnerabilities faster.
Checkmarx: Checkmarx covers multiple kinds of testing, such as open-source dependency analysis, dynamic and static testing, interactive testing, API testing, infrastructure as code, etc. Its IAST solution is considered a modern version of DAST scanning, as it can be used directly in the application's quality assurance phase and removes most of the delays that occur in DAST scanning.
Rapid7: It provides a single platform for cloud security, SIEM, Application Security, vulnerability risk management, etc. Its product AppSec is a DAST scanning tool that can automatically assess modern web apps and APIs with low false positives. The scan report also includes the compliance part, and the DAST scan can be scaled for large application sizes.
Conclusion
DAST scans are essential in the ever-changing landscape of cyber attacks. Running DAST scans from the beginning of a project helps secure the application at an early stage. A combination of automated and manual DAST scans provides overall security for the application. Multiple DAST tools are available on the market. As no single tool can detect all the vulnerabilities in an application, DAST scans should be done with multiple commercial and open-source DAST tools for better security.