Ibrahim Sertkaya
Cyber Security Consultant


Benefits of Dynamic Application Security Testing

13 July 2023 General

Nowadays, organizations are more worried about the financial and business consequences of having their data stolen. They understand the importance of finding weaknesses in their applications and reducing the associated risks. That's why they are including application security testing, which involves static (SAST) and dynamic (DAST) testing, in their software development processes.

DAST tools, also called Web Application Vulnerability Scanners, can identify vulnerabilities in a running application by injecting harmful data to uncover flaws that could be exploited by attacks like cross-site scripting, SQL injection, command injection and path traversal, as well as insecure server configuration. DAST tools can even discover runtime flaws that SAST tools might miss.

So how exactly do DAST tools work and what problems do they address? Well, DAST tools examine the entry points of a web application while it communicates through the user interface. They automatically review the application and also simulate actions and behaviors of malicious users.

These tools intercept, collect, examine, and scrutinize various types of calls such as web cryptography API, keychain, network, filesystem, SQL, content providers, broadcast receivers, URI handlers, and more. They check these calls for vulnerabilities to ensure that each component is functioning as expected and not deviating from the desired behavior.

Some DAST solutions not only focus on the exposed HTTP and HTML interfaces but also test for remote procedure calls and Session Initiation Protocol (SIP), among other things.

DAST tools are particularly useful for detecting:

  • Cross-site scripting and SQL injections
  • Server configuration errors
  • Authentication issues

DAST offers several advantages:

  • Scans can be performed on the client-side and server-side without requiring access to the source code or knowledge of the application framework.
  • Once configured, they require minimal user interaction and can be scheduled as nightly scans.
  • DAST tools generate fewer false positive results compared to SAST tools. If a malicious SQL query can be executed, it indicates a genuine SQL injection vulnerability.
  • These scanners can understand arguments and function calls, enabling them to identify vulnerabilities in query strings, headers, fragments, HTTP verbs (GET/POST/PUT), and DOM injections.
  • DAST tools can uncover potential configuration issues and vulnerabilities related to third-party components that may go unnoticed if only the application code is analyzed (using SAST).
  • They are compatible with various technologies and programming languages.
  • DAST tools can be integrated with popular software development lifecycle (SDLC) tools such as issue trackers and continuous integration (CI) pipelines.

However, there are also some disadvantages to consider:

  • DAST tools may generate false positive results because they attempt to simulate hacker behavior but have limited understanding of certain dynamic aspects of JavaScript. Consequently, they can struggle to differentiate between a real exploitable vulnerability and one that poses no actual threat.
  • The "stress tests" conducted by DAST tools often report more issues than the application truly has. Security owners must filter and prioritize the results of a DAST test to focus on genuine vulnerabilities and disregard false positives.
  • These tools lack visibility into the internal workings of the application and can only provide an external view of security. Moreover, since DAST tools are typically used towards the end of the software development cycle, vulnerabilities may only be discovered after the development process is complete.
  • DAST tools require full compilation after every code change, making it challenging to integrate them seamlessly into agile methodologies and potentially causing scalability issues.

To perform DAST, there are several tools available, and OWASP provides a list of the main Vulnerability Scanners along with the platforms they are compatible with.

To overcome the limitations of DAST, it is recommended to integrate both SAST and DAST approaches. By implementing a comprehensive testing strategy that combines automated tools like SAST and DAST with manual reviews and testing, organizations can enhance their ability to identify and address different security issues before releasing the web application or expanding its user base.