DAST Scanning
DAST (Dynamic Application Security Testing) performs black-box security testing against live web applications and APIs. Unlike SAST which analyzes source code, DAST tests running applications by sending crafted requests and analyzing responses.
DAST Overview
Navigate to DAST in the sidebar to see the overview page with:
- Total DAST scans performed
- Total DAST findings discovered
- Number of active targets
- Recent scan run history with status, phase, and finding counts
Managing Targets
Navigate to DAST > Targets to configure applications to test.
Adding a Target
- Enter a target name (descriptive label)
- Enter the base URL (e.g.
https://staging.example.com) - Click Add Target
Target Configuration
Each target supports these settings:
| Setting | Description | Default |
|---|---|---|
| Target Type | WebApp, REST API, or GraphQL | WebApp |
| Max Crawl Depth | How many link levels to follow | 5 |
| Rate Limit | Maximum requests per second | 10 |
| Destructive Tests | Allow DELETE/PUT requests | No |
| Excluded Paths | URL paths to skip during testing | — |
Authentication
DAST supports authenticated scanning with multiple methods:
| Method | Configuration |
|---|---|
| None | No authentication |
| Basic | Username and password (HTTP Basic Auth) |
| Bearer | Bearer token (Authorization header) |
| Cookie | Session cookie value |
| Form | Login URL, username field, password field, and credentials |
WARNING
Authenticated scans access more of the application surface. Only test applications you own or have explicit authorization to test.
Running a DAST Scan
Click the Scan button on any target row. The scan runs through these phases:
- Crawl — Discovers pages, forms, and API endpoints by following links and analyzing JavaScript
- Test — Sends attack payloads to discovered parameters
- Report — Collects results and generates findings
The scan uses a headless Chromium browser (the chromium service in Docker Compose) for JavaScript rendering during crawling.
DAST Scan Agents
The scanner includes specialized testing agents:
API Fuzzer
Tests API endpoints with malformed inputs, boundary values, and injection payloads.
XSS Scanner
Detects Cross-Site Scripting vulnerabilities by injecting script payloads into form fields, URL parameters, and headers.
SSRF Scanner
Tests for Server-Side Request Forgery by injecting internal URLs and cloud metadata endpoints into parameters.
Auth Bypass Scanner
Tests for authentication and authorization bypass by manipulating tokens, sessions, and access control headers.
DAST Findings
Navigate to DAST > Findings to see all discovered vulnerabilities.
Finding List
Each finding shows:
| Column | Description |
|---|---|
| Severity | Critical, High, Medium, or Low |
| Type | Vulnerability category (SQL Injection, XSS, SSRF, etc.) |
| Title | Description of the vulnerability |
| Endpoint | The HTTP path that is vulnerable |
| Method | HTTP method (GET, POST, PUT, DELETE) |
| Exploitable | Whether the vulnerability was confirmed exploitable |
Finding Detail
Click a finding to see full details:
- Vulnerability type and CWE identifier
- Endpoint URL and HTTP method
- Parameter that is vulnerable
- Exploitability — Confirmed or Unconfirmed
- Description — What the vulnerability is and why it matters
- Remediation — How to fix the issue
- Evidence — One or more request/response pairs showing:
- The crafted HTTP request (method, URL, headers)
- The payload that triggered the vulnerability
- The HTTP response status and relevant snippet
TIP
Findings marked as Confirmed exploitable were verified by the scanner with a successful attack. Unconfirmed findings show suspicious behavior that may indicate a vulnerability but could not be fully exploited.