DAST: Tickling Live Apps to See What Squeals
Test running applications by throwing everything but the kitchen sink at them. What breaks first?
DAST: Dynamic Application Security Testing
Dynamic Application Security Testing (DAST) tools test an application while it's running. They interact with the application from the outside, like a black-box tester, sending various inputs and observing the outputs and behavior to identify vulnerabilities.
How it Works:
- Simulates attacks against a running application (e.g., sending malicious payloads in HTTP requests).
- Looks for common web vulnerabilities such as XSS, SQL injection, CSRF, and insecure configurations.
- Doesn't need access to source code.
Pros:
- Finds runtime and environment-specific vulnerabilities.
- Lower false positive rate for certain vulnerability types compared to SAST.
Cons:
- Can't find vulnerabilities in code that isn't executed during the test.
- Testing can be slower as it requires a running application.
- May not pinpoint the exact line of vulnerable code.
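The "How it Works" steps and the first con above can both be shown with a small black-box probe. The following is an added example written for this page, not a tool the page describes: it starts a constructed target app in-process (one endpoint reflects a query parameter raw, one HTML-escapes it, and one raw-reflecting endpoint is never visited), then tests each visited endpoint from the outside by sending a harmless canary string and checking whether it comes back unencoded. The endpoint names, the canary value, and the `probe_reflection`/`scan` helpers are assumptions made for the example.

```python
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Harmless marker containing the characters an HTML-escaping output encoder
# must transform. It is a detection canary, not a working script payload.
CANARY = 'dastcanary<"\'>'


class TargetHandler(BaseHTTPRequestHandler):
    """Constructed target app: /echo reflects input raw, /safe escapes it,
    /hidden reflects raw but is not in the scanner's visited list."""

    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        value = urllib.parse.parse_qs(parsed.query).get("q", [""])[0]
        if parsed.path in ("/echo", "/hidden"):
            body = f"<p>You searched for: {value}</p>"  # unescaped reflection
        elif parsed.path == "/safe":
            body = f"<p>You searched for: {html.escape(value, quote=True)}</p>"
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the server quiet
        pass


def start_target():
    """Bind the constructed app to a free localhost port on a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe_reflection(base_url, path, param="q"):
    """Black-box check: send the canary and inspect the response body only.
    No source code is consulted, which is what makes this a DAST-style test."""
    url = f"{base_url}{path}?{urllib.parse.urlencode({param: CANARY})}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        body = resp.read().decode("utf-8", "replace")
    return {
        "url": url,
        "reflected_raw": CANARY in body,                             # finding
        "reflected_escaped": html.escape(CANARY, quote=True) in body,  # safe
    }


def scan(base_url, paths):
    """Probe exactly the paths given; anything not requested is never tested."""
    return {p: probe_reflection(base_url, p) for p in paths}


if __name__ == "__main__":
    server, base = start_target()
    try:
        for path, result in scan(base, ["/echo", "/safe"]).items():
            verdict = "FINDING: unescaped reflection" if result["reflected_raw"] else "ok"
            print(path, verdict)
    finally:
        server.shutdown()
```

The verdicts come purely from observed responses, and the result also illustrates the first con: `/hidden` has the same flaw as `/echo`, but because the scan never requested it, the flaw is not found, and even for `/echo` the finding points at a URL and parameter rather than a line of code.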