DAST Scanner
Dynamic Application Security Testing (DAST) analyzes web applications from the outside, identifying vulnerabilities by testing running applications.
Overview
DAST (Dynamic Application Security Testing) is a security testing methodology that analyzes web applications from an external perspective, simulating how an attacker would interact with your application. Unlike SAST, which analyzes source code, DAST tests running applications in their deployed state.
RaSEC's DAST Scanner combines traditional security testing with AI-powered analysis to identify vulnerabilities, misconfigurations, and security weaknesses. It performs comprehensive analysis including page structure analysis, form extraction, security headers checking, and AI-powered vulnerability detection.
Key Features: Multi-iteration analysis, AI-powered vulnerability detection, automatic form extraction, security headers analysis, and comprehensive page structure analysis.
Scan Types
Recon Scan
Fast, passive reconnaissance focused on public information gathering and technology fingerprinting.
- Public exploit search and CVE database lookup
- Technology stack identification
- Exposed administrative panels and subdomains
- Search engine indexed sensitive files
- Past security incidents investigation
Use Case: Quick initial assessment, public information gathering, technology identification. Single iteration for speed.
Active Scan
Comprehensive active testing that probes inputs and analyzes application behavior.
- Input parameter testing for injection vulnerabilities
- SQL injection and command injection detection
- Cross-site scripting (XSS) testing
- Business logic vulnerability analysis
- Information disclosure detection
- Access control testing
Use Case: Thorough security assessment, vulnerability exploitation testing, comprehensive security audit. Uses 2-3 iterations for thorough analysis.
Greybox Scan
Combines DAST with SAST by analyzing both server responses and client-side JavaScript code.
- All Active Scan capabilities
- Client-side JavaScript analysis
- DOM XSS source/sink identification
- Hardcoded secrets detection
- API endpoint discovery from JavaScript
- Correlation of dynamic behavior with code weaknesses
Use Case: Most comprehensive analysis, combining external and internal perspectives. Best for thorough security audits. Uses 2-3 iterations.
How It Works
1. Page Fetching and Analysis
The scanner fetches the target URL with SSRF protection, validates the response, and extracts page information including title, status code, content type, and technologies detected.
2. Component Extraction
Automatically extracts forms, links, scripts, and cookies from the HTML. Analyzes form fields for security issues like password fields without HTTPS, file uploads without restrictions, etc.
3. Security Headers Analysis
Checks HTTP security headers including CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and others. Identifies missing or misconfigured headers.
4. AI-Powered Vulnerability Detection
Uses advanced AI models to analyze the page structure, forms, scripts, and headers to identify potential vulnerabilities. For Active and Greybox scans, performs multiple iterations with different analysis focuses to maximize coverage.
5. Risk Scoring
Calculates a security score based on discovered vulnerabilities, with severity weights: Critical (40), High (25), Medium (15), Low (5), Info (0). Maximum risk score is 100.
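The following is an added example, not RaSEC's own code, that models steps 2, 3 and 5 of the pipeline in plain JavaScript so the kind of output the scanner produces can be reproduced on a constructed page. The header rules and thresholds (for example, flagging an HSTS max-age under one year), the regex-based form extraction, the sample HTML and headers, and the derivation of securityScore as 100 minus the capped risk score are all assumptions of this example; only the severity weights and the 100 cap come from the documentation.

```javascript
// Added example (not RaSEC's own code): minimal model of component
// extraction, security-header analysis and risk scoring on a constructed page.

// Severity weights as documented for the scanner's risk scoring.
const SEVERITY_WEIGHTS = { critical: 40, high: 25, medium: 15, low: 5, info: 0 };

// Check a response header map for missing or weak security headers.
// Header names are compared case-insensitively, as HTTP requires.
// The thresholds here are this example's assumptions, not the scanner's rules.
function analyzeHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const issues = [];
  const add = (severity, title) => issues.push({ severity, category: 'headers', title });

  const csp = h['content-security-policy'];
  if (!csp) add('high', 'Missing Content-Security-Policy');
  else if (/unsafe-inline|unsafe-eval/i.test(csp)) add('medium', 'Content-Security-Policy allows unsafe-inline or unsafe-eval');

  const hsts = h['strict-transport-security'];
  if (!hsts) add('medium', 'Missing Strict-Transport-Security');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) add('low', 'Strict-Transport-Security max-age below one year');
  }

  if (!h['x-frame-options'] && !/frame-ancestors/i.test(csp || '')) add('medium', 'Missing X-Frame-Options (and no CSP frame-ancestors)');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') add('low', 'Missing X-Content-Type-Options: nosniff');
  return issues;
}

// Extract <form> elements and their <input> fields with regexes (enough for
// the constructed sample; a real scanner uses an HTML parser) and flag
// password fields submitted without HTTPS and unrestricted file uploads.
function analyzeForms(html, pageUrl) {
  const pageHttps = new URL(pageUrl).protocol === 'https:';
  const forms = [];
  const issues = [];
  const add = (severity, title) => issues.push({ severity, category: 'forms', title });
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let match;
  while ((match = formRe.exec(html)) !== null) {
    const [, attrs, body] = match;
    const action = (/\baction="([^"]*)"/i.exec(attrs) || [])[1] || '';
    const inputs = [...body.matchAll(/<input\b([^>]*)>/gi)].map((m) => m[1]);
    const typeOf = (a) => ((/\btype="([^"]*)"/i.exec(a) || [])[1] || 'text').toLowerCase();
    const withPassword = inputs.some((a) => typeOf(a) === 'password');
    const fileInputs = inputs.filter((a) => typeOf(a) === 'file');
    forms.push({ action, fields: inputs.length, withPassword, withFile: fileInputs.length > 0 });

    // A relative action inherits the page scheme; an absolute one sets its own.
    const submitsOverHttps = /^https:/i.test(action) || (!/^https?:/i.test(action) && pageHttps);
    if (withPassword && !submitsOverHttps) add('high', 'Password field submitted without HTTPS');
    // A file input with no accept attribute places no restriction on what is offered.
    if (fileInputs.some((a) => !/\baccept=/i.test(a))) add('medium', 'File upload without type restrictions');
  }
  return { forms, issues };
}

// Weighted risk score capped at 100, as documented. Deriving securityScore
// as 100 - riskScore is this example's assumption.
function scoreIssues(issues) {
  const summary = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
  for (const issue of issues) summary[issue.severity] += 1;
  const raw = Object.entries(summary).reduce((acc, [sev, n]) => acc + n * SEVERITY_WEIGHTS[sev], 0);
  const riskScore = Math.min(100, raw);
  return { summary, riskScore, securityScore: 100 - riskScore };
}

// Constructed sample: a plain-HTTP login page with a weak CSP and no HSTS.
const SAMPLE_URL = 'http://example.com/login';
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="https://example.com/upload" method="post" enctype="multipart/form-data">
  <input type="file" name="avatar">
</form>`;

function runSample() {
  const headerIssues = analyzeHeaders(SAMPLE_HEADERS);
  const { forms, issues: formIssues } = analyzeForms(SAMPLE_HTML, SAMPLE_URL);
  const issues = [...headerIssues, ...formIssues];
  return { forms, issues, ...scoreIssues(issues) };
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the constructed sample the checker reports one high issue (password over HTTP) and four medium ones, which the documented weights turn into a risk score of 85. The check for `frame-ancestors` matters: a page that sets that CSP directive is protected against framing even without X-Frame-Options, so reporting the header as missing there would be a false positive.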
API Reference
Endpoint
POST /api/tools/dast
Requires authentication and the tools:run permission.
Rate Limiting: DAST scans are rate-limited per organization. Check rate limit headers in responses for current limits.
Request Parameters
url (required)
The target URL to scan. Must be a valid HTTP or HTTPS URL.
"url": "https://example.com"
scanType (optional)
Type of scan to perform. Default: "recon"
- "recon" - Fast reconnaissance
- "active" - Active vulnerability testing
- "greybox" - Combined DAST + SAST
depth (optional)
Scan depth (1-5). Affects number of iterations for Active/Greybox scans. Default: 1
Depth 1-2 runs 2 iterations; depth 3 and above runs 3 iterations for more thorough analysis.
checkHeaders (optional)
Whether to analyze security headers. Default: true
extractForms (optional)
Whether to extract and analyze forms. Default: true
Response Format
Success Response (200 OK)
{
  "success": true,
  "result": {
    "url": "https://example.com",
    "scanType": "active",
    "pageInfo": {
      "title": "Example Domain",
      "status": 200,
      "contentType": "text/html",
      "responseTime": 245,
      "contentLength": 1256,
      "technologies": ["nginx", "react"],
      "cookies": [...]
    },
    "securityScore": 75,
    "riskLevel": "medium",
    "securityIssues": [
      {
        "severity": "high",
        "category": "headers",
        "title": "Missing Content-Security-Policy",
        "description": "...",
        "recommendation": "..."
      }
    ],
    "issuesSummary": {
      "critical": 0,
      "high": 2,
      "medium": 5,
      "low": 3,
      "info": 1
    },
    "pageAnalysis": {
      "forms": {
        "total": 2,
        "withPassword": 1,
        "withFile": 0,
        "details": [...]
      },
      "links": {
        "total": 15,
        "internal": 12,
        "external": 3
      },
      "scripts": {
        "total": 5,
        "inline": 2,
        "external": 3
      }
    },
    "aiAnalysis": {
      "analyzedTarget": "https://example.com",
      "vulnerabilities": [...]
    },
    "recommendations": [...]
  },
  "metadata": {
    "url": "https://example.com",
    "scanType": "active",
    "depth": 1,
    "durationMs": 3450,
    "runId": "uuid",
    "model": "meta-llama/llama-3.3-70b-instruct:free",
    "provider": "openrouter"
  }
}
Error Response (400 Bad Request)
{
  "error": "Validation failed",
  "details": {
    "fieldErrors": {
      "url": ["Invalid URL"]
    }
  }
}
Examples
Basic Recon Scan
curl -X POST https://rasec.app/api/tools/dast \
  -H "<AUTH_HEADER>" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com",
    "scanType": "recon"
  }'
Replace <AUTH_HEADER> with your Authorization header (Bearer scheme required).
Active Scan with Depth
curl -X POST https://rasec.app/api/tools/dast \
  -H "<AUTH_HEADER>" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com",
    "scanType": "active",
    "depth": 3,
    "checkHeaders": true,
    "extractForms": true
  }'
JavaScript Example
// apiToken is your RaSEC API token; the environment variable name here is only an example.
const apiToken = process.env.RASEC_API_TOKEN;
const authHeader = ['Bearer', apiToken].join(' ');
const response = await fetch('https://rasec.app/api/tools/dast', {
  method: 'POST',
  headers: {
    'Authorization': authHeader,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    url: 'https://example.com',
    scanType: 'greybox',
    depth: 2,
  }),
});
// A 400 carries { error, details } instead of a result, so check the status before reading result.
if (!response.ok) {
  throw new Error(`DAST scan failed with HTTP ${response.status}`);
}
const result = await response.json();
console.log('Security Score:', result.result.securityScore);
console.log('Vulnerabilities:', result.result.securityIssues.length);
Best Practices
Start with Recon Scans
Begin with fast Recon scans to identify technology stack and public information. Use Active or Greybox scans for deeper analysis after initial assessment.
Use Appropriate Scan Depth
Depth 1-2 is sufficient for most scans. Use depth 3+ only for comprehensive audits as it increases analysis time significantly.
Respect Rate Limits
Monitor rate limit headers and implement exponential backoff for retries. Consider batching scans for multiple URLs.
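The following is an added example, not RaSEC's own client code, showing the backoff pattern recommended above around a scan request: it builds the request in the same shape as the curl examples, retries with exponential backoff and jitter when the server rate-limits the call, and condenses the result for manual review. The transport is injected so the flow runs offline against a constructed fake. That the API signals rate limiting with HTTP 429 and an optional Retry-After header is an assumption of this example; the documentation only says to check the rate limit headers in responses. The API token and the fake response values are placeholders.

```javascript
// Added example (not RaSEC's own client): scan submission with retry on
// rate limiting, using an injected transport so it runs offline.

const DAST_ENDPOINT = 'https://rasec.app/api/tools/dast';
const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info'];

// Same request shape as the documented curl examples.
function buildScanRequest(apiToken, { url, scanType = 'recon', depth = 1,
                                      checkHeaders = true, extractForms = true }) {
  return {
    method: 'POST',
    headers: { Authorization: `Bearer ${apiToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ url, scanType, depth, checkHeaders, extractForms }),
  };
}

// Delay in ms before retry number `attempt` (0-based): doubles each time, is
// capped, and keeps half the window as jitter so many clients do not retry in step.
function backoffDelay(attempt, baseMs = 500, capMs = 8000, random = Math.random) {
  const span = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(span / 2 + random() * (span / 2));
}

// Assumption: the API answers rate-limited calls with 429 and may send Retry-After (seconds).
async function runScan(apiToken, params, {
  fetchImpl = globalThis.fetch,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  maxAttempts = 4,
} = {}) {
  const request = buildScanRequest(apiToken, params);
  for (let attempt = 0; attempt < maxAttempts; attempt += 1) {
    const response = await fetchImpl(DAST_ENDPOINT, request);
    if (response.status === 429) {
      // Prefer the server's Retry-After when present, otherwise back off exponentially.
      const retryAfter = Number(response.headers.get('retry-after'));
      await sleep(retryAfter > 0 ? retryAfter * 1000 : backoffDelay(attempt));
      continue;
    }
    const body = await response.json();
    if (!response.ok) throw new Error(`DAST request failed (${response.status}): ${JSON.stringify(body)}`);
    return body;
  }
  throw new Error(`Gave up after ${maxAttempts} rate-limited attempts`);
}

// Keep what a reviewer needs for manual validation: score, risk level and the
// issues ordered by severity.
function summarize(body) {
  const r = body.result;
  const ordered = [...r.securityIssues].sort(
    (a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
  return {
    url: r.url,
    securityScore: r.securityScore,
    riskLevel: r.riskLevel,
    issues: ordered.map((i) => `${i.severity}: ${i.title}`),
  };
}

// Constructed fake transport: the first call is rate limited, the second returns
// a body in the documented response shape (the values are made up).
function makeFakeFetch() {
  let calls = 0;
  const fetchImpl = async () => {
    calls += 1;
    if (calls === 1) {
      return { status: 429, ok: false, headers: new Map([['retry-after', '1']]),
               json: async () => ({ error: 'Rate limit exceeded' }) };
    }
    return { status: 200, ok: true, headers: new Map(), json: async () => ({
      success: true,
      result: {
        url: 'https://example.com', securityScore: 75, riskLevel: 'medium',
        securityIssues: [
          { severity: 'medium', category: 'forms', title: 'File upload without restrictions' },
          { severity: 'high', category: 'headers', title: 'Missing Content-Security-Policy' },
        ],
      },
    }) };
  };
  return { fetchImpl, calls: () => calls };
}

// Run the whole flow against the fake transport, recording every sleep.
async function demo() {
  const fake = makeFakeFetch();
  const delays = [];
  const body = await runScan('<API_TOKEN>', { url: 'https://example.com', scanType: 'active', depth: 2 },
    { fetchImpl: fake.fetchImpl, sleep: async (ms) => { delays.push(ms); } });
  return { summary: summarize(body), calls: fake.calls(), delays };
}

demo().then((d) => console.log(JSON.stringify(d, null, 2)));
```

Against a live deployment, call `runScan` with the default transport and drop the `sleep` override; the capped, jittered delay keeps a batch of scans for many URLs from hammering the endpoint the moment a limit window resets.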
Review AI Analysis Carefully
AI-powered analysis provides valuable insights but should be validated manually. Always verify findings before reporting vulnerabilities.
Use Greybox for Comprehensive Testing
Greybox scans provide the most thorough analysis by combining external testing with client-side code analysis. Use for critical applications.
Next Steps
Learn more about complementary security testing tools: