docs: rewrite user-facing documentation with screenshots (#11)

docs/features/dast.md

@@ -1,10 +1,14 @@
 # DAST Scanning
 
-DAST (Dynamic Application Security Testing) performs black-box security testing against live web applications and APIs. Unlike SAST which analyzes source code, DAST tests running applications by sending crafted requests and analyzing responses.
+DAST (Dynamic Application Security Testing) performs black-box security testing against live web applications and APIs. Unlike SAST which analyzes source code, DAST tests running applications by sending crafted requests and analyzing responses for vulnerabilities.
 
 ## DAST Overview
 
-Navigate to **DAST** in the sidebar to see the overview page with:
+Navigate to **DAST** in the sidebar to see the overview page.
+
+![DAST overview with scan runs and finding counts](/screenshots/dast-overview.png)
+
+The overview shows:
 
 - Total DAST scans performed
 - Total DAST findings discovered
@@ -21,29 +25,29 @@ Navigate to **DAST > Targets** to configure applications to test.
 2. Enter the **base URL** (e.g. `https://staging.example.com`)
 3. Click **Add Target**
 
-### Target Configuration
+### Target Settings
 
 Each target supports these settings:
 
-| Setting | Description | Default |
-|---------|-------------|---------|
-| **Target Type** | WebApp, REST API, or GraphQL | WebApp |
-| **Max Crawl Depth** | How many link levels to follow | 5 |
-| **Rate Limit** | Maximum requests per second | 10 |
-| **Destructive Tests** | Allow DELETE/PUT requests | No |
-| **Excluded Paths** | URL paths to skip during testing | — |
+| Setting | Description |
+|---------|-------------|
+| **Target Type** | WebApp, REST API, or GraphQL |
+| **Max Crawl Depth** | How many link levels to follow |
+| **Rate Limit** | Maximum requests per second |
+| **Destructive Tests** | Allow DELETE/PUT requests |
+| **Excluded Paths** | URL paths to skip during testing |
 
 ### Authentication
 
-DAST supports authenticated scanning with multiple methods:
+DAST supports authenticated scanning so it can test pages behind login:
 
-| Method | Configuration |
-|--------|--------------|
+| Method | Description |
+|--------|------------|
 | **None** | No authentication |
-| **Basic** | Username and password (HTTP Basic Auth) |
-| **Bearer** | Bearer token (Authorization header) |
+| **Basic** | HTTP Basic Auth with username and password |
+| **Bearer** | Bearer token in the Authorization header |
 | **Cookie** | Session cookie value |
-| **Form** | Login URL, username field, password field, and credentials |
+| **Form** | Login form with URL, field names, and credentials |
 
 ::: warning
 Authenticated scans access more of the application surface. Only test applications you own or have explicit authorization to test.
@@ -51,37 +55,15 @@ Authenticated scans access more of the application surface. Only test applicatio
 
 ## Running a DAST Scan
 
-Click the **Scan** button on any target row. The scan runs through these phases:
+Click the **Scan** button on any target row. The scan progresses through:
 
-1. **Crawl** — Discovers pages, forms, and API endpoints by following links and analyzing JavaScript
-2. **Test** — Sends attack payloads to discovered parameters
-3. **Report** — Collects results and generates findings
+1. **Crawl** -- discovers pages, forms, and API endpoints by following links and analyzing JavaScript
+2. **Test** -- sends attack payloads to discovered parameters
+3. **Report** -- collects results and generates findings
 
-The scan uses a headless Chromium browser (the `chromium` service in Docker Compose) for JavaScript rendering during crawling.
+## Viewing DAST Findings
 
-## DAST Scan Agents
-
-The scanner includes specialized testing agents:
-
-### API Fuzzer
-Tests API endpoints with malformed inputs, boundary values, and injection payloads.
-
-### XSS Scanner
-Detects Cross-Site Scripting vulnerabilities by injecting script payloads into form fields, URL parameters, and headers.
-
-### SSRF Scanner
-Tests for Server-Side Request Forgery by injecting internal URLs and cloud metadata endpoints into parameters.
-
-### Auth Bypass Scanner
-Tests for authentication and authorization bypass by manipulating tokens, sessions, and access control headers.
-
-## DAST Findings
-
-Navigate to **DAST > Findings** to see all discovered vulnerabilities.
-
-### Finding List
-
-Each finding shows:
+Navigate to **DAST > Findings** to see all discovered vulnerabilities. Each finding shows:
 
 | Column | Description |
 |--------|-------------|
@@ -92,21 +74,8 @@ Each finding shows:
 | Method | HTTP method (GET, POST, PUT, DELETE) |
 | Exploitable | Whether the vulnerability was confirmed exploitable |
 
-### Finding Detail
-
-Click a finding to see full details:
-
-- **Vulnerability type** and CWE identifier
-- **Endpoint URL** and HTTP method
-- **Parameter** that is vulnerable
-- **Exploitability** — Confirmed or Unconfirmed
-- **Description** — What the vulnerability is and why it matters
-- **Remediation** — How to fix the issue
-- **Evidence** — One or more request/response pairs showing:
-  - The crafted HTTP request (method, URL, headers)
-  - The payload that triggered the vulnerability
-  - The HTTP response status and relevant snippet
+Click a finding to see full details including the CWE identifier, vulnerable parameter, remediation guidance, and evidence showing the exact request/response pairs that triggered the finding.
 
 ::: tip
-Findings marked as **Confirmed** exploitable were verified by the scanner with a successful attack. **Unconfirmed** findings show suspicious behavior that may indicate a vulnerability but could not be fully exploited.
+Findings marked as **Confirmed** exploitable were verified with a successful attack payload. **Unconfirmed** findings show suspicious behavior that may indicate a vulnerability but could not be fully exploited.
 :::