docs: added vite-press docs (#4)
Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #4
This commit was merged in pull request #4.
This commit is contained in:
112
docs/features/dast.md
Normal file
112
docs/features/dast.md
Normal file
@@ -0,0 +1,112 @@
|
||||
# DAST Scanning
|
||||
|
||||
DAST (Dynamic Application Security Testing) performs black-box security testing against live web applications and APIs. Unlike SAST which analyzes source code, DAST tests running applications by sending crafted requests and analyzing responses.
|
||||
|
||||
## DAST Overview
|
||||
|
||||
Navigate to **DAST** in the sidebar to see the overview page with:
|
||||
|
||||
- Total DAST scans performed
|
||||
- Total DAST findings discovered
|
||||
- Number of active targets
|
||||
- Recent scan run history with status, phase, and finding counts
|
||||
|
||||
## Managing Targets
|
||||
|
||||
Navigate to **DAST > Targets** to configure applications to test.
|
||||
|
||||
### Adding a Target
|
||||
|
||||
1. Enter a **target name** (descriptive label)
|
||||
2. Enter the **base URL** (e.g. `https://staging.example.com`)
|
||||
3. Click **Add Target**
|
||||
|
||||
### Target Configuration
|
||||
|
||||
Each target supports these settings:
|
||||
|
||||
| Setting | Description | Default |
|
||||
|---------|-------------|---------|
|
||||
| **Target Type** | WebApp, REST API, or GraphQL | WebApp |
|
||||
| **Max Crawl Depth** | How many link levels to follow | 5 |
|
||||
| **Rate Limit** | Maximum requests per second | 10 |
|
||||
| **Destructive Tests** | Allow DELETE/PUT requests | No |
|
||||
| **Excluded Paths** | URL paths to skip during testing | — |
|
||||
|
||||
### Authentication
|
||||
|
||||
DAST supports authenticated scanning with multiple methods:
|
||||
|
||||
| Method | Configuration |
|
||||
|--------|--------------|
|
||||
| **None** | No authentication |
|
||||
| **Basic** | Username and password (HTTP Basic Auth) |
|
||||
| **Bearer** | Bearer token (Authorization header) |
|
||||
| **Cookie** | Session cookie value |
|
||||
| **Form** | Login URL, username field, password field, and credentials |
|
||||
|
||||
::: warning
|
||||
Authenticated scans access more of the application surface. Only test applications you own or have explicit authorization to test.
|
||||
:::
|
||||
|
||||
## Running a DAST Scan
|
||||
|
||||
Click the **Scan** button on any target row. The scan runs through these phases:
|
||||
|
||||
1. **Crawl** — Discovers pages, forms, and API endpoints by following links and analyzing JavaScript
|
||||
2. **Test** — Sends attack payloads to discovered parameters
|
||||
3. **Report** — Collects results and generates findings
|
||||
|
||||
The scan uses a headless Chromium browser (the `chromium` service in Docker Compose) for JavaScript rendering during crawling.
|
||||
|
||||
## DAST Scan Agents
|
||||
|
||||
The scanner includes specialized testing agents:
|
||||
|
||||
### API Fuzzer
|
||||
Tests API endpoints with malformed inputs, boundary values, and injection payloads.
|
||||
|
||||
### XSS Scanner
|
||||
Detects Cross-Site Scripting vulnerabilities by injecting script payloads into form fields, URL parameters, and headers.
|
||||
|
||||
### SSRF Scanner
|
||||
Tests for Server-Side Request Forgery by injecting internal URLs and cloud metadata endpoints into parameters.
|
||||
|
||||
### Auth Bypass Scanner
|
||||
Tests for authentication and authorization bypass by manipulating tokens, sessions, and access control headers.
|
||||
|
||||
## DAST Findings
|
||||
|
||||
Navigate to **DAST > Findings** to see all discovered vulnerabilities.
|
||||
|
||||
### Finding List
|
||||
|
||||
Each finding shows:
|
||||
|
||||
| Column | Description |
|
||||
|--------|-------------|
|
||||
| Severity | Critical, High, Medium, or Low |
|
||||
| Type | Vulnerability category (SQL Injection, XSS, SSRF, etc.) |
|
||||
| Title | Description of the vulnerability |
|
||||
| Endpoint | The HTTP path that is vulnerable |
|
||||
| Method | HTTP method (GET, POST, PUT, DELETE) |
|
||||
| Exploitable | Whether the vulnerability was confirmed exploitable |
|
||||
|
||||
### Finding Detail
|
||||
|
||||
Click a finding to see full details:
|
||||
|
||||
- **Vulnerability type** and CWE identifier
|
||||
- **Endpoint URL** and HTTP method
|
||||
- **Parameter** that is vulnerable
|
||||
- **Exploitability** — Confirmed or Unconfirmed
|
||||
- **Description** — What the vulnerability is and why it matters
|
||||
- **Remediation** — How to fix the issue
|
||||
- **Evidence** — One or more request/response pairs showing:
|
||||
- The crafted HTTP request (method, URL, headers)
|
||||
- The payload that triggered the vulnerability
|
||||
- The HTTP response status and relevant snippet
|
||||
|
||||
::: tip
|
||||
Findings marked as **Confirmed** exploitable were verified by the scanner with a successful attack. **Unconfirmed** findings show suspicious behavior that may indicate a vulnerability but could not be fully exploited.
|
||||
:::
|
||||
Reference in New Issue
Block a user