sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity
Files
3ec1456b0d6435d0747114644d6943796229e313
compliance-scanner-agent/docs/features/dast.md
Sharang Parnerkar 3ec1456b0d
All checks were successful
CI / Clippy (push) Successful in 4m56s
Details
CI / Security Audit (push) Successful in 1m48s
Details
CI / Tests (push) Successful in 5m36s
Details
CI / Deploy MCP (push) Has been skipped
Details
CI / Format (push) Successful in 6s
Details
CI / Detect Changes (push) Successful in 4s
Details
CI / Deploy Agent (push) Successful in 2s
Details
CI / Deploy Dashboard (push) Successful in 2s
Details
CI / Deploy Docs (push) Successful in 3s
Details
docs: rewrite user-facing documentation with screenshots (#11)
2026-03-11 15:26:00 +00:00

3.0 KiB
Raw Blame History

DAST Scanning

DAST (Dynamic Application Security Testing) performs black-box security testing against live web applications and APIs. Unlike SAST which analyzes source code, DAST tests running applications by sending crafted requests and analyzing responses for vulnerabilities.

DAST Overview

Navigate to DAST in the sidebar to see the overview page.

DAST overview with scan runs and finding counts

The overview shows:

  • Total DAST scans performed
  • Total DAST findings discovered
  • Number of active targets
  • Recent scan run history with status, phase, and finding counts

Managing Targets

Navigate to DAST > Targets to configure applications to test.

Adding a Target

  1. Enter a target name (descriptive label)
  2. Enter the base URL (e.g. https://staging.example.com)
  3. Click Add Target

Target Settings

Each target supports these settings:

Setting Description
Target Type WebApp, REST API, or GraphQL
Max Crawl Depth How many link levels to follow
Rate Limit Maximum requests per second
Destructive Tests Allow DELETE/PUT requests
Excluded Paths URL paths to skip during testing

Authentication

DAST supports authenticated scanning so it can test pages behind login:

Method Description
None No authentication
Basic HTTP Basic Auth with username and password
Bearer Bearer token in the Authorization header
Cookie Session cookie value
Form Login form with URL, field names, and credentials

::: warning Authenticated scans access more of the application surface. Only test applications you own or have explicit authorization to test. :::

Running a DAST Scan

Click the Scan button on any target row. The scan progresses through:

  1. Crawl -- discovers pages, forms, and API endpoints by following links and analyzing JavaScript
  2. Test -- sends attack payloads to discovered parameters
  3. Report -- collects results and generates findings

Viewing DAST Findings

Navigate to DAST > Findings to see all discovered vulnerabilities. Each finding shows:

Column Description
Severity Critical, High, Medium, or Low
Type Vulnerability category (SQL Injection, XSS, SSRF, etc.)
Title Description of the vulnerability
Endpoint The HTTP path that is vulnerable
Method HTTP method (GET, POST, PUT, DELETE)
Exploitable Whether the vulnerability was confirmed exploitable

Click a finding to see full details including the CWE identifier, vulnerable parameter, remediation guidance, and evidence showing the exact request/response pairs that triggered the finding.

::: tip Findings marked as Confirmed exploitable were verified with a successful attack payload. Unconfirmed findings show suspicious behavior that may indicate a vulnerability but could not be fully exploited. :::

Reference in New Issue View Git Blame Copy Permalink