Security

DAST

Dynamic Application Security Testing — testing a running application by sending simulated attacks to find vulnerabilities that only manifest during execution.

What Is DAST?

Dynamic Application Security Testing (DAST) is a security testing methodology that analyzes a running application from the outside by sending crafted HTTP requests and examining the responses for signs of vulnerabilities. Unlike SAST, which reads source code, DAST treats the application as a black box — it has no knowledge of the internal code, architecture, or technology stack. Instead, it behaves like an attacker, probing endpoints, submitting malicious payloads, and observing how the application responds.

DAST tools crawl the application’s attack surface automatically, discovering pages, forms, API endpoints, and parameters. They then systematically test each input point with payloads designed to trigger common vulnerabilities: SQL injection, cross-site scripting, command injection, path traversal, authentication bypasses, and more. When the application responds in a way that indicates a vulnerability — reflecting a script payload back in the HTML, returning database errors from a SQL injection attempt, or disclosing sensitive information in error messages — the DAST tool flags the finding.

Because DAST tests the application in its deployed state, it catches issues that static analysis fundamentally cannot detect: misconfigured servers, exposed administrative interfaces, missing security headers, improper TLS settings, and runtime-specific authentication flaws. This makes DAST an essential complement to SAST in any comprehensive application security program.

How It Works

A DAST scan typically follows a three-phase process: crawling, attacking, and reporting. The crawler navigates the application like a user would — following links, submitting forms, clicking buttons — to build a map of all accessible endpoints and parameters. The attack engine then replays requests to each discovered input with modified payloads.

For example, a DAST tool testing for reflected XSS might submit a form with a script tag in the name field:

POST /search HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

query=<script>alert('xss')</script>

If the response contains the unescaped script tag, the tool flags a reflected XSS vulnerability:

<!-- Vulnerable response: input reflected without encoding -->
<p>No results found for <script>alert('xss')</script></p>

A secure application would encode the output:

<!-- Fixed response: HTML-encoded output -->
<p>No results found for &lt;script&gt;alert('xss')&lt;/script&gt;</p>

DAST integrates into CI/CD pipelines by scanning deployed staging environments. Here is an example using OWASP ZAP in a GitHub Actions workflow:

name: DAST Scan
on:
  workflow_run:
    workflows: ["Deploy to Staging"]
    types: [completed]

jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.10.0
        with:
          target: "https://staging.example.com"
          rules_file_name: "zap-rules.tsv"
          cmd_options: "-a"

This configuration triggers a ZAP baseline scan automatically after each staging deployment, catching vulnerabilities before they reach production.

Why It Matters

DAST provides a realistic assessment of your application’s security posture because it tests the application exactly as an attacker would encounter it. While SAST can identify insecure code patterns, it cannot verify whether those patterns are actually exploitable in the deployed environment. DAST closes that gap by confirming whether vulnerabilities are reachable and exploitable through the application’s external interfaces.

DAST is also technology-agnostic. Because it operates over HTTP, it can test applications built in any language or framework — Java, Python, .NET, Node.js, or even legacy systems where source code may not be available. This makes it particularly valuable for organizations that acquire third-party applications or maintain legacy systems where SAST is impractical.

Many compliance standards and regulations require dynamic testing as part of the security assessment process. PCI DSS, for example, mandates regular vulnerability scanning of web-facing applications. DAST tools provide the automated, repeatable scanning that satisfies these requirements while producing the reports auditors expect.

DAST is especially effective at finding configuration-level vulnerabilities that exist entirely outside application code: missing Content-Security-Policy headers, permissive CORS settings, insecure cookie attributes, exposed server version strings, and directory listing enabled on web servers.

Best Practices

  • Scan staging environments that mirror production. DAST results are only meaningful if the test environment reflects the real deployment. Differences in configuration, data, or network topology between staging and production can cause both false positives and missed vulnerabilities.
  • Authenticate the scanner. An unauthenticated DAST scan only tests the login page and public endpoints. Configure the scanner with valid credentials so it can test the authenticated portions of the application where most business logic and sensitive data reside.
  • Combine DAST with SAST for full coverage. SAST catches code-level issues early; DAST catches runtime and configuration issues late. Together, they cover vulnerability classes that neither can find alone.
  • Schedule regular scans, not just per-release scans. Infrastructure changes, certificate expirations, and configuration drift can introduce vulnerabilities between releases. Weekly or nightly scans catch these issues promptly.
  • Tune scan policies to avoid disruption. DAST tools can generate significant traffic and may trigger rate limiters, WAFs, or even corrupt test data. Configure scan intensity and exclusion rules to avoid disrupting shared test environments.

Common Mistakes

  • Running DAST only against unauthenticated surfaces. Without authenticated scanning, DAST misses the majority of the application’s attack surface — user dashboards, admin panels, API endpoints behind authentication — where the most critical vulnerabilities tend to live.
  • Treating DAST as a replacement for SAST. DAST cannot see dead code, unreachable branches, or backend logic that does not manifest in HTTP responses. It complements SAST; it does not replace it.
  • Ignoring findings because they come from staging. A vulnerability in staging is a vulnerability in production unless the environments are fundamentally different. Treat staging DAST findings with the same urgency as production findings.
  • Scanning production without coordination. Running aggressive DAST scans against production can cause outages, trigger alerts, and corrupt data. Always coordinate with operations teams and use safe scan profiles when testing production systems.

Related Terms

SAST IAST RASP OWASP Top 10

Learn More

Tool Reviews

Related Articles

Free Newsletter

Stay ahead with AI dev tools

Weekly insights on AI code review, static analysis, and developer productivity. No spam, unsubscribe anytime.

Join developers getting weekly AI tool insights.