availability

This integration is configured through the Invicti ASPM product.

DAST overview

What is DAST?

Dynamic Application Security Testing (DAST) identifies security vulnerabilities in running web applications, web services, and APIs. It operates as a black-box scanner, testing applications from the outside without requiring access to source code, making it technology-agnostic regardless of the programming language, framework, or platform used.

note

Invicti AppSec Core includes a preconfigured Invicti SCA scanner that is automatically activated with your package. The integrations on this page are for teams using Invicti ASPM who want to connect their own SCA tools instead. See AppSec Core scanners overview for details on the built-in scanner.

How it works

DAST scanners typically operate in four stages:

1. Crawling: The scanner maps the attack surface of the target application by behaving like a real user — visiting links, clicking buttons, submitting forms, and parsing API definitions (WSDL, WADL, OpenAPI/Swagger) to build a list of all potential attack vectors.

2. Attacking: The scanner sends attack payloads to each discovered input point and analyzes responses for vulnerability patterns. This involves detection, confirmation, and — in more advanced tools — proof generation that safely exploits confirmed vulnerabilities in a read-only manner.

3. Recrawling: The scanner revisits the application after the attacking stage, as new pages or states may have been uncovered during testing. This step is critical for detecting stored XSS and second-order vulnerabilities.

4. Late confirmation: Handles time-sensitive vulnerabilities such as Blind SQL Injection (which requires delayed responses) and out-of-band vulnerabilities.

What it can discover

DAST detects vulnerabilities across the following categories:

| Category | Examples |
| --- | --- |
| Injection | SQL Injection, NoSQL Injection, Command Injection, LDAP Injection, XXE Injection, Server-Side Template Injection |
| Cross-Site Scripting (XSS) | Reflected XSS, Stored XSS, DOM-based XSS |
| Remote code execution | RCE, Local File Inclusion, Remote File Inclusion, Directory Traversal |
| Server-Side Request Forgery | SSRF |
| Authentication and session | Authentication flaws, Session fixation, Cookieless session state |
| Security misconfigurations | Debug modes enabled, Mixed content over HTTPS, Unsafe CSP directives, Version disclosure |
| Known vulnerabilities | Outdated libraries, Log4Shell, and other CVEs in third-party components |

DAST integrations support reporting against OWASP Top Ten 2021 and OWASP API Security Top Ten 2023.
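To make the "Security misconfigurations" row concrete, the following added example (written for this page, not Invicti's code or any scanner listed here) shows the kind of passive response checks a DAST scanner runs during crawling: it inspects a constructed HTTPS response for mixed content, unsafe CSP directives, and version disclosure headers. The response object, header names and sample values are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal stand-in for an HTTP response captured while crawling (constructed, not a real client)."""
    url: str
    headers: dict
    body: str


# Source tokens that make a CSP ineffective against XSS when they appear in default-src/script-src.
UNSAFE_CSP_TOKENS = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:")
# Response headers that commonly leak product versions.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def check_misconfigurations(resp: Response) -> list:
    """Return (finding, detail) tuples for the three passive checks named on the page."""
    findings = []
    headers = {k.lower(): v for k, v in resp.headers.items()}

    # Mixed content: an HTTPS page loading active or embedded resources over plain HTTP.
    if resp.url.lower().startswith("https://"):
        pattern = r'<(?:script|link|iframe|img)[^>]+(?:src|href)="(http://[^"]+)"'
        for match in re.finditer(pattern, resp.body, re.I):
            findings.append(("mixed-content", match.group(1)))

    # Unsafe CSP: only the directives that govern script execution are examined.
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] in ("default-src", "script-src"):
            for token in parts[1:]:
                if token in UNSAFE_CSP_TOKENS:
                    findings.append(("unsafe-csp", f"{parts[0]} {token}"))

    # Version disclosure: a dotted version number inside a server-identifying header.
    for name in VERSION_HEADERS:
        value = headers.get(name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(("version-disclosure", f"{name}: {value}"))
    return findings


# Constructed sample response that exhibits all three issues.
SAMPLE = Response(
    url="https://app.example.test/login",
    headers={
        "Server": "Apache/2.4.41",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    },
    body='<html><script src="http://cdn.example.test/app.js"></script></html>',
)
```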

Supported DAST and API scanners

The following DAST and API integrations are available through Invicti ASPM:

| Scanner | Type | Authentication |
| --- | --- | --- |
| Invicti Enterprise | Connection | API token |
| Invicti Platform | Connection | API token |
| Burp Suite | Connection | API token |
| Burp Suite Enterprise | Connection | API token |
| Acunetix 360 | Connection | API token |
| Acunetix Premium | Connection | API token |
| HCL AppScan Enterprise | Connection | Basic auth |
| HCL AppScan Standard | Connection | Basic auth |
| Fortify WebInspect | Connection | Basic auth |
| Fortify on Demand DAST | Connection | Basic auth |
| Qualys WAS | Connection | API token |
| Rapid7 InsightAppSec | Connection | API token |
| Tenable.io WAS | Connection | API token |
| Veracode DAST | Connection | API ID + key |
| AppSpider Pro | Connection | Basic auth |
| Salt Security | Connection | API token |
| Akto | Connection | API token |
| Nuclei | Docker | |
| OWASP ZAP | Docker | |
| OWASP ZAP Headless | Docker | |

Choosing a DAST scanner

| If you need… | Consider |
| --- | --- |
| Enterprise-grade DAST with proof-based scanning | Invicti Enterprise, Invicti Platform |
| Manual + automated hybrid testing | Burp Suite, Burp Suite Enterprise |
| SaaS-only, no infrastructure | Acunetix 360, Fortify on Demand, Rapid7 InsightAppSec, Veracode DAST |
| Open-source / no license cost | OWASP ZAP, Nuclei |
| API-first testing | Akto, Salt Security |
| VM-based enterprise deployments | HCL AppScan Enterprise, HCL AppScan Standard, Fortify WebInspect |

Need help?

The Invicti Support team is ready to provide you with technical help. Go to the Help Center.
