Understanding Dynamic (DAST) Scanning

An ASoC Dynamic (DAST) scan consists of two stages: Explore and Test. It is useful to understand the principle behind this, even though most of the scan process is seamless to the user and no input is required until the scan is complete. The Explore stage can be run automatically as part of the automatic scan, manually by the user, or as a combination of both.

Explore stage

During the first stage, and starting from the URL you configure, AppScan crawls your application by simulating a web user clicking on links and completing form fields and builds up an understanding of the application's structure.

AppScan analyzes the responses to each Explore request, looking for any indication of a potential vulnerability. When AppScan receives a response that may indicate a security vulnerability, it creates one or more tests based on the response, as well as noting the validation rules needed to determine which results constitute vulnerability, and the level of security risk involved.

Before sending the site-specific tests that were created, AppScan sends several malformed requests to the application to determine the manner in which it generates error responses. This information is then used to increase the precision of AppScan's automatic test validation process.

In a typical scan, the Explore stage that discovers the application runs automatically. However, you can configure ASoC to explore specific parts of the site, or to send requests in a specific order, using the "Explore with guidance" feature (see Explore with guidance).

Test stage

During the second stage, AppScan sends the thousands of custom test requests it created during the Explore stage. It records and analyzes the application's response to each test using the custom validation rules. These rules both identify security problems within the application and rank their level of security risk.

Scan phases

In practice, the Test stage often reveals new links within an application, and with them more potential security risks. Therefore, after completing the first "phase" of Explore and Test, AppScan automatically begins a second "phase" to deal with the new information. If new links are discovered during the second phase, a third phase is run, and so on.

The discovery of new links in the Test stage causes the number of expected tests shown during runtime to change.

After completing the configured number of scan phases, scanning stops and the completed results are available to the user. The default number of phases is four. This cannot be changed in ASoC, but if a different number is configured in an uploaded configuration file (.dast.config), the configured number is used.
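The phase loop described in this section, as an added example that is not part of the original page or of AppScan itself. It simulates Explore and Test over a constructed site map: `CRAWL_LINKS` holds the links Explore finds by following pages, `TEST_REVEALS` holds links that only appear in responses to Test requests, and `TESTS_PER_PAGE` is a stand-in for the many tests a real scanner creates per page. All of these, and the `max_phases` parameter (defaulting to the four phases described above), are assumptions of the illustration; the example also shows what happens when the phase budget runs out before every discovered link has been explored.

```python
# Constructed site map (assumption: not a real application).
CRAWL_LINKS = {
    "/": ["/about", "/login"],
    "/about": ["/team"],
    "/login": [],
    "/team": [],
}
# Links that surface only in responses to Test requests against a page.
TEST_REVEALS = {
    "/login": ["/account"],
    "/account": ["/account/export"],
    "/account/export": ["/account/archive"],
    "/account/archive": ["/account/old-reports"],
}
TESTS_PER_PAGE = 3  # stand-in for the per-page test count of a real scanner


def run_scan(crawl_links, test_reveals, max_phases=4):
    """Run Explore/Test phases until no new links appear or max_phases is hit.

    Returns one record per phase plus totals and the number of discovered
    links left unexplored when the phase budget ran out.
    """
    known = {"/"}
    to_explore = {"/"}
    tests_sent = 0
    pages_tested = 0
    phases = []
    for phase in range(1, max_phases + 1):
        if not to_explore:
            break  # nothing new to look at: the scan is complete
        # Explore: crawl from the frontier, following links not seen before.
        explored = set()
        frontier = set(to_explore)
        while frontier:
            page = frontier.pop()
            explored.add(page)
            for link in crawl_links.get(page, []):
                if link not in known:
                    known.add(link)
                    frontier.add(link)
        # Test: every explored page gets its tests; the responses may expose
        # links Explore never saw, which become the next phase's frontier.
        phase_tests = len(explored) * TESTS_PER_PAGE
        tests_sent += phase_tests
        pages_tested += len(explored)
        new_links = set()
        for page in explored:
            for link in test_reveals.get(page, []):
                if link not in known:
                    known.add(link)
                    new_links.add(link)
        phases.append({
            "phase": phase,
            "pages_explored": len(explored),
            "tests": phase_tests,
            "expected_total_so_far": tests_sent,  # the runtime figure that grows
            "new_links_from_test": len(new_links),
        })
        to_explore = new_links
    return {
        "phases": phases,
        "pages_tested": pages_tested,
        "tests_sent": tests_sent,
        "unexplored": len(to_explore),
    }


if __name__ == "__main__":
    for budget in (4, 6):
        summary = run_scan(CRAWL_LINKS, TEST_REVEALS, max_phases=budget)
        print(f"max_phases={budget}: ran {len(summary['phases'])} phases, "
              f"{summary['tests_sent']} tests, "
              f"{summary['unexplored']} link(s) left unexplored")
        for record in summary["phases"]:
            print("  ", record)
```

With the default of four phases the constructed site leaves one test-revealed link unexplored, because each phase only uncovers the next one; raising the budget lets the scan finish on its own when a phase finds nothing new. The "expected_total_so_far" field is the figure that changes at runtime as the Test stage keeps discovering links.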

Scan flow