DAST stands for Dynamic Application Security Testing. It is a “black-box” security testing methodology where an application is tested from the outside-in while it is running.
Unlike tools that look at the source code, DAST interacts with the live web application (or API) just as a hacker would—by sending malicious inputs and seeing how the system responds.
How It Works
- Crawling: The tool “spiders” through the application to find every page, form, and API endpoint.
- Attacking: It automatically injects payloads designed to trigger vulnerabilities like SQL Injection, Cross-Site Scripting (XSS), or Command Injection.
- Analysis: It examines the server’s responses. If a certain input causes an error, a redirect, or an unexpected database leak, the tool flags it as a vulnerability.
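The Analysis step above is the part a practitioner most often has to reason about (why did the scanner flag this?). The following is an added example, not code from the original page or from any scanner named here: a small response analyzer that applies the three signals the text lists (error, redirect, database leak) plus unescaped reflection to constructed sample responses. The probe strings, host name and response bodies are all hypothetical.

```python
import re
from html import escape
from urllib.parse import urlparse

# Generic database error signatures a scanner looks for in response bodies.
DB_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",   # MySQL/MariaDB
    r"ORA-\d{5}",                              # Oracle
    r"unterminated quoted string",             # PostgreSQL
    r"SQLSTATE\[",                             # PDO
]

def analyze_response(probe, status, headers, body, own_host="app.example.test"):
    """Return a list of finding labels for one probe/response pair.

    Mirrors the Analysis step: only the HTTP status, headers and body are
    inspected; the scanner never sees server-side code (black-box)."""
    findings = []
    # 1. 5xx after a probe: the input reached an unhandled code path.
    if status >= 500:
        findings.append("server-error")
    # 2. Database error text leaked into the body: SQL injection candidate.
    if any(re.search(p, body) for p in DB_ERROR_PATTERNS):
        findings.append("db-error-leak")
    # 3. Probe echoed back without HTML escaping: reflected XSS candidate.
    if probe in body and escape(probe) != probe:
        findings.append("unescaped-reflection")
    # 4. Redirect off the host under test: open redirect candidate.
    target = urlparse(headers.get("Location", "")).hostname
    if 300 <= status < 400 and target and target != own_host:
        findings.append("external-redirect")
    return findings

# Constructed sample responses (hypothetical, not captured traffic).
SAMPLES = [
    ("'", 500, {}, "Warning: You have an error in your SQL syntax near '''"),
    ("<b>x</b>", 200, {}, "<p>Results for <b>x</b></p>"),
    ("<b>x</b>", 200, {}, "<p>Results for &lt;b&gt;x&lt;/b&gt;</p>"),
    ("//evil.test", 302, {"Location": "http://evil.test/"}, ""),
]

def scan_samples():
    """Run the analysis over every sample; one findings list per response."""
    return [analyze_response(*s) for s in SAMPLES]

if __name__ == "__main__":
    for (probe, *_), found in zip(SAMPLES, scan_samples()):
        print(f"{probe!r:14} -> {found or 'clean'}")
```

Note that the third sample shows why scanners compare against the escaped form: the same probe echoed back as `&lt;b&gt;` is the server doing its job, not a finding.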
Key Characteristics
- Black-Box Testing: The tool has no knowledge of the underlying code, language, or database. It only sees what is publicly accessible.
- Runtime Discovery: It finds issues that only appear when the app is running, such as authentication flaws, insecure session management, and server misconfigurations.
- Language Agnostic: Because it interacts via HTTP/HTTPS, it doesn’t matter if your app is written in Java, Python, or Go; DAST works the same way.
DAST vs. SAST (Static Analysis)
In your cybersecurity studies, you’ll often see these two compared:
| Feature | DAST (Dynamic) | SAST (Static) |
|---|---|---|
| Viewpoint | Outside-In (Black-box) | Inside-Out (White-box) |
| State | Running application | Source code at rest |
| Timing | Late (Staging/Production) | Early (Development/Commit) |
| Finds | Runtime & Config errors | Logical & Coding errors |
Common DAST Tools
- OWASP ZAP: A free, open-source tool (highly recommended for your Linux pentesting lab).
- Burp Suite Professional: The industry standard for manual and automated web pentesting.
- Acunetix / Invicti: Popular enterprise-grade scanners.