ASP.NET Security Consultant

I'm an author, speaker, and generally a the-way-we've-always-done-it-sucks security guy who specializes in web technologies and ASP.NET.

I'm a bit of a health nut too, having lost 50 pounds in 2019 and 2020. Check out my blog for weight loss tips!

Search blogs:
All | Tech | Health

What is DAST/Active Scanning?

Published on: 2019-10-15

Image by OpenClipart-Vectors from Pixabay

If you're new to security scans, you may be unsure about what a Dynamic Application Security Test tool (also known as "active" or "black-box" scanning) does or how it works. If this is you, read on!

How DAST scanners work

DAST scanners, regardless of whether they're based in the cloud or are installed in your environment, generally follow the same process:

  1. Try to log into your website using credentials you provided (if you provided any)
  2. Crawl your website, following links, submitting forms, etc., in an attempt to find all pages
  3. Analyze results for obvious vulnerabilities like missing headers or missing CSRF tokens (aka passive scanning)
  4. Submit semi-malicious input in an attempt to exploit vulnerabilities, such as submitting <script>alert(1)</script> to look for XSS (Cross-Site Scripting) attacks or ' OR 1=1 --  for SQL Injection attacks
  5. Analyze the results and return them to you in some format

What you should expect scanners to find

Most scanners publish the list of modules that they include in their scans (and many allow you to include or exclude modules in their configuration) so you can see what they say they look for. Unfortunately, my experience is that just because a scanner says that it looks for something doesn't mean it's effective at doing so. Some scanners check for the most straightforward cases of a particular vulnerability if it bothers looking for it at all. Most DAST scanners are good at finding some things, though. Here's a list of some vulnerabilities that are likely to be found by most DAST scanners I've used:

  • Straightforward XSS or SQL Injection attacks
  • Missing security-related headers
  • Simple and obvious backdoors (such as using admin/password as credentials for your administrator account)
  • Operating system and file path vulnerabilities
  • Unprotected redirection to other sites
  • Exposed backup files or passwords
  • Missing or misconfigured SSL certificates

Most scanners will also report items that should be looked at as "findings" despite the fact that no verifiable security issue exist. Common ones include:

  • Presence of file upload functionality
  • Presence of potential privacy issues, such as exposed email addresses
  • Importing third-party script or CSS files

Better scanners will find a wider range of issues and are better at finding issues while reducing false positives, but still generally follow this pattern.

What you should expect the scanners to miss

Scanners that are built to scan a wide variety of websites in several different languages are not going to be able to find problems with your application-specific logic. If your file upload functionality has a particular issue related to the processing of its contents, it's unlikely that your scanner will find the issue. The same thing can be said for protecting assets that are accessible to a subset of users or rare functionality, such as an image generator.

Finally, it's worth pointing out that since these scanners don't have access to your source code, it is impossible for them to find security issues that cannot be found from the website alone. Just a few of these vulnerabilities include:

  • Cryptography issues such as poorly-implemented algorithms, use of insecure algorithms, or insecure storage of cryptographic keys
  • Inadequate logging and monitoring
  • Use of code components with known vulnerabilities

To find these issues, you need a Static Application Security Test (SAST) scan, a Software Component Analysis (SCA) scan, and a manual penetration test.

Differences between scanners

While most scanners tend to look for the same types of things, there are several differences between scanners that are worth noting:

  • Support for JavaScript frameworks can vary widely from scanner to scanner. If you have a SPA (Single-Page Application) website, you may have difficulties getting a decent scan from some scanners.
  • Authentication support can vary from scanner to scanner. Some scanners only support username and password for authentication, some scanners are highly configurable, and some scanners say that they're highly configurable but most methods don't work. Look for scanners that allow you to script logins.
  • Some scanners explicitly try to minimize false positives with the goal of making sure you're not wasting your time on mistakes by the scanner. But in my experience, scanners that minimize false positives have an unacceptably high number of false negatives. Most scanners have some flexibility here — allowing you to do a fast scan when needed, but also allowing a detailed scan when you have time.
  • Generally, free scanners can find vulnerabilities but are not great at reporting and managing findings. If you’re looking for a way to manage your findings, you need to either purchase an expensive scanner or build something yourself.

Is there any risk in running these scanners against a website?

It is worth noting that while there is minimal risk in running these scanners, there is more than no risk. Please read our article on Getting started with DAST/Active scanning to learn how to mitigate these risks.

Further reading

Getting started with DAST/Active scanning

Why you should use multiple scanners

Why running automated scans isn't enough