About the DAST Essentials scanners
DAST Essentials can perform scans in two variants:
Quick scan
Runs only non-invasive tests, so it is suitable for "live" production versions of your application. By default, it uses a single-page crawler, which is optimized for single-page applications built with JavaScript frameworks and libraries such as Angular, React, Vue, or jQuery. For applications with multiple server-rendered pages, such as those written in PHP or JSP, you can switch to the multi-page scanner on the Configure target page.
Full scan
Runs all DAST Essentials scanners. Recommended only for test or development systems, because the active scanners can degrade performance or modify live data on production systems. Scan time depends on several factors, such as which scanners you run, network performance, the number of web pages or API endpoints, the amount of content on each page, and the target configuration. To keep your live web application or API running optimally, run full scans against a staging environment.
You can change the selected scanners on the Configure target page. If the URL is protected by HTTP basic authentication (for example, configured through a .htaccess file), enter your username and password in the System Authentication section on the Authentication tab of the Configure target page; without these credentials, the scanner only receives 401 responses and cannot crawl the protected content.
Scanners
- Server Version Fingerprinting
- Web Application Version Fingerprinting
- CVE Comparison of found issues
Transport Layer Security (TLS/SSL)
- Heartbleed
- ROBOT
- BREACH
- BEAST
- Old SSL/TLS Version
- SSL/TLS Cipher Order
- SSL/TLS Perfect Forward Secrecy
- SSL/TLS Session Resumption
- SSL/TLS secure algorithm
- SSL/TLS key size
- SSL/TLS trust chain
- SSL/TLS expiration date
- SSL/TLS revocation (CRL, OCSP)
- SSL/TLS OCSP stapling
- Content-Security-Policy headers
- Boolean-based blind SQL Injection
- Time-based blind SQL Injection
- Error-based SQL Injection
- UNION query-based SQL Injection
- Stacked queries SQL Injection
- Out-of-band SQL Injection
- Command Injection
- File Inclusion
- XML External Entity (XXE) Processing
- Reflected Cross-site scripting (XSS)
- Stored Cross-site scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Deserialization
Fuzzer
- Directory Fuzzer
- File Fuzzer
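The SQL injection classes above are found by differential probing: the scanner sends a baseline value and several crafted variants to the same parameter and compares what comes back. The following is an added example, not DAST Essentials code, that reproduces three of those classes (boolean-based blind, UNION query-based, and error-based) against a constructed in-memory SQLite table, so that the difference between a string-concatenated query and a parameterized one can be seen offline. The table, the `lookup_*` functions and the payload strings are all hypothetical and written for this example; time-based and stacked-query probes are omitted because SQLite has no sleep function and the Python driver refuses multiple statements per call.

```python
import sqlite3

# Constructed sample table; not data from any real application.
USERS = [
    (1, "alice", "alice@example.test", 1),
    (2, "bob", "bob@example.test", 0),
]


def make_db():
    """In-memory SQLite database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """String-concatenated query: user input is parsed as SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a bound parameter: user input is only ever a value."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Hypothetical probe payloads modelled on three of the injection classes the
# page lists; they are written for this example and are not the scanner's own.
BASELINE = "nobody"                                   # matches no row
BOOLEAN_TRUE = "nobody' OR '1'='1"                    # always-true predicate
BOOLEAN_FALSE = "nobody' OR '1'='2"                   # always-false predicate
UNION_PAYLOAD = "nobody' UNION SELECT id, name, is_admin FROM users WHERE '1'='1"
ERROR_PAYLOAD = "nobody' OR (SELECT 1 FROM no_such_table) -- "  # provokes a DB error


def probe(conn, lookup):
    """Differential checks of the kind a DAST scanner runs against one input.

    Returns a dict naming which injection class the lookup is susceptible to.
    """
    base = lookup(conn, BASELINE)
    true_rows = lookup(conn, BOOLEAN_TRUE)
    false_rows = lookup(conn, BOOLEAN_FALSE)
    findings = {
        # Boolean-based blind: true and false predicates give different results,
        # and the true branch differs from the untouched baseline.
        "boolean_blind": true_rows != false_rows and true_rows != base,
        "union": False,
        "error_based": False,
    }
    try:
        # UNION-based: a value from another column (is_admin) shows up where
        # the email should be.
        union_rows = lookup(conn, UNION_PAYLOAD)
        findings["union"] = any(row[2] in (0, 1) for row in union_rows)
    except sqlite3.Error:
        pass
    try:
        lookup(conn, ERROR_PAYLOAD)
    except sqlite3.Error as exc:
        # Error-based: the database error text reaches the caller.
        findings["error_based"] = "no such table" in str(exc)
    return findings


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", probe(db, lookup_vulnerable))
    print("parameterized:", probe(db, lookup_parameterized))
```

Against `lookup_vulnerable` all three probes register; against `lookup_parameterized` the same payloads are simply compared as literal strings to the `name` column and none of them do, which is the result a clean scan of that endpoint would show.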
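The Content-Security-Policy scanner listed above reviews the header a target returns rather than probing for a specific injection. As an added example, not DAST Essentials code, the following function performs the kind of review a practitioner would want to reproduce before a scan: it parses a CSP value, applies the `default-src` fallback for fetch directives, and flags the settings that undo most of the header's protection. The finding strings and the sample header values are constructed for this example; the one non-obvious rule it encodes, that browsers implementing CSP Level 2 or later ignore `'unsafe-inline'` in a directive that also carries a nonce or hash, is standard CSP behaviour.

```python
# Source expressions that, in script-src, amount to allowing scripts from anywhere.
BROAD_SOURCES = ("*", "http:", "https:", "data:")
# Prefixes of nonce and hash source expressions (CSP Level 2 and later).
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src and object-src fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def review_csp(header):
    """Return a list of findings for a CSP header value; an empty list is clean."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    script = effective_sources(policy, "script-src")
    # 'unsafe-inline' is only effective when no nonce or hash supersedes it.
    superseded = any(src.startswith(HASH_OR_NONCE) for src in script)
    if "'unsafe-inline'" in script and not superseded:
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    for src in script:
        if src in BROAD_SOURCES:
            findings.append(f"script-src allows overly broad source {src}")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    if "base-uri" not in policy:
        findings.append("base-uri is not restricted")
    return findings


# Constructed header values for the example, not taken from any real site.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *"
STRICT_CSP = (
    "default-src 'none'; script-src 'nonce-r4nd0mV4lu3' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'self'"
)
# 'unsafe-inline' kept only as a fallback for pre-CSP2 browsers; the nonce wins.
NONCE_WITH_FALLBACK = (
    "default-src 'self'; script-src 'nonce-r4nd0mV4lu3' 'unsafe-inline'; "
    "object-src 'none'; base-uri 'none'"
)

if __name__ == "__main__":
    for label, value in (("weak", WEAK_CSP), ("strict", STRICT_CSP),
                         ("nonce+fallback", NONCE_WITH_FALLBACK), ("absent", "")):
        print(f"{label}: {review_csp(value) or 'no findings'}")
```

An empty header value stands in for a response with no CSP at all, which yields findings for every missing restriction; the nonce-plus-fallback policy shows why a reviewer should evaluate `'unsafe-inline'` in context rather than flag it on sight.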