DAST Essentials FAQs
This section provides answers to general questions you might have when first using DAST Essentials.
How do I scan my web application for security vulnerabilities?
Scanning your web applications is super easy with DAST Essentials. Just set up your target and get results within 2 minutes. See the quickstart.
How can I scan an API for security vulnerabilities?
With APIs playing a more critical role in modern technology, it is essential to scan web applications and APIs for security vulnerabilities. This enables you to scan the backend and communication for mobile apps, such as Apple or Android or HTTP-based IoT devices.
All you need to scan your API is a documentation file, such as Swagger v2 or OpenAPI v3 - JSON or YAML file. The documentation needs to be accessible to the security scanner. To achieve this, you can host the documentation somewhere or sending the documentation through the API when starting a scan. Instead of crawling your web application for attack vectors, DAST Essentials gets the attack vectors from your API documentation.
How do I test my single page application for security vulnerabilities?
Setting up a scan for your Single Page Application (SPA) is easy. You have to set up your target. After choosing Web Application for your Scan Target Type, select JavaScript Application. For best results, add authentication credentials to your scan. See the quickstart.
How do I prepare my application for a vulnerability scan?
For a vulnerability scan, you should set up your application in such a way that the scan does not interrupt your service, and you can go back to a working state in case of any issues during the scan:
- Ensure that you have permission to conduct a security scan against your application. Talk to all people concerned with the application, such as developers, product owners, or the infrastructure team.
- Inform the monitoring team about the security scan so that no real alert is fired when the security scan starts.
- When doing invasive security scans such as the DAST Essentials full scan scope, scan your application on a test or staging system instead of the production system.
- Do a backup before the vulnerability scan so that you can roll back the system to a working state if needed.
- Create a Test User for the vulnerability scan so that you separate the test data of the vulnerability scan and the other (test) data.
What login methods do vulnerability scanners support?
The vulnerability scanner supports several authentication methods:
- HTTP basic authentication
- Login form authentication
- Parameter authentication: HTTP headers, GET-parameter, and session cookies
How long does a vulnerability scan take?
The quick, non-invasive vulnerability scan takes 2-5 minutes. The total invasive vulnerability scan length depends on the size of your application size and the number of found attack vectors. Most of the scans are done in under 4 hours, but the scan might take longer if you have an extensive application.