Dynamic Application Security Testing (DAST)

Overview

Xygeni's Dynamic Application Security Testing (DAST) tool performs automated security scanning of running web applications and REST APIs to uncover vulnerabilities that are exploitable at runtime. Unlike static analysis, DAST tests the application from the outside, simulating real-world attacks against live endpoints to identify security flaws before attackers do.

Through integration with CI/CD pipelines and the Xygeni platform, the DAST scanner delivers actionable findings with full HTTP request/response evidence, enabling security teams to quickly reproduce and remediate vulnerabilities in web-facing applications.

Protect Web Applications and APIs from Runtime Vulnerabilities

Web applications and APIs are a primary attack surface. Code that passes static analysis can still be vulnerable once deployed: server misconfigurations, missing security headers, and the behaviour of the full stack under attacker-controlled input are only observable in the running system. Xygeni's DAST tool is built to detect:

  • Injection flaws (SQL injection, OS command injection, LDAP injection, XPath injection, and more).

  • Cross-Site Scripting (XSS) (reflected, stored, and DOM-based variants).

  • Authentication and session management issues (session fixation, weak credentials, CSRF).

  • Security misconfigurations (information disclosure, missing security headers, directory listing).

  • Access control weaknesses (path traversal, IDOR, privilege escalation).

  • Known vulnerability patterns (Log4Shell, Spring4Shell, Server-Side Template Injection).

  • Known CVEs and exposures — the --vuln-check option extends detection with template-based scanning against thousands of known CVEs and misconfigurations.

The scan pipeline consists of: optional deep crawl (headless JS-aware URL discovery) → spidering and active/passive scanning → optional vulnerability check (CVE and misconfiguration detection) → report generation and upload.
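The following is an added example, not Xygeni's code, showing in miniature what the "active/passive scanning" stage above does and how the detection classes listed earlier are exercised from the outside. The scanner never reads the target's source: it only issues requests and inspects status, headers and body. The target is a constructed WSGI app with a deliberately weak endpoint (/search) and its hardened twin (/safe); the rule names, the required-header list and the in-process request helper are assumptions made for the example.

```python
"""Illustrative black-box scan (added example, not Xygeni's code).
The scanner sees only HTTP requests and responses, never source. Against a
constructed, deliberately weak WSGI app it runs an active check (reflected XSS
via a unique probe) and passive checks (missing security headers, server banner)."""
import html
import secrets
from dataclasses import dataclass
from io import BytesIO
from urllib.parse import parse_qs, urlencode

# Constructed target (sample, not a real application)
def vulnerable_app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    if path == "/search":
        # Reflects ?q= unescaped and leaks a version banner.
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Server", "Apache/2.4.29 (Ubuntu)")])
        return [f"<h1>Results for {q}</h1>".encode()]
    if path == "/safe":
        # Hardened twin: escaped output plus the headers the passive check expects.
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Content-Security-Policy", "default-src 'self'"),
                                  ("X-Content-Type-Options", "nosniff"),
                                  ("X-Frame-Options", "DENY")])
        return [f"<h1>Results for {html.escape(q)}</h1>".encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

@dataclass
class Response:
    status: int
    headers: dict  # names lower-cased
    body: str

@dataclass
class Finding:
    rule: str
    url: str
    evidence: str  # what a tester needs to reproduce it

def http_get(app, path, params):
    """GET against the WSGI app in-process; a real scanner would speak HTTP."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": urlencode(params),
               "SERVER_NAME": "target", "SERVER_PORT": "80", "SERVER_PROTOCOL": "HTTP/1.1",
               "wsgi.url_scheme": "http", "wsgi.input": BytesIO(b"")}
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        captured["headers"] = {k.lower(): v for k, v in headers}
    body = b"".join(app(environ, start_response))
    return Response(captured["status"], captured["headers"], body.decode("utf-8", "replace"))

REQUIRED_HEADERS = ("content-security-policy", "x-content-type-options", "x-frame-options")

def passive_checks(url, resp):
    """Inspect a response already obtained; sends no extra traffic."""
    findings = []
    if "text/html" in resp.headers.get("content-type", ""):
        for name in REQUIRED_HEADERS:
            if name not in resp.headers:
                findings.append(Finding("missing-security-header", url, f"no {name} header"))
    server = resp.headers.get("server", "")
    if any(c.isdigit() for c in server):  # version number in the banner
        findings.append(Finding("server-version-disclosure", url, f"Server: {server}"))
    return findings

def active_xss_check(app, path, param):
    """Send a tag-shaped probe with a random marker. A verbatim echo means '<'
    survived unescaped; an escaped page would contain '&lt;' instead."""
    payload = f"<xg{secrets.token_hex(4)}>"
    resp = http_get(app, path, {param: payload})
    url = f"{path}?{urlencode({param: payload})}"
    if payload in resp.body:
        return [Finding("reflected-xss", url, f"{payload!r} reflected unescaped")]
    return []

def scan(app, targets):
    """targets: (path, parameter) pairs, as a crawl or an OpenAPI spec would yield."""
    findings = []
    for path, param in targets:
        url = f"{path}?{param}=probe"
        findings.extend(passive_checks(url, http_get(app, path, {param: "probe"})))
        findings.extend(active_xss_check(app, path, param))
    return findings

if __name__ == "__main__":
    for f in scan(vulnerable_app, [("/search", "q"), ("/safe", "q")]):
        print(f"{f.rule:26} {f.url:44} {f.evidence}")
```

Two design points carry over to real scanners. The active probe uses a random marker so that a page which happens to contain the literal probe text cannot cause a false positive, and it checks for the raw `<` rather than a scripted payload, because the vulnerability is the missing encoding, not any one exploit string. Every finding records the URL and the response evidence that triggered it, which is what lets a developer reproduce the issue without rerunning the whole scan.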

The scanner supports multiple application types: traditional server-rendered apps, JavaScript-heavy Single Page Applications (SPAs), REST APIs described by an OpenAPI specification, GraphQL APIs, and SOAP web services.

Supported Application Types

  • Traditional: Server-rendered web applications (PHP, JSP, ASP.NET, etc.)

  • SPA: JavaScript-heavy Single Page Applications (React, Angular, Vue)

  • REST API: REST APIs with OpenAPI/Swagger specification

  • GraphQL: GraphQL APIs with schema import or introspection

  • SOAP: SOAP web services with WSDL definition

For more information regarding DAST Security, refer to these sections:
