DAST Scanner Configuration

The DAST Scanner is configured through YAML scan profiles that control how the scanner behaves for different types of applications.

Profiles can be selected with the --profile option:

xy-dast scan -u https://example.com --profile spa -o report.json

Profile Locations

Custom profiles can be placed in any of these directories:

Profile Schema

A profile is a YAML file with the following sections:

# Identity
name: my-profile
description: "Description of the profile"
extends: openapi  # Optional: inherit from a base profile

# Scope - URL patterns to include/exclude
scope:
  includePatterns:
    - "https://api.example.com/v2/.*"
  excludePatterns:
    - ".*logout.*"
    - ".*\\.js$"
    - ".*\\.css$"

# Authentication
authentication:
  method: BEARER            # NONE, FORM, BEARER, HEADER, BASIC, JSON, SCRIPT
  loginUrl: ""              # Login form URL (for FORM method)
  usernameField: "username" # Form field name for username
  passwordField: "password" # Form field name for password
  headerName: "Authorization"  # Header name (for BEARER/HEADER)
  headerValue: "${env:API_TOKEN}"  # Header value
  headerPrefix: "Bearer "   # Header value prefix

# Users (for form-based authentication)
users:
  - name: "test-user"
    username: "admin"
    password: "admin123"
    default: true

# Session management
session:
  method: COOKIE  # COOKIE, HEADER, or SCRIPT

# Technology context (helps optimize scanning)
technology:
  language: javascript
  database: mysql
  framework: express
  include:
    - "Db / MySQL"
    - "Language / JavaScript"

# Spider configuration
spider:
  duration: 10   # Maximum duration in minutes
  depth: 5       # Maximum crawl depth
  children: 10   # Maximum children per node

# AJAX Spider configuration (for SPAs)
ajaxSpider:
  duration: 15   # Maximum duration in minutes
  depth: 5       # Maximum crawl depth
  browsers: 4    # Number of browser instances
  skip: false    # Set to true to disable AJAX spider

# Active scan configuration
activeScan:
  duration: 20       # Maximum duration in minutes
  ruleDuration: 5    # Maximum duration per rule in minutes
  policy: ""         # Scan policy (e.g., "API-Scan")
  strength: "MEDIUM" # Attack strength: LOW, MEDIUM, HIGH, INSANE
  threshold: "MEDIUM" # Alert threshold: LOW, MEDIUM, HIGH
  rules: []          # Per-rule overrides (see below)

# Passive scan configuration
passiveScan:
  waitDuration: 5  # Maximum wait time in minutes

# Deep crawl (headless browser-based pre-scan crawling)
deepCrawl:
  enabled: false    # Enable deep crawl before the scan
  depth: 3          # Maximum crawl depth
  duration: "5m"    # Crawl timeout (accepts: 30s, 5m, 1h)

# Vulnerability check (template-based CVE/misconfiguration detection)
vulnCheck:
  enabled: false    # Enable post-scan vulnerability check
  severities:       # Severity filter
    - critical
    - high
    - medium
  excludeTags:      # Template tags to exclude (default: dos, fuzz)
    - dos
    - fuzz
  rateLimit: 50     # Requests per second
  timeout: "15m"    # Scan timeout
  # templates:      # Advanced: override template directories. The defaults
  #   - ...         # cover CVEs, exposures, misconfigurations, and known
  #                 # vulnerabilities and rarely need to be customised.

# Client certificate (mTLS) — optional
# Equivalent to --client-cert / --client-cert-password on the CLI.
# Orthogonal to other authentication methods (combine as needed).
clientCertificate:
  path: /path/to/client.p12        # PKCS#12 (.p12 / .pfx) certificate
  password: "${env:CERT_PASSWORD}" # Read from env to keep secrets out of YAML

# Result filtering
filtering:
  excludeRules:       # Rule IDs to exclude from results
    - "10094"
  riskThreshold: ""   # Minimum risk: INFO, LOW, MEDIUM, HIGH

Profile Inheritance

Use extends to inherit settings from a built-in or custom profile. Only the fields you specify are overridden; all other settings come from the parent.

name: my-api
description: "Custom API profile with stricter scanning"
extends: openapi

activeScan:
  duration: 30
  strength: HIGH

This profile inherits all settings from openapi (minimal spidering, no AJAX spider, API-Scan policy) but overrides the active scan duration and strength.

Authentication Configuration

authentication:
  method: FORM
  loginUrl: "https://app.example.com/login"
  usernameField: "username"
  passwordField: "password"

users:
  - name: "test-user"
    username: "admin"
    password: "${env:APP_PASSWORD}"
    default: true

BEARER - Bearer Token

authentication:
  method: BEARER
  headerName: "Authorization"
  headerValue: "${env:API_TOKEN}"
  headerPrefix: "Bearer "

HEADER - Custom Header

authentication:
  method: HEADER
  headerName: "X-API-Key"
  headerValue: "${env:API_KEY}"
  headerPrefix: ""

BASIC - HTTP Basic Authentication

authentication:
  method: BASIC

users:
  - name: "test-user"
    username: "admin"
    password: "${env:BASIC_PASSWORD}"
    default: true

Credentials are Base64-encoded and sent as Authorization: Basic <encoded> on every request (RFC 7617).

Environment variables can be referenced with ${env:VARNAME} syntax anywhere in profile values. This is the recommended approach for sensitive values like tokens and passwords.

Authentication Methods Reference

Method

Description

Required Fields

NONE

No authentication

FORM

HTML form login with username/password

loginUrl, usernameField, passwordField, users

BEARER

Bearer token in Authorization header

headerName, headerValue, headerPrefix

HEADER

Custom header authentication

headerName, headerValue

BASIC

HTTP Basic authentication (RFC 7617)

users (username and password)

JSON

JSON body authentication

loginUrl, request body fields

SCRIPT

Script-based authentication

Custom authentication script

Per-Rule Policy Overrides

The activeScan.rules list allows you to override threshold and strength for individual scan rules, or disable rules entirely:

activeScan:
  duration: 20
  strength: MEDIUM
  rules:
    # Enable specific rules with higher strength
    - id: 40018
      name: "SQL Injection"
      threshold: "Medium"
      strength: "High"
    - id: 40012
      name: "Cross Site Scripting (Reflected)"
      threshold: "Medium"
      strength: "High"
    # Disable a rule
    - id: 30001
      name: "Buffer Overflow"
      threshold: "Off"

Setting threshold: "Off" disables a rule entirely. Valid threshold values are Off, Low, Medium, and High. Valid strength values are Low, Medium, High, and Insane.

Example: OWASP Juice Shop Profile

This complete example shows a custom profile for scanning the OWASP Juice Shop application:

name: example-juiceshop
description: "Profile for OWASP Juice Shop application"
extends: spa

scope:
  includePatterns:
    - "http://localhost:3000/.*"
  excludePatterns:
    - ".*\\.js$"
    - ".*\\.css$"
    - ".*\\.png$"
    - ".*socket\\.io.*"
    - ".*logout.*"

technology:
  language: javascript
  database: mysql
  framework: express
  include:
    - "Db / MySQL"
    - "Language / JavaScript"

ajaxSpider:
  duration: 10
  depth: 8
  browsers: 3
  skip: false

activeScan:
  duration: 20
  ruleDuration: 5
  strength: "HIGH"
  threshold: "MEDIUM"
  rules:
    - id: 40018
      name: "SQL Injection"
      threshold: "Medium"
      strength: "High"
    - id: 40012
      name: "Cross Site Scripting (Reflected)"
      threshold: "Medium"
      strength: "High"
    - id: 40014
      name: "Cross Site Scripting (Persistent)"
      threshold: "Medium"
      strength: "High"
    - id: 40026
      name: "Cross Site Scripting (DOM Based)"
      threshold: "Medium"
      strength: "High"
    - id: 6
      name: "Path Traversal"
      threshold: "Medium"
      strength: "High"
    - id: 90023
      name: "XML External Entity Attack"
      threshold: "Medium"
      strength: "High"
    # Disable low-value rules for this app
    - id: 30001
      name: "Buffer Overflow"
      threshold: "Off"
    - id: 40003
      name: "CRLF Injection"
      threshold: "Off"

Run with:

xy-dast scan -u http://localhost:3000 --profile example-juiceshop -o report.json

Profile Schema Reference

Section

Fields

Description

name, description

string

Profile identity

extends

string

Parent profile to inherit from

scope

includePatterns, excludePatterns

Regex lists for URL filtering

authentication

method, loginUrl, usernameField, passwordField, headerName, headerValue, headerPrefix

Authentication settings

users

List of {name, username, password, default}

Credentials for form-based auth

session

method

Session management: COOKIE, HEADER, or SCRIPT

technology

language, database, framework, include

Technology context for scan optimization

spider

duration, depth, children

Traditional spider settings

ajaxSpider

duration, depth, browsers, skip

AJAX spider settings (for SPAs)

activeScan

duration, ruleDuration, policy, strength, threshold, rules

Active scan settings

passiveScan

waitDuration

Passive scan wait time

deepCrawl

enabled, depth, duration

Pre-scan deep crawling

vulnCheck

enabled, templates, severities, excludeTags, rateLimit, timeout

Post-scan vulnerability checking

clientCertificate

path, password

PKCS#12 client certificate for mTLS targets (orthogonal to other auth methods)

filtering

excludeRules, riskThreshold

Result filtering

PreviousDAST Scanner NextDAST Detectors

Last updated 9 days ago

hashtagDAST Scanner Configuration

hashtagProfile Locations

hashtagProfile Schema

hashtagProfile Inheritance

hashtagAuthentication Configuration

hashtagFORM - HTML Form Login

hashtagBEARER - Bearer Token

hashtagHEADER - Custom Header

hashtagBASIC - HTTP Basic Authentication

hashtagAuthentication Methods Reference

hashtagPer-Rule Policy Overrides

hashtagExample: OWASP Juice Shop Profile

hashtagProfile Schema Reference