DAST Risks

The Risks (DAST) page can be accessed by selecting the DAST option in the Risks tab. This tab offers an in-depth overview of all DAST security issues, clearly presented for ease of assessment.


Xygeni provides two functionalities related to DAST scanning:

  1. Xygeni provides a DAST Scanner that can perform dynamic analysis over your web applications and REST APIs. Please visit Xygeni DAST Scanner for further information.

  2. Xygeni also provides the functionality to import scan results from 3rd-party tools. This way, you can integrate 3rd-party DAST data into Xygeni and benefit from the Xygeni ASPM functionalities.

By default, this page will display all the DAST issues, regardless of the tool that found the issues (Xygeni DAST Scanner or any other 3rd party tool such as OWASP ZAP or Acunetix).

If you click on More filter fields, you can find the Tools filter where you can select a tool and only those issues reported by the selected tool will be displayed.


You can also reach the Risks (DAST) results under the DAST >> Risks (DAST) section.

Vulnerability Details

Each DAST vulnerability includes the following information:

  • Kind: The vulnerability type (e.g., SQL Injection, Cross-Site Scripting).

  • Severity: The risk level (critical, high, low, or info).

  • Confidence: How confident the scanner is in the finding (low, medium, high, or highest).

  • URL: The affected endpoint.

  • Method: The HTTP method used (GET, POST, etc.).

  • Parameter: The vulnerable parameter name.

  • Evidence: The attack payload or proof string.

  • CWE: The associated Common Weakness Enumeration identifier.

  • Compliance mappings: Where applicable, findings carry the matching NIST 800-53, SANS Top 25, and PCI DSS controls so DAST results can be traced directly to compliance requirements.

  • HTTP Request/Response: Full request and response details for reproducing the issue (captured by the active/passive scanner and by the vulnerability check, when available).

  • Potential PoC: A best-effort proof-of-concept for the finding, made of a curl command and an expect block (status, bodyContains, bodyRegex, headerContains) describing how to recognise the vulnerable response. Each PoC carries a confidence score: high for deterministic matchers (vuln-check templates) and for reflective findings where the evidence appears in the response body; low for behavioural detections (timing, blind injection, auth bypass), where a matching response is not proof on its own. For low-confidence PoCs the notes field explains the limitation.
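The following script is an added example, not code from Xygeni or from this page: it replays a Potential PoC's expect block against a captured HTTP response and turns the result into a triage verdict. The PoC record layout (curl, expect, confidence, notes), the two PoC records, the raw responses and the verdict names are all constructed assumptions for illustration; only the matcher names (status, bodyContains, bodyRegex, headerContains) come from the description above.

```python
"""Triage a DAST 'Potential PoC' by replaying its expect block against a captured response.

Added example. The PoC dict layout, the sample PoCs, the raw responses and the
verdict names are assumptions constructed for this example, not scanner output.
"""
import re

# Constructed PoC records (hypothetical). The reflected one has deterministic
# matchers; the blind one only checks a status code, so it is low confidence.
POC_REFLECTED = {
    "kind": "SQL Injection",
    "curl": "curl -s -i \"https://app.example/search?q=%27\"",
    "expect": {
        "status": 200,
        "bodyContains": "SQL syntax",
        "bodyRegex": r"You have an error in your SQL syntax.*near '",
        "headerContains": "Content-Type: text/html",
    },
    "confidence": "high",
    "notes": "",
}

POC_BLIND = {
    "kind": "SQL Injection (time-based)",
    "curl": "curl -s -i \"https://app.example/search?q=%27%3BSELECT%20SLEEP(5)--\"",
    "expect": {"status": 200},
    "confidence": "low",
    "notes": "Timing-based detection: a 200 alone does not prove injection; "
             "compare response latency against a baseline request manually.",
}

# Constructed raw HTTP/1.1 responses, as a capture tool would record them.
RAW_VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: nginx\r\n"
    "\r\n"
    "<html><body>You have an error in your SQL syntax; check the manual that "
    "corresponds to your MySQL server version for the right syntax to use "
    "near '''' at line 1</body></html>"
)

RAW_FIXED = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"error":"invalid query"}'
)


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers, body


def evaluate_expect(expect, status, headers, body):
    """Return {matcher_name: bool} for every matcher present in the expect block."""
    results = {}
    if "status" in expect:
        results["status"] = status == int(expect["status"])
    if "bodyContains" in expect:
        results["bodyContains"] = expect["bodyContains"] in body
    if "bodyRegex" in expect:
        results["bodyRegex"] = re.search(expect["bodyRegex"], body, re.S) is not None
    if "headerContains" in expect:
        flat = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
        results["headerContains"] = expect["headerContains"].lower() in flat
    return results


def triage(poc, raw_response):
    """Classify a replayed PoC as 'confirmed', 'needs-manual-review' or 'not-reproduced'."""
    status, headers, body = parse_raw_response(raw_response)
    results = evaluate_expect(poc["expect"], status, headers, body)
    if not results or not all(results.values()):
        return "not-reproduced", results
    if poc.get("confidence") == "high":
        return "confirmed", results
    # Behavioural detections match trivially (here, only a status code), so a
    # full match is a hint, not proof; the PoC's notes say what to check by hand.
    return "needs-manual-review", results


if __name__ == "__main__":
    for name, poc, raw in [("reflected/vulnerable", POC_REFLECTED, RAW_VULNERABLE),
                           ("reflected/fixed", POC_REFLECTED, RAW_FIXED),
                           ("blind/vulnerable", POC_BLIND, RAW_VULNERABLE)]:
        verdict, matchers = triage(poc, raw)
        print(f"{name}: {verdict} {matchers}")
        if verdict == "needs-manual-review":
            print("  note:", poc["notes"])
```

The point of the three-way verdict is that all matchers passing is only a confirmation when the PoC is high confidence; for a low-confidence PoC the same pass is routed to manual review, where the notes field tells the analyst what the matchers cannot establish (here, a timing difference).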

Severity Levels

DAST findings are mapped to four severity levels:

  • Critical: High-risk vulnerabilities that are directly exploitable (e.g., SQL Injection, Remote Code Execution).

  • High: Issues that may lead to data exposure or further exploitation (e.g., XSS, CSRF).

  • Low: Issues with limited impact (e.g., a cookie set without the Secure flag).

  • Info: Informational findings that may indicate areas for improvement (e.g., missing security headers).
