
common-dast-tooling

Standardize usage of Dynamic Application Security Testing (DAST) tools (ZAP, Nuclei, Nikto) and custom AI-driven curl probes for adversarial system testing. Use when advising on or running dynamic security scans on local/staging environments. (triggers: DAST, dynamic scan, zap, nuclei, nikto, curl probe, pentest, dynamic analysis)


DAST Tooling Standard

Priority: P1 (OPERATIONAL)

Always-Apply Rules

  • No Scanning Production: Never run DAST tools against live production environments. Use local or staging replicas only.
  • No Uncapped Scans: Always set max-depth or max-duration to avoid infinite loops on dynamic routes.
  • No Anonymous Probing: Use authenticated headers (Authorization) to test protected surfaces, not just public ones.

1. Automated DAST Tools

Follow the DAST Tooling Implementation guide (see References) for command-line setup.

  • Nuclei: Best for fast, template-based CVE/Misconfiguration scanning.
  • ZAP-CLI: Best for deep spidering and web vulnerability scanning (SQLi, XSS, etc.).
  • Nikto: Quick scan for insecure server configurations and outdated software.
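As an added example (not part of this skill or the agent-skills-standard repository), a POSIX shell pre-flight that enforces the three Always-Apply Rules before one of the tools above is launched, shown here for Nuclei; the host allowlist, the DAST_ALLOWED_HOSTS variable and the bearer-token handling are assumptions.

```shell
#!/bin/sh
# Added guardrail example (not the skill's own code). Refuses a scan unless the
# target is a local/staging host, a max-duration cap is set, and an auth token
# is supplied. DAST_ALLOWED_HOSTS and the staging hostname are assumptions.

# Hosts a scan may target; anything else is treated as production and refused.
DAST_ALLOWED_HOSTS="localhost 127.0.0.1 staging.internal.example"

# Rule "No Scanning Production": 0 only if the URL's host is on the allowlist.
# The host is taken from the URL after stripping scheme, port and path, so
# "localhost.evil.example" does not match "localhost".
dast_target_allowed() {
  host=$(printf '%s' "$1" | sed -E 's#^[a-z]+://##; s#[:/].*$##')
  for h in $DAST_ALLOWED_HOSTS; do
    [ "$host" = "$h" ] && return 0
  done
  return 1
}

# Pre-flight for all three rules: url max_seconds token. Returns 0 if the scan
# may proceed, 1 otherwise.
#   "No Uncapped Scans":     max_seconds must be a positive integer
#   "No Anonymous Probing":  token must be non-empty
dast_preflight() {
  url=$1; max_seconds=$2; token=$3
  dast_target_allowed "$url" || return 1
  [ -n "$max_seconds" ] && [ "$max_seconds" -gt 0 ] 2>/dev/null || return 1
  [ -n "$token" ] || return 1
  return 0
}

# Runs Nuclei only after the pre-flight passes. coreutils `timeout` provides a
# tool-agnostic hard duration cap; -u and -H are Nuclei's target/header flags.
# The token is passed from the caller's environment, never hard-coded.
dast_run_nuclei() {
  dast_preflight "$1" "$2" "$3" || { echo "refused: rule violation" >&2; return 1; }
  timeout "${2}s" nuclei -u "$1" -H "Authorization: Bearer $3"
}

# Usage: DAST_TOKEN=... ; dast_run_nuclei http://localhost:8080 600 "$DAST_TOKEN"
```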

2. Adversarial curl Probing (Manual)

When tools are unavailable, use the AI to generate targeted curl probes:

  • Bypassing Guards: Probe protected routes with manipulated headers (X-Forwarded-For, X-Custom-Auth).
  • Data Leakage: Request /metrics, /health, or .git directories to find exposed metadata.
  • Parameter Tampering: Modify payload types (String -> Object) or inject large payloads to test limits.

Scoring Impact

Finding                                     Severity   Deduction
Unauthenticated access to private data      P0         -25
Successful SQLi/RCE via probe               P0         -20
Info Leakage (Server versions/Env vars)     P1         -10
Missing security headers (CSP/HSTS)         P2         -5

Anti-Patterns

  • No relying solely on static analysis: pentesting MUST include feedback from dynamic execution.
  • No ignoring non-web protocols: check Docker ports, SSH banners, and internal gRPC/RMQ listeners.

References

  • DAST Tooling Implementation
  • OWASP Dynamic Scanning Guide

Repository: HoangNguyen0403/agent-skills-standard