Fine-tune a DAST profile
To fine-tune a DAST profile, edit the `scan-settings.json` file and upload it to the web UI. Configuration options are available for the scan engine (for example, excluded URLs, attack depth, and crawl settings) and for the supported authentication methods (Forms, SAML, and Selenium).
After you create a DAST project, follow these steps to customize the project's DAST profile:
Advanced DAST settings
Setting | Description
---|---
`useSmartSetting` | When Smart Settings is enabled, fAST Dynamic crawls a limited section of the target web application to automatically detect several characteristics important to dynamic application security testing. Based on this data, the scan engine defines a set of optimal scan settings and applies them. Note: enabling Smart Settings overrides some pre-existing scan settings if you have modified them in the `scan-settings.json` file. Default:
`pageReadyConfig` | Configuration for "page readiness" heuristics; that is, how the scan engine determines whether a page has finished loading in a browser and is ready for interaction. Default:
`authSettings` | Configuration for authentication. See Authentication settings (authSettings) below for more information. Default:
`scanTimeout` | Maximum length of time before an incomplete scan times out. At the end of this period, the scanner publishes the partial results of the scan. Default:
`includedPaths` | Configuration for URL paths to include in scans of the target web application. If set, only URL paths matching the specified values are included in scans. Enter an array of regular expressions. Default: N/A
`excludedUrls` | Configuration for URL paths to exclude from scans of the target web application. URLs whose path matches one of the values are excluded from scans, including active attacks. Enter an array of regular expressions. Default:
`excludedAttackUrls` | Configuration for URL paths to exclude from active attacks of the target web application. Only applies if Perform Active Attacks is selected on the DAST project page. Default:
`excludedParameters` | An array of values; any parameter whose name matches (for example, query parameters, form fields, or headers) is not attacked. Only applies if Perform Active Attacks is selected on the DAST project page. Default:
`excludedStatusCodes` | A response with a matching status code is not attacked. Only applies if Perform Active Attacks is selected on the DAST project page. Default:
`excludedHosts` | List of hosts to exclude from crawling and attacking, as an array of regular expressions. The scan engine never sends a request to any URL on these hosts, even through the browser. Note: you might want to add internal services to the default list of excluded hosts, for example, application performance monitoring (APM) tools, ad servers, etc. Default: See
`customHeaders` | Extra headers to add to all requests from the scan engine. Default:
`customCookies` | Extra cookies to add to all requests from the scan engine. Default:
`activeCheckers` | List of active checkers to enable in scans of the target web application. Active checkers change the values of parameters in requests to detect vulnerabilities. Reducing the number of active checkers speeds up scans but reduces the depth and breadth of intrusive testing. Only applies if Perform Active Attacks is selected on the DAST project page. Default: See
`passiveCheckers` | List of passive checkers to enable in scans of the target web application. Passive checkers are non-intrusive: they detect vulnerabilities by passively observing web traffic. Default: See
`crawler.formValues` | Default values used by the scan engine when crawling pages that contain forms. You can customize these form values with the specific names and types of form fields used in the target web application. Default: See
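As an added example (not the product's own code), the following Python script previews how the `includedPaths`, `excludedUrls`, `excludedAttackUrls` and `excludedHosts` lists scope a scan, so you can confirm that third-party and internal hosts are never contacted before uploading the profile. It assumes each entry is a regular expression matched with `re.search` against the hostname (for `excludedHosts`), the URL path (for `includedPaths`) or the full URL (for the other lists); the scan engine's exact matching rule is not stated on this page.

```python
import re
from urllib.parse import urlparse

# Constructed scan-settings fragment (example values, not the product defaults).
# Assumption: each entry is a regular expression matched with re.search against
# the hostname (excludedHosts), the URL path (includedPaths) or the full URL.
SETTINGS = {
    "includedPaths": [r"^/app/"],
    "excludedUrls": [r"/logout", r"/admin/delete"],
    "excludedAttackUrls": [r"/app/checkout"],
    "excludedHosts": [r"\.googletagmanager\.com$", r"^apm\.internal\.example\.com$"],
}

def _matches(patterns, text):
    return any(re.search(p, text) for p in patterns)

def scope(url, settings=SETTINGS):
    """Classify a URL as 'skip' (never requested), 'crawl' (crawled but not
    attacked) or 'attack' (crawled and attacked when active attacks are on)."""
    parsed = urlparse(url)
    # excludedHosts: the engine never sends a request to these hosts at all
    if _matches(settings.get("excludedHosts", []), parsed.hostname or ""):
        return "skip"
    # excludedUrls: excluded from the scan, including active attacks
    if _matches(settings.get("excludedUrls", []), url):
        return "skip"
    # includedPaths: when set, only matching paths are in scope
    included = settings.get("includedPaths") or []
    if included and not _matches(included, parsed.path):
        return "skip"
    # excludedAttackUrls: still crawled, but not actively attacked
    if _matches(settings.get("excludedAttackUrls", []), url):
        return "crawl"
    return "attack"

if __name__ == "__main__":
    for u in [  # constructed sample URLs
        "https://app.example.com/app/profile",
        "https://app.example.com/app/checkout",
        "https://www.googletagmanager.com/gtm.js",
    ]:
        print(f"{scope(u):7} {u}")
```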
Authentication settings (authSettings)
When you create a DAST project, you select an authentication method (None, Forms, SAML, or Selenium) and configure basic settings through the web UI. Alternatively, you can configure authentication in the `authSettings` section of the `scan-settings.json` file. There you can configure the same options as in the UI plus some additional advanced settings for each authentication method.
By default, no authentication method is set:
```json
"authSettings": {
  "loginType": "none",
  "settings": {}
},
```
The `loginType` field supports the following values: `none`, `simple`, `SAML`, and `selenium`. The structure of the `settings` object depends on this value, as described below.
Simple
Simple authentication is most appropriate for username/password login forms where both the username and password fields are on a single page.
Setting | Optional/Required | Description
---|---|---
`loginURL` | Required | URL of the target login page.
`formCSSSelector` | Optional | A CSS selector for the login form, needed if there is more than one form on the login page. A CSS selector can be generated with your browser's developer tools by highlighting the `<form>` HTML element and choosing Copy Selector from the context menu.
`formValues` | Optional | Specifies the input field names and values for interacting with the target login form (for example, `nameValues`, which maps field names to values, as in the example below).
`headers` | Optional | An array of Name,Value pairs (note the capitalization).
`cookies` | Optional | An array of Cookie objects as Name,Value pairs. Other cookie properties, such as Path or Expires, are supported too.
For example:
```json
"authSettings": {
  "loginType": "simple",
  "settings": {
    "loginURL": "https://example.com/login",
    "formValues": {
      "nameValues": {
        "username": "myuser",
        "password": "mypassword"
      }
    }
  }
}
```
SAML
Authenticate via a SAML Identity Provider (IdP) to perform SSO to a target.
Setting | Optional/Required | Description
---|---|---
`ssoLoginURL` | Required | The URL of the SAML SSO login page.
`formValues` | Optional | Specifies the input field names and values for interacting with the target login form (for example, `nameValues`, which maps field names to values, as in the example below).
`headers` | Optional | An array of Name,Value pairs (note the capitalization).
`cookies` | Optional | An array of Cookie objects as Name,Value pairs. Other cookie properties, such as Path or Expires, are supported too.
For example:
```json
"authSettings": {
  "loginType": "SAML",
  "settings": {
    "ssoLoginURL": "https://mycompany.okta.com/app/12345",
    "formValues": {
      "nameValues": {
        "username": "admin",
        "password": "password123"
      }
    }
  }
}
```
Selenium
Authenticate using a Selenium `.side` file, generated from the Selenium IDE browser extension.
Setting | Optional/Required | Description
---|---|---
`sideFileContents` | Optional | The contents of the `.side` file, in JSON format.
For example:
```json
"authSettings": {
  "loginType": "selenium",
  "settings": {
    "sideFileContents": {
      "id": "629c40d4-ea61-42c3-9ce5-80e59da8a988",
      "version": "2.0",
      "name": "selenium-example",
      "url": "https://example.com",
      "tests": [...],
      "suites": [...],
      "urls": [
        "https://example.com/"
      ],
      "plugins": []
    }
  }
},
```
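As an added example (not part of the product), this Python validator checks an `authSettings` block against the structure described above before the file is uploaded: the `loginType` value, the required `loginURL` or `ssoLoginURL` setting, the capitalised `Name`/`Value` shape of `headers` and `cookies`, and the top-level keys of `sideFileContents` as they appear in the Selenium example. The HTTPS check on the login URLs is an added recommendation, not a rule stated on this page.

```python
import json

# Allowed loginType values and the setting each one requires, per the tables
# above (sideFileContents is documented as optional, so selenium requires none).
REQUIRED = {"none": [], "simple": ["loginURL"], "SAML": ["ssoLoginURL"], "selenium": []}
# Top-level keys of a Selenium IDE .side file, as in the selenium example above.
SIDE_KEYS = {"id", "version", "name", "url", "tests", "suites", "urls", "plugins"}

def _check_name_value_list(items, field, problems):
    # headers and cookies are arrays of objects keyed Name / Value (capitalised)
    if not isinstance(items, list):
        problems.append(f"{field} must be an array")
        return
    for i, item in enumerate(items):
        if not isinstance(item, dict) or not {"Name", "Value"}.issubset(item):
            problems.append(f"{field}[{i}] must have Name and Value")

def validate_auth_settings(auth):
    """Return a list of problems found in an authSettings object (empty means OK)."""
    problems = []
    login_type = auth.get("loginType")
    settings = auth.get("settings") or {}
    if login_type not in REQUIRED:
        return [f"unknown loginType {login_type!r}; expected one of {sorted(REQUIRED)}"]
    for key in REQUIRED[login_type]:
        if key not in settings:
            problems.append(f"loginType {login_type} requires settings.{key}")
    # Added recommendation (not from the page): never post credentials over plain http
    for url_key in ("loginURL", "ssoLoginURL"):
        url = settings.get(url_key)
        if url and not url.lower().startswith("https://"):
            problems.append(f"{url_key} should use https so credentials are not sent in clear text")
    for field in ("headers", "cookies"):
        if field in settings:
            _check_name_value_list(settings[field], field, problems)
    side = settings.get("sideFileContents")
    if side is not None:
        if not isinstance(side, dict):
            problems.append("sideFileContents must be the parsed JSON object, not a string")
        elif SIDE_KEYS - set(side):
            problems.append(f"sideFileContents is missing {sorted(SIDE_KEYS - set(side))}")
    return problems

def validate_file(path):
    """Load a scan-settings.json file and validate its authSettings block."""
    with open(path, encoding="utf-8") as fh:
        return validate_auth_settings(json.load(fh).get("authSettings") or {})
```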