Run dynamic application security testing (DAST) on
With fAST Dynamic, you can perform rapid, self-service DAST scans of web applications and APIs. Issues found in DAST scans can be viewed alongside SAST and SCA issues, and triaged according to their severity.
About DAST
Prerequisites
Before you begin, make sure that:
- Your organization has a subscription with a DAST entitlement.
- Your subscription has at least one available DAST project.
- An Organization Admin or Organization Application Manager has either:
- Created an application that uses your DAST subscription.
Note: See Create an application for more information.
- Assigned your DAST subscription to a preexisting application.
Note: See Assign subscriptions to applications for more information.
- Created an application that uses your DAST subscription.
- has network access to the application or API you wish to scan. To run DAST
tests, communicates with your web-accessible applications or APIs using IPs
that vary between instances.
Table 1. fAST Dynamic (DAST) IPs instance IPs (outbound) America, production - 192.231.134.0/24
America, POC European Union, production - 162.244.5.0/24
- You have permissions to create and manage projects.
Note: See Roles and permissions for more information.
About active attacks
If you select the Perform Active Attacks checkbox when creating a DAST project, fAST Dynamic will simulate real-world attacks by sending various inputs and then observing the application's or API's behavior.
Create a DAST project
- Web Applications
- APIs
A target is identified by its Entry Point URL. A separate DAST profile is needed for each target you want to scan. A single target can be used for testing a web application or an API, but not both.
Create a DAST project for a web application target
Create a DAST project for an API target
Test a DAST project
Follow these steps to run a DAST test from the user interface:
Work with DAST issues
Issues captured in DAST tests are managed like SAST and SCA issues. You can:
- Triage DAST issues (and manually apply fix-by dates). See Ways to triage issues in.
- Assign issue policies to DAST projects to automate actions when issues are captured in tests. See Issue policies.
- Export DAST issues to CSV or JSON. See How to export issues to CSV or JSON.