dast-scanning
SKILL.md
DAST Scanning
Test running applications for security vulnerabilities through dynamic analysis.
When to Use This Skill
Use this skill when:
- Testing deployed applications
- Performing automated security scans
- Finding runtime vulnerabilities
- Testing authentication flows
- Validating API security
Prerequisites
- Running application instance
- Network access to target
- Testing authorization
- Understanding of web security
Tool Overview
| Tool | Type | Best For |
|---|---|---|
| OWASP ZAP | OSS | Automated scanning, CI |
| Burp Suite | Commercial | Manual testing, advanced |
| Nikto | OSS | Web server scanning |
| Nuclei | OSS | Template-based scanning |
| Arachni | OSS | Comprehensive scanning |
OWASP ZAP
Docker Setup
# Run ZAP in daemon mode
docker run -d --name zap \
-p 8080:8080 \
-v $(pwd)/reports:/zap/reports \
ghcr.io/zaproxy/zaproxy:stable \
zap.sh -daemon -host 0.0.0.0 -port 8080 \
-config api.addrs.addr.name=.* \
-config api.addrs.addr.regex=true
Baseline Scan
# Quick baseline scan
docker run --rm -v $(pwd):/zap/wrk \
ghcr.io/zaproxy/zaproxy:stable \
zap-baseline.py -t https://target.example.com \
-r baseline-report.html
# With authentication
docker run --rm -v $(pwd):/zap/wrk \
ghcr.io/zaproxy/zaproxy:stable \
zap-baseline.py -t https://target.example.com \
-r report.html \
--auth-login-url https://target.example.com/login \
--auth-username user \
--auth-password pass
Full Scan
# Comprehensive scan
docker run --rm -v $(pwd):/zap/wrk \
ghcr.io/zaproxy/zaproxy:stable \
zap-full-scan.py -t https://target.example.com \
-r full-report.html \
-J full-report.json
API Scan
# OpenAPI specification scan
docker run --rm -v $(pwd):/zap/wrk \
ghcr.io/zaproxy/zaproxy:stable \
zap-api-scan.py -t https://target.example.com/openapi.json \
-f openapi \
-r api-report.html
ZAP Automation Framework
# zap-automation.yaml
env:
contexts:
- name: "Default Context"
urls:
- "https://target.example.com"
includePaths:
- "https://target.example.com/.*"
excludePaths:
- "https://target.example.com/logout.*"
authentication:
method: "form"
parameters:
loginUrl: "https://target.example.com/login"
loginRequestData: "username={%username%}&password={%password%}"
verification:
method: "response"
loggedInRegex: "\\QWelcome\\E"
users:
- name: "testuser"
credentials:
username: "test@example.com"
password: "password123"
jobs:
- type: spider
parameters:
context: "Default Context"
user: "testuser"
maxDuration: 10
- type: spiderAjax
parameters:
context: "Default Context"
user: "testuser"
maxDuration: 10
- type: passiveScan-wait
parameters:
maxDuration: 5
- type: activeScan
parameters:
context: "Default Context"
user: "testuser"
policy: "Default Policy"
- type: report
parameters:
template: "traditional-html"
reportDir: "/zap/reports"
reportFile: "zap-report"
# Run automation
docker run --rm -v $(pwd):/zap/wrk \
ghcr.io/zaproxy/zaproxy:stable \
zap.sh -cmd -autorun /zap/wrk/zap-automation.yaml
CI/CD Integration
GitHub Actions
name: DAST Scan
on:
workflow_dispatch:
schedule:
- cron: '0 2 * * *'
jobs:
dast:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Start Application
run: |
docker-compose up -d
sleep 30 # Wait for app to be ready
- name: OWASP ZAP Scan
uses: zaproxy/action-full-scan@v0.8.0
with:
target: 'http://localhost:8080'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a'
- name: Upload Report
uses: actions/upload-artifact@v4
if: always()
with:
name: zap-report
path: report_html.html
GitLab CI
dast:
stage: security
image: ghcr.io/zaproxy/zaproxy:stable
variables:
TARGET_URL: $DAST_TARGET_URL
script:
- mkdir -p /zap/wrk/reports
- zap-baseline.py -t $TARGET_URL -r /zap/wrk/reports/zap-report.html -I
artifacts:
paths:
- reports/
expire_in: 1 week
rules:
- if: $CI_COMMIT_BRANCH == "main"
Burp Suite Automation
REST API Usage
import requests
class BurpScanner:
def __init__(self, api_url, api_key):
self.api_url = api_url
self.headers = {'Authorization': api_key}
def create_scan(self, target_url):
"""Create and start a new scan."""
payload = {
'scan_configurations': [
{'name': 'Crawl and Audit - Balanced'}
],
'scope': {
'include': [{'rule': target_url}]
},
'urls': [target_url]
}
response = requests.post(
f'{self.api_url}/v0.1/scan',
json=payload,
headers=self.headers
)
return response.headers.get('Location')
def get_scan_status(self, scan_id):
"""Get scan status."""
response = requests.get(
f'{self.api_url}/v0.1/scan/{scan_id}',
headers=self.headers
)
return response.json()
def get_issues(self, scan_id):
"""Get scan issues."""
response = requests.get(
f'{self.api_url}/v0.1/scan/{scan_id}/issues',
headers=self.headers
)
return response.json()
# Usage
scanner = BurpScanner('http://burp:1337', 'api-key')
scan_id = scanner.create_scan('https://target.example.com')
while True:
status = scanner.get_scan_status(scan_id)
if status['scan_status'] == 'succeeded':
break
time.sleep(30)
issues = scanner.get_issues(scan_id)
Nikto
Basic Scanning
# Install
apt-get install nikto
# Basic scan
nikto -h https://target.example.com
# With specific options
nikto -h https://target.example.com \
-ssl \
-Tuning 123bde \
-output nikto-report.html \
-Format html
# Scan specific ports
nikto -h target.example.com -p 80,443,8080
Common DAST Findings
OWASP Top 10
owasp_findings:
A01_Broken_Access_Control:
- IDOR vulnerabilities
- Missing function-level access control
- Privilege escalation
A02_Cryptographic_Failures:
- Sensitive data in URLs
- Missing HTTPS
- Weak ciphers
A03_Injection:
- SQL injection
- Command injection
- XSS
A05_Security_Misconfiguration:
- Default credentials
- Verbose error messages
- Missing security headers
A07_Auth_Failures:
- Weak passwords accepted
- Session fixation
- Missing MFA
Security Headers Check
# Check security headers
curl -I https://target.example.com | grep -i "x-\|content-security\|strict"
# Expected headers:
# X-Content-Type-Options: nosniff
# X-Frame-Options: DENY
# X-XSS-Protection: 1; mode=block
# Content-Security-Policy: default-src 'self'
# Strict-Transport-Security: max-age=31536000
Custom Test Cases
# Test authentication
tests:
- name: "Authentication Bypass"
steps:
- Access protected resource without auth
- Verify 401/403 response
- Access with valid auth
- Verify 200 response
- name: "Session Management"
steps:
- Login and capture session token
- Logout
- Attempt to use old session
- Verify session invalidated
- name: "Input Validation"
steps:
- Submit XSS payload in all inputs
- Submit SQL injection in all inputs
- Verify proper sanitization
Common Issues
Issue: False Positives
Problem: Scanner reports non-vulnerabilities Solution: Configure scan policy, review findings manually
Issue: Missing Authentication
Problem: Cannot scan authenticated areas Solution: Configure authentication context, use session tokens
Issue: Incomplete Coverage
Problem: Scanner misses endpoints Solution: Import API specs, improve spidering, use authenticated scanning
Best Practices
- Test in staging environment first
- Configure proper authentication
- Import API specifications for complete coverage
- Review findings before reporting
- Combine with manual testing
- Run regular scans (weekly minimum)
- Track findings over time
- Coordinate with development team
Related Skills
- sast-scanning - Static analysis
- penetration-testing - Manual testing
- waf-setup - WAF configuration
Weekly Installs
16
Repository
bagelhole/devop…t-skillsGitHub Stars
13
First Seen
Feb 4, 2026
Security Audits
Installed on
codex16
opencode16
github-copilot15
kimi-cli15
gemini-cli15
cursor15