Merge pull request #283 from OWASP/dast-tools

#282 General page on dast tools.

Author: sydseter

.wordlist.txt

@@ -5,6 +5,7 @@ CVE
 CWE
 Cavalcanti
 Customizable
+dast
 DockerHub
 EscapeAll
 Flaxman

_data/draft.yaml

@@ -163,8 +163,8 @@ docs:
 - title: '6.2 Tools'
   url: verification/tools
 
-- title: '6.2.1 Zed Attack Proxy'
-  url: verification/tools/zed_attack_proxy
+- title: '6.2.1 DAST'
+  url: verification/tools/dast
 
 - title: '6.2.2 Amass'
   url: verification/tools/amass

draft/02-toc.md

@@ -73,7 +73,7 @@ permalink:
 6.1.2 [MAS Testing Guide](#mas-testing-guide)  
 6.1.3 [Application Security Verification Standard](#application-security-verification-standard)  
 6.2 [Tools](#verification-tools)  
-6.2.1 [Zed Attack Proxy](#zed-attack-proxy)  
+6.2.1 [DAST](#dast)  
 6.2.2 [Amass](#amass)  
 6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
 6.2.4 [Nettacker](#nettacker)  

draft/04-foundations/02-secure-development.md

@@ -165,7 +165,6 @@ There are many OWASP tools and resources to help build security into the SDLC.
 * [Nettacker][net]
 * [Offensive Web Testing Framework][owtf] (OWTF)
 * [Web Security Testing Guide][wstg] (WSTG)
-* [Zed Attack Proxy][zap] (ZAP)
 
 #### OWASP training projects
 
@@ -237,6 +236,5 @@ then [submit an issue][issue0402] or [edit on GitHub][edit0402].
 [intstand]: https://owasp.org/www-project-integration-standards/
 [webgoat]: https://owasp.org/www-project-webgoat/
 [wstg]: https://owasp.org/www-project-web-security-testing-guide/
-[zap]: https://www.zaproxy.org/
 
 \newpage

draft/08-verification/00-toc.md

@@ -44,7 +44,7 @@ Sections:
 6.1.2 [MAS Testing Guide](#mas-testing-guide)  
 6.1.3 [Application Security Verification Standard](#application-security-verification-standard)  
 6.2 [Tools](#verification-tools)  
-6.2.1 [Zed Attack Proxy](#zed-attack-proxy)  
+6.2.1 [DAST](#dast)  
 6.2.2 [Amass](#amass)  
 6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
 6.2.4 [Nettacker](#nettacker)  

draft/08-verification/02-tools/00-toc.md

@@ -27,7 +27,7 @@ whereas manual security testing of high-risk components requires good knowledge
 
 Sections:
 
-6.2.1 [Zed Attack Proxy](#zed-attack-proxy)  
+6.2.1 [DAST](#dast)  
 6.2.2 [Amass](#amass)  
 6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
 6.2.4 [Nettacker](#nettacker)  

draft/08-verification/02-tools/01-dast.md

@@ -0,0 +1,73 @@
+---
+
+title: DAST
+layout: col-document
+tags: OWASP Developer Guide
+contributors: Jon Gadsden, Johan Sydseter
+document: OWASP Developer Guide
+order: 821
+permalink: /draft/verification/tools/dast/
+
+---
+
+{% include breadcrumb.html %}
+
+<style type="text/css">
+.image-right {
+  height: 180px;
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+  float: right;
+}
+</style>
+
+Dynamic application security testing (DAST) represents a non-functional testing process to identify security weaknesses and
+vulnerabilities in applications. The testing process can be carried out manually or be automated. Manual assessment of an
+application involves human intervention to identify security flaws which might slip from an automated tool. Usually
+business logic errors, race condition checks, and certain zero-day vulnerabilities can only be identified using manual
+assessments.
+
+### 6.2.1 DAST tools
+
+DAST tools are programs which communicates with a web application through the web front-end in order to identify potential
+security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. Unlike static
+application security testing tools, DAST tools do not have access to the source code and therefore detect vulnerabilities
+by actually performing attacks.
+
+#### Different DAST tools
+
+The OWASP Community projects contains a [list of DAST tools][dast] can be used to conduct DAST. All of these tools have
+their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the
+[OWASP Benchmark][benchmark] project, which attempts to scientifically measure the effectiveness of all types of
+vulnerability detection tools, including DAST.
+
+#### Why use it?
+
+The big advantage of these types of tools are that they can scan year-round to be constantly searching for vulnerabilities.
+With new vulnerabilities being discovered regularly this allows companies to find and patch vulnerabilities before they
+can become exploited.
+
+#### Cons
+
+Because these tools does dynamic testing, it cannot cover 100% of the source code of the application and then, the
+application itself. The penetration tester should look at the coverage of the web application or of its attack surface to
+know if the tool was configured correctly or was able to understand the web application.
+
+#### References
+
+* [Dynamic application security testing][wikipedia]
+* [Vulnerability Scanning Tools][dast]
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue080201] or [edit on GitHub][edit080201].
+
+[benchmark]: https://owasp.org/www-project-benchmark/
+[dast]: https://owasp.org/www-community/Vulnerability_Scanning_Tools
+[edit080201]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/08-verification/02-tools/01-dast.md
+[issue080201]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2008-verification/02-tools/01-dast
+[wikipedia]: https://en.wikipedia.org/wiki/Dynamic_application_security_testing
+
+\newpage

draft/08-verification/02-tools/01-zap.md

@@ -38,7 +38,7 @@ whereas manual security testing of high-risk components requires good knowledge
 
 Sections:
 
-6.2.1 [Zed Attack Proxy](01-zap.md)  
+6.2.1 [DAST](01-dast.md)  
 6.2.2 [Amass](02-amass.md)  
 6.2.3 [Offensive Web Testing Framework](03-owtf.md)  
 6.2.4 [Nettacker](04-nettacker.md)  

draft/08-verification/02-tools/toc.md

@@ -55,7 +55,7 @@ Sections:
 6.1.2 [MAS Testing Guide](01-guides/02-mastg.md)  
 6.1.3 [Application Security Verification Standard](01-guides/03-asvs.md)  
 6.2 [Tools](02-tools/toc.md)  
-6.2.1 [Zed Attack Proxy](02-tools/01-zap.md)  
+6.2.1 [DAST](02-tools/01-dast.md)  
 6.2.2 [Amass](02-tools/02-amass.md)  
 6.2.3 [Offensive Web Testing Framework](02-tools/03-owtf.md)  
 6.2.4 [Nettacker](02-tools/04-nettacker.md)  

draft/08-verification/toc.md

@@ -79,7 +79,7 @@ This draft version has the latest contributions to the Developer Guide so expect
 6.1.2 [MAS Testing Guide](08-verification/01-guides/02-mastg.md)  
 6.1.3 [Application Security Verification Standard](08-verification/01-guides/03-asvs.md)  
 6.2 [Tools](08-verification/02-tools/toc.md)  
-6.2.1 [Zed Attack Proxy](08-verification/02-tools/01-zap.md)  
+6.2.1 [DAST](08-verification/02-tools/01-dast.md)  
 6.2.2 [Amass](08-verification/02-tools/02-amass.md)  
 6.2.3 [Offensive Web Testing Framework](08-verification/02-tools/03-owtf.md)  
 6.2.4 [Nettacker](08-verification/02-tools/04-nettacker.md)