dast-scanning

DAST Scanning

Test running applications for security vulnerabilities through dynamic analysis.

When to Use This Skill

Use this skill when:
  • Testing deployed applications
  • Performing automated security scans
  • Finding runtime vulnerabilities
  • Testing authentication flows
  • Validating API security

Prerequisites

  • Running application instance
  • Network access to target
  • Authorization to test the target
  • Understanding of web security

Tool Overview

| Tool | Type | Best For |
|------|------|----------|
| OWASP ZAP | OSS | Automated scanning, CI |
| Burp Suite | Commercial | Manual testing, advanced |
| Nikto | OSS | Web server scanning |
| Nuclei | OSS | Template-based scanning |
| Arachni | OSS | Comprehensive scanning |

OWASP ZAP

Docker Setup

```bash
# Run ZAP in daemon mode
docker run -d --name zap \
  -p 8080:8080 \
  -v "$(pwd)/reports:/zap/reports" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap.sh -daemon -host 0.0.0.0 -port 8080 \
  -config 'api.addrs.addr.name=.*' \
  -config api.addrs.addr.regex=true
# The two -config lines accept API calls from any address; outside a lab,
# narrow the regex to the hosts that drive the scan and set api.key.
```

Baseline Scan

```bash
# Quick baseline scan (passive checks only, safe to run against staging)
docker run --rm -v "$(pwd):/zap/wrk" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://target.example.com \
  -r baseline-report.html

# With authentication
docker run --rm -v "$(pwd):/zap/wrk" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://target.example.com \
  -r report.html \
  --auth-login-url https://target.example.com/login \
  --auth-username user \
  --auth-password pass
```

Full Scan

```bash
# Comprehensive scan (active scan included; run against staging, not production)
docker run --rm -v "$(pwd):/zap/wrk" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py -t https://target.example.com \
  -r full-report.html \
  -J full-report.json
```

API Scan

```bash
# OpenAPI specification scan
docker run --rm -v "$(pwd):/zap/wrk" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-api-scan.py -t https://target.example.com/openapi.json \
  -f openapi \
  -r api-report.html
```

ZAP Automation Framework

```yaml
# zap-automation.yaml
env:
  contexts:
    - name: "Default Context"
      urls:
        - "https://target.example.com"
      includePaths:
        - "https://target.example.com/.*"
      excludePaths:
        - "https://target.example.com/logout.*"   # never let the spider log the user out
      authentication:
        method: "form"
        parameters:
          loginUrl: "https://target.example.com/login"
          loginRequestData: "username={%username%}&password={%password%}"
        verification:
          method: "response"
          loggedInRegex: "\\QWelcome\\E"   # backslashes escaped for a double-quoted YAML string
      users:
        - name: "testuser"
          credentials:
            username: "test@example.com"
            password: "password123"   # test account only; keep real credentials out of the file

jobs:
  - type: spider
    parameters:
      context: "Default Context"
      user: "testuser"
      maxDuration: 10
  - type: spiderAjax
    parameters:
      context: "Default Context"
      user: "testuser"
      maxDuration: 10
  - type: passiveScan-wait
    parameters:
      maxDuration: 5
  - type: activeScan
    parameters:
      context: "Default Context"
      user: "testuser"
      policy: "Default Policy"
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk/reports"   # under the mounted /zap/wrk so the report survives the container
      reportFile: "zap-report"
```

```bash
# Run automation
docker run --rm -v "$(pwd):/zap/wrk" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap.sh -cmd -autorun /zap/wrk/zap-automation.yaml
```

CI/CD Integration

GitHub Actions

```yaml
name: DAST Scan

on:
  workflow_dispatch:
  schedule:
    - cron: '0 2 * * *'

jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Start Application
        run: |
          docker-compose up -d
          sleep 30  # Wait for app to be ready

      - name: OWASP ZAP Scan
        uses: zaproxy/action-full-scan@v0.8.0
        with:
          target: 'http://localhost:8080'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

      - name: Upload Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-report
          path: report_html.html
```

GitLab CI

```yaml
dast:
  stage: security
  image: ghcr.io/zaproxy/zaproxy:stable
  variables:
    TARGET_URL: $DAST_TARGET_URL
  script:
    # zap-baseline.py resolves -r relative to /zap/wrk, not the checkout directory
    - mkdir -p /zap/wrk/reports
    - zap-baseline.py -t "$TARGET_URL" -r reports/zap-report.html -I
  after_script:
    # runs even when the scan step fails, so the report is still collected
    - mkdir -p "$CI_PROJECT_DIR/reports" && cp /zap/wrk/reports/*.html "$CI_PROJECT_DIR/reports/" || true
  artifacts:
    when: always
    paths:
      - reports/
    expire_in: 1 week
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
```
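A CI gate over the JSON report that zap-full-scan.py writes with -J, as an added example (not code from the ZAP project or from this page). It assumes the "traditional" JSON report layout (site[] entries with alerts[] carrying pluginid, riskcode and instances) and embeds a constructed sample report so it runs stand-alone; point it at a real report by passing the path as the first argument.

```python
import json
import sys

# riskcode values used in ZAP reports: 0 info, 1 low, 2 medium, 3 high
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def load_alerts(report_text):
    """Flatten every site's alerts into (site, alert) pairs."""
    report = json.loads(report_text)
    return [(site.get("@name", "?"), alert)
            for site in report.get("site", [])
            for alert in site.get("alerts", [])]


def failing_alerts(report_text, min_risk=2, ignore_plugins=()):
    """Alerts at or above min_risk, minus allow-listed plugin ids (the same
    idea as IGNORE entries in the rules.tsv used by the scan actions)."""
    out = []
    for site, alert in load_alerts(report_text):
        code = int(alert.get("riskcode", "0"))
        if alert.get("pluginid") in ignore_plugins or code < min_risk:
            continue
        out.append({"site": site, "plugin": alert.get("pluginid"),
                    "name": alert.get("alert"), "riskcode": code,
                    "risk": RISK_NAMES.get(str(code), "?"),
                    "instances": len(alert.get("instances", []))})
    # Highest risk first so the CI log leads with what matters most
    return sorted(out, key=lambda a: -a["riskcode"])


# Constructed sample report (not real scan output) for a stand-alone run
SAMPLE_REPORT = json.dumps({"site": [{"@name": "https://target.example.com",
    "alerts": [
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
         "riskcode": "3", "confidence": "2",
         "instances": [{"uri": "https://target.example.com/search?q=x"}]},
        {"pluginid": "10038", "alert": "Content Security Policy Header Not Set",
         "riskcode": "2", "confidence": "3", "instances": [{"uri": "/"}, {"uri": "/login"}]},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
         "riskcode": "1", "confidence": "2", "instances": [{"uri": "/"}]}]}]})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    failures = failing_alerts(text)
    for f in failures:
        print(f"{f['risk']:<6} {f['plugin']} {f['name']} ({f['instances']} instances) at {f['site']}")
    sys.exit(1 if failures else 0)
```

Exiting non-zero whenever a Medium or High alert survives the allow-list is what makes the scan job block a pipeline instead of only producing an artifact.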

Burp Suite Automation

REST API Usage

```python
import time

import requests


class BurpScanner:
    """Minimal client for the Burp Suite REST API scan endpoints."""

    def __init__(self, api_url, api_key):
        self.api_url = api_url
        self.headers = {'Authorization': api_key}

    def create_scan(self, target_url):
        """Create and start a new scan; returns the task id from the Location header."""
        payload = {
            'scan_configurations': [
                {'name': 'Crawl and Audit - Balanced'}
            ],
            'scope': {
                'include': [{'rule': target_url}]
            },
            'urls': [target_url]
        }
        response = requests.post(
            f'{self.api_url}/v0.1/scan',
            json=payload,
            headers=self.headers,
            timeout=30
        )
        response.raise_for_status()
        return response.headers.get('Location')

    def get_scan_status(self, scan_id):
        """Get scan status."""
        response = requests.get(
            f'{self.api_url}/v0.1/scan/{scan_id}',
            headers=self.headers,
            timeout=30
        )
        response.raise_for_status()
        return response.json()

    def get_issues(self, scan_id):
        """Get scan issues."""
        response = requests.get(
            f'{self.api_url}/v0.1/scan/{scan_id}/issues',
            headers=self.headers,
            timeout=30
        )
        response.raise_for_status()
        return response.json()


# Usage
scanner = BurpScanner('http://burp:1337', 'api-key')
scan_id = scanner.create_scan('https://target.example.com')

# Poll until the scan finishes; stop on failure too, or the loop never ends
while True:
    status = scanner.get_scan_status(scan_id)
    if status['scan_status'] in ('succeeded', 'failed'):
        break
    time.sleep(30)

issues = scanner.get_issues(scan_id)
```

Nikto

Basic Scanning

```bash
# Install
apt-get install nikto

# Basic scan
nikto -h https://target.example.com

# With specific options
nikto -h https://target.example.com \
  -ssl \
  -Tuning 123bde \
  -output nikto-report.html \
  -Format html

# Scan specific ports
nikto -h target.example.com -p 80,443,8080
```

Common DAST Findings

OWASP Top 10

```yaml
owasp_findings:
  A01_Broken_Access_Control:
    - IDOR vulnerabilities
    - Missing function-level access control
    - Privilege escalation

  A02_Cryptographic_Failures:
    - Sensitive data in URLs
    - Missing HTTPS
    - Weak ciphers

  A03_Injection:
    - SQL injection
    - Command injection
    - XSS

  A05_Security_Misconfiguration:
    - Default credentials
    - Verbose error messages
    - Missing security headers

  A07_Auth_Failures:
    - Weak passwords accepted
    - Session fixation
    - Missing MFA
```

Security Headers Check

```bash
# Check security headers (-E is needed for the | alternation; plain grep treats it literally)
curl -sI https://target.example.com | grep -iE "x-|content-security|strict"
# -I sends a HEAD request; if the server answers HEAD differently from GET, use:
# curl -s -o /dev/null -D - https://target.example.com | grep -iE "x-|content-security|strict"

# Expected headers:
# X-Content-Type-Options: nosniff
# X-Frame-Options: DENY
# X-XSS-Protection: 1; mode=block
# Content-Security-Policy: default-src 'self'
# Strict-Transport-Security: max-age=31536000
```
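A checker that applies the expectations above to `curl -I` output, as an added example that is not part of the original page. The thresholds (nosniff, DENY or SAMEORIGIN, a default-src directive, a one-year HSTS max-age) come from the list above; the sample response is constructed.

```python
# Minimum HSTS lifetime the page expects (one year, in seconds)
HSTS_MIN_AGE = 31536000


def parse_headers(raw):
    """Turn `curl -I` output into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value):
    """max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def check_headers(headers):
    """Return one finding per missing or weak header; [] means all checks passed."""
    findings = []
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "")
    # Clickjacking defence: X-Frame-Options or a CSP frame-ancestors directive
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "default-src" not in csp:
        findings.append("Content-Security-Policy has no default-src fallback")
    if hsts_max_age(headers.get("strict-transport-security", "")) < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    # X-XSS-Protection (listed above) is not checked: current browsers ignore it
    return findings


# Constructed sample of `curl -I` output (not a real response)
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
x-content-type-options: nosniff
strict-transport-security: max-age=300
content-security-policy: script-src 'self'
"""
```

Run `check_headers(parse_headers(SAMPLE_RESPONSE))` to see the three findings the sample produces (no clickjacking protection, no default-src, short HSTS lifetime).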

Custom Test Cases

```yaml
# Test authentication
tests:
  - name: "Authentication Bypass"
    steps:
      - Access protected resource without auth
      - Verify 401/403 response
      - Access with valid auth
      - Verify 200 response
  - name: "Session Management"
    steps:
      - Login and capture session token
      - Logout
      - Attempt to use old session
      - Verify session invalidated
  - name: "Input Validation"
    steps:
      - Submit XSS payload in all inputs
      - Submit SQL injection in all inputs
      - Verify proper sanitization
```
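The first two test cases above in runnable form, as an added example not taken from the page. `send(method, url, fields) -> (status, headers)` is an assumed adapter so the same checks run against a real application through an HTTP client or, as here, against a constructed in-memory stand-in; the X-Session-Token header name and the /login, /logout and /account paths are assumptions.

```python
import secrets


def check_auth_bypass(send, protected_url, auth_fields):
    """Unauthenticated access must be refused and valid auth accepted."""
    findings = []
    status, _ = send("GET", protected_url, {})
    if status not in (401, 403):
        findings.append(f"unauthenticated GET {protected_url} returned {status}")
    status, _ = send("GET", protected_url, auth_fields)
    if status != 200:
        findings.append(f"authenticated GET {protected_url} returned {status}")
    return findings


def check_session_invalidation(send, login_url, logout_url, protected_url, creds):
    """A session token captured at login must stop working after logout."""
    status, hdrs = send("POST", login_url, creds)
    token = hdrs.get("X-Session-Token")
    if status != 200 or not token:
        return [f"login to {login_url} failed with status {status}"]
    auth = {"X-Session-Token": token}
    send("POST", logout_url, auth)
    status, _ = send("GET", protected_url, auth)
    return [] if status in (401, 403) else [f"old session token still accepted after logout ({status})"]


def make_fake_app(invalidate_on_logout=True):
    """Constructed in-memory stand-in for a target (not a real app); the
    flag lets the 'session not invalidated' failure mode be reproduced."""
    live_tokens = set()

    def send(method, url, fields):
        if method == "POST" and url == "/login":
            if fields.get("password") != "pass":
                return 401, {}
            token = secrets.token_hex(16)
            live_tokens.add(token)
            return 200, {"X-Session-Token": token}
        if method == "POST" and url == "/logout":
            if invalidate_on_logout:
                live_tokens.discard(fields.get("X-Session-Token"))
            return 200, {}
        if method == "GET" and url == "/account":
            ok = fields.get("X-Session-Token") in live_tokens
            return (200, {}) if ok else (401, {})
        return 404, {}

    return send
```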

Common Issues

Issue: False Positives

Problem: Scanner reports non-vulnerabilities
Solution: Configure scan policy, review findings manually

Issue: Missing Authentication

Problem: Cannot scan authenticated areas
Solution: Configure authentication context, use session tokens

Issue: Incomplete Coverage

Problem: Scanner misses endpoints
Solution: Import API specs, improve spidering, use authenticated scanning

Best Practices

  • Test in staging environment first
  • Configure proper authentication
  • Import API specifications for complete coverage
  • Review findings before reporting
  • Combine with manual testing
  • Run regular scans (weekly minimum)
  • Track findings over time
  • Coordinate with development team

Related Skills

  • sast-scanning - Static analysis
  • penetration-testing - Manual testing
  • waf-setup - WAF configuration