# DAST: Dynamic Application Security Testing

DAST (Dynamic Application Security Testing) tests the running application by attacking it the way an external attacker would. It finds the vulnerabilities SAST does not see: server misconfiguration, runtime vulnerabilities and authentication problems.
## OWASP ZAP

```bash
# Baseline scan: quick passive check (5-10 minutes); ./reports must exist
docker run --rm \
  -v $(pwd)/reports:/zap/wrk:rw \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py \
    -t https://staging.mysite.com \
    -r zap-baseline-report.html \
    -J zap-baseline-report.json \
    -l WARN   # report only WARN and FAIL

# Full scan: active scanning (30-60 minutes)
docker run --rm \
  -v $(pwd)/reports:/zap/wrk:rw \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py \
    -t https://staging.mysite.com \
    -r zap-full-report.html \
    -J zap-full-report.json

# API scan: driven by the OpenAPI specification
docker run --rm \
  -v $(pwd)/reports:/zap/wrk:rw \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-api-scan.py \
    -t https://api.staging.mysite.com/openapi.json \
    -f openapi \
    -r zap-api-report.html
```
## GitHub Actions: ZAP in CI/CD

```yaml
# .github/workflows/dast.yml
name: DAST
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 2 * * 1'   # Weekly, Monday at 02:00 UTC
jobs:
  zap-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Start application
        run: |
          docker compose -f docker-compose.test.yml up -d
          sleep 30   # Wait for startup
      - name: Run ZAP Baseline Scan
        uses: zaproxy/action-baseline@<release-tag>   # pin to a specific release tag
        with:
          target: http://localhost:3000
          rules_file_name: .zap/rules.tsv
          cmd_options: '-a'   # include the alpha passive-scan rules; the baseline scan never runs active scans
      - name: Upload ZAP report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-report
          path: report_html.html
      - name: Stop application
        if: always()
        run: docker compose -f docker-compose.test.yml down
```

```text
# .zap/rules.tsv: configure rule actions (WARN / IGNORE / FAIL)
# columns are separated by a single TAB: rule_id, action, comment
10017	WARN	X-Frame-Options header: warning
10038	WARN	Content Security Policy: warning
40012	FAIL	Cross Site Scripting: critical
40018	FAIL	SQL Injection: critical
90011	IGNORE	Charset mismatch: ignore
```
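The rules file only covers the alert IDs you list; anything else the scanner reports is left to the script's defaults. As an added example (not part of the original page or of the ZAP project), the script below reads the JSON report written with `-J`, applies the same FAIL/WARN/IGNORE actions as rules.tsv, and fails the build for any unlisted alert at risk level High or above, so a new finding cannot pass just because nobody wrote a rule for it. It assumes ZAP's traditional JSON report layout (`site[].alerts[]` with `pluginid` and `riskcode`); the report and the rules text are constructed samples.

```python
import json

# Constructed sample in the shape of ZAP's traditional JSON report
# (site[].alerts[] with pluginid/riskcode); not real scanner output.
SAMPLE_REPORT = json.dumps({"site": [{"@name": "https://staging.example.test", "alerts": [
    {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3", "instances": [{"uri": "/search?q=x"}]},
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2", "instances": [{"uri": "/"}]},
    {"pluginid": "90011", "alert": "Charset Mismatch", "riskcode": "0", "instances": [{"uri": "/"}]},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "instances": [{"uri": "/"}]},
]}]})

# Same layout as .zap/rules.tsv: rule_id TAB action TAB comment (constructed)
SAMPLE_RULES = "# id\taction\treason\n10038\tWARN\tCSP\n40012\tFAIL\tXSS\n90011\tIGNORE\tcharset\n"

def parse_rules(tsv_text):
    """Parse rules.tsv into {plugin_id: action}; a malformed line raises instead of being skipped."""
    rules = {}
    for lineno, line in enumerate(tsv_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2 or parts[1].strip().upper() not in ("FAIL", "WARN", "IGNORE"):
            raise ValueError(f"rules.tsv line {lineno}: expected '<id>\\t<FAIL|WARN|IGNORE>'")
        rules[parts[0].strip()] = parts[1].strip().upper()
    return rules

def gate(report_json, rules, fail_risk=3):
    """Return (verdict, fails, warns). An explicit rule wins; an alert with no rule
    fails when riskcode >= fail_risk (3 = High) and warns otherwise."""
    fails, warns = [], []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            pid = str(alert["pluginid"])
            action = rules.get(pid)
            if action is None:
                action = "FAIL" if int(alert.get("riskcode", 0)) >= fail_risk else "WARN"
            entry = (pid, alert["alert"], len(alert.get("instances", [])))
            if action == "FAIL":
                fails.append(entry)
            elif action == "WARN":
                warns.append(entry)   # IGNORE entries are dropped
    return ("FAIL" if fails else "PASS"), fails, warns

if __name__ == "__main__":
    verdict, fails, warns = gate(SAMPLE_REPORT, parse_rules(SAMPLE_RULES))
    for tag, items in (("FAIL", fails), ("WARN", warns)):
        for pid, name, n in items:
            print(f"{tag} {pid} {name} ({n} instance(s))")
    raise SystemExit(1 if verdict == "FAIL" else 0)
```

In CI, replace the constructed samples with the contents of `reports/zap-baseline-report.json` and `.zap/rules.tsv`; the non-zero exit status is what fails the job.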
## Nuclei: CVE Template Scanning

```bash
# Installation
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Update templates
nuclei -update-templates

# Scan for critical vulnerabilities
nuclei -u https://staging.mysite.com \
  -severity critical,high \
  -tags cve,owasp \
  -o nuclei-results.txt \
  -json-export nuclei-results.json

# Scan by category (tune -rate-limit to what the staging environment can absorb)
nuclei -u https://staging.mysite.com \
  -tags sqli,xss,ssrf,rce \
  -rate-limit 50 \
  -timeout 10
```
## Burp Suite: Manual Testing

```python
# Burp Suite API: start a scan via the REST API
import requests

# If the REST API is configured with an API key, the key is a path segment:
# http://localhost:1337/<API_KEY>/v0.1
BURP_API = "http://localhost:1337/v0.1"

# Create a new scan task
response = requests.post(f"{BURP_API}/scan", json={
    "urls": ["https://staging.mysite.com"],
    "scope": {
        "type": "SimpleScope",
        "include": [{"rule": "https://staging.mysite.com/.*"}],
    },
    "scan_configurations": [
        {"type": "NamedConfiguration", "name": "Crawl and Audit - Balanced"}
    ],
}, timeout=30)
response.raise_for_status()

# The API answers 201 Created with an empty body; the task id is returned
# in the Location header, not as JSON
scan_id = response.headers["Location"]
print(f"Scan ID: {scan_id}")

# Progress and issues can then be polled from GET {BURP_API}/scan/{scan_id}
```
## DAST for APIs: Rules

DAST is especially important for APIs:

- Authorization testing: access to other users' resources (IDOR)
- Injection through every input point
- Business-logic flaws (bypassing restrictions)

```bash
# API security testing: OWASP ZAP + Postman collection
# (zap-cli is a third-party wrapper around the ZAP API; it assumes a local ZAP
#  install and the ZAP API key passed with --api-key)
zap-cli --port 8090 start
zap-cli --port 8090 open-url https://api.staging.mysite.com
zap-cli --port 8090 spider https://api.staging.mysite.com
zap-cli --port 8090 active-scan https://api.staging.mysite.com
zap-cli --port 8090 report -o api-security-report.html -f html
```
DAST is run against a staging environment, not production: active scanning generates load and may modify data.

Setting up a DAST pipeline with ZAP in GitHub Actions takes 1–2 business days.