
Dynamic Analysis (DAST)

What is DAST?

DAST is a complement to SAST, not a replacement

SAST looks at the code and DAST looks at the running app. The two must be applied together to reduce blind spots.

Definition: DAST sends real HTTP requests to a running instance of the application, with no access to its source code, and inspects the responses to find runtime vulnerabilities such as SQL injection, XSS, authentication bypass and sensitive-information disclosure.

Differences from SAST: SAST runs early, while code is being written, but it cannot see runtime behaviour: deployed configuration, framework and middleware defaults, response headers, and how components interact. DAST tests the behaviour of a deployed (staging) instance, so it finds issues SAST misses. The reverse also holds: DAST only sees what it can reach and cannot point at a line of code, which is why the two are used together.


Tool Comparison

| Tool | Features | Main uses | License |
|---|---|---|---|
| OWASP ZAP | De-facto standard open-source scanner; GUI, REST API and headless Docker scans for automation | Full scan of web apps and APIs (passive and active checks) | Apache-2.0 |
| Nuclei | Template-driven (YAML templates with a community-maintained library), fast, lightweight | Scanning for known vulnerability patterns | MIT |

We recommend OWASP ZAP for deep web-app scanning and Nuclei for quick checks for known CVEs and misconfigurations.


OWASP ZAP settings

GitHub Actions

```yaml
# .github/workflows/dast-zap.yml
name: DAST — OWASP ZAP

on:
  pull_request:            # Baseline scan on every PR
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  zap:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # run app (e.g., Docker Compose)
      - name: Start application
        run: |
          docker compose up -d
          # wait until the app answers instead of sleeping a fixed time;
          # point this at a health endpoint if the app has one
          for i in $(seq 1 30); do
            curl -sf http://localhost:8080/ >/dev/null && break
            sleep 2
          done
          curl -sf http://localhost:8080/ >/dev/null || { docker compose logs; exit 1; }

      # ZAP Baseline scan (spider plus passive checks only, no attack payloads; safe on every PR)
      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.12.0
        with:
          target: http://localhost:8080
          rules_file_name: zap-rules.tsv
          fail_action: true
          allow_issue_writing: false   # keep findings in the report instead of opening GitHub issues

      # both actions write report_html.html into the workspace; keep the baseline copy
      - name: Keep baseline report
        run: mv report_html.html baseline_report_html.html

      # ZAP API scan (requests generated from the OpenAPI spec, followed by an active scan)
      - name: ZAP API Scan
        uses: zaproxy/action-api-scan@v0.7.0
        with:
          target: http://localhost:8080/api/openapi.json
          format: openapi
          rules_file_name: zap-rules.tsv
          fail_action: true
          allow_issue_writing: false

      - name: Upload ZAP reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-report
          path: |
            baseline_report_html.html
            report_html.html
```

Select scan type

| Scan type | Action | What it does | Time required | Recommended situation |
|---|---|---|---|---|
| Baseline | action-baseline | Spiders the site briefly (one minute by default) and runs passive checks only; sends no attack payloads | 2~5 minutes | Basic check on every PR |
| API Scan | action-api-scan | Imports the OpenAPI, SOAP or GraphQL definition, requests every operation and actively scans them | 5~15 minutes | When an API specification is available |
| Full Scan | action-full-scan | Full spider (AJAX spider too with -j) followed by an active scan of everything found | 20 minutes+ | In-depth check before release |

We recommend a dual strategy: run Baseline on every PR and Full Scan (plus the API scan when you have a specification) before release. Only Baseline is passive; the other two send attack payloads and can create, modify or delete data, so they belong in a staging environment, never production.

Rules file settings

Which alerts are ignored, reported or treated as failures is controlled per scan rule in the zap-rules.tsv file referenced by rules_file_name. Each line is <rule id><TAB><IGNORE|WARN|FAIL><TAB>(<name>): the columns must be separated by tabs, and the bracketed name is informational only; ZAP matches on the numeric scan-rule id.

```
# zap-rules.tsv
10016	IGNORE	(Web Browser XSS Protection Not Enabled; legacy browser support not required)
10020	WARN	(X-Frame-Options Header Not Set)
10202	FAIL	(Absence of Anti-CSRF Tokens)
```

Each rule can be set to one of three levels: IGNORE (not reported), WARN (reported, scan continues) or FAIL (fails the scan). Rules missing from the file default to WARN; `zap-baseline.py -g zap-rules.tsv` writes a starter file listing every rule as WARN, which you can tighten over time. Note that the ZAP scan scripts exit with code 1 on FAIL and 2 when only WARN alerts remain, and fail_action: true fails the job on either; add cmd_options: '-I' to report warnings without failing the build.


Nuclei settings

GitHub Actions

```yaml
# .github/workflows/dast-nuclei.yml
name: DAST — Nuclei

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  nuclei:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Start application
        run: |
          docker compose up -d
          # wait until the app answers instead of sleeping a fixed time
          for i in $(seq 1 30); do
            curl -sf http://localhost:8080/ >/dev/null && break
            sleep 2
          done

      - name: Run Nuclei
        uses: projectdiscovery/nuclei-action@main   # pin to a tagged release in real use
        with:
          target: http://localhost:8080
          # template directories as laid out in the current nuclei-templates repository
          templates: http/cves,http/misconfiguration,http/exposures
          output: nuclei.log
          # severity filter and JSON-lines output are passed through as nuclei CLI flags
          flags: "-severity medium,high,critical -jsonl"

      # gate on the output explicitly: each nuclei.log line is one JSON object with info.severity
      - name: Fail on high or critical findings
        run: |
          if [ -s nuclei.log ] && jq -r '.info.severity' nuclei.log | grep -qiE '^(high|critical)$'; then
            echo "high/critical findings in nuclei.log"; exit 1
          fi

      - name: Upload Nuclei report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: nuclei-report
          path: nuclei.log
```

Main template categories

| Category | Description |
|---|---|
| cves | Checks for known CVEs |
| misconfiguration | Security misconfigurations (debug modes, open admin panels, permissive settings) |
| exposures | Exposed sensitive information or files (backups, configuration files, tokens) |
| default-logins | Default accounts and passwords |
| takeovers | Subdomain takeover candidates (dangling DNS records) |

In the current nuclei-templates layout these directories live under http/ (http/cves, http/default-logins and so on), which is the path form the templates input expects.
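Both workflows above take their pass/fail decision inside the job (ZAP's rules file, a severity grep for Nuclei). The script below, added here as an example and not code from ZAP, Nuclei or this project, makes that decision in one place so it can be read, tested and reused: it applies a zap-rules.tsv policy to ZAP's JSON report (report_json.json, which the ZAP actions write next to report_html.html), applies a severity threshold to Nuclei's -jsonl output with duplicate hits collapsed, and folds both into one verdict and a zap-baseline-style exit code. The sample rules, report and Nuclei lines are constructed; the field names assumed for the two report formats and the example-* template ids are assumptions to check against real output.

```python
"""Gate a CI job on ZAP and Nuclei results with one policy (added example, not
project code). Assumed layouts, to check against real files: ZAP's traditional
JSON report (site[].alerts[] with pluginid, alert, instances[]) and Nuclei's
-jsonl lines (template-id, matched-at, info.severity, info.name)."""
import json
import sys

SEVERITY_RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
ZAP_ACTIONS = {"IGNORE", "WARN", "FAIL"}

# ---- constructed sample inputs, not real scan output ----------------------
SAMPLE_RULES = (  # real files are tab-separated: <id><TAB><ACTION><TAB>(<name>)
    "# zap-rules.tsv\n"
    "10016\tIGNORE\t(Web Browser XSS Protection Not Enabled)\n"
    "10020\tWARN\t(X-Frame-Options Header Not Set)\n"
    "10202\tFAIL\t(Absence of Anti-CSRF Tokens)\n"
)
SAMPLE_ZAP_REPORT = {"site": [{"@name": "http://localhost:8080", "alerts": [
    {"pluginid": "10016", "alert": "Web Browser XSS Protection Not Enabled",
     "instances": [{"uri": "http://localhost:8080/", "method": "GET"}]},
    {"pluginid": "10020", "alert": "X-Frame-Options Header Not Set",
     "instances": [{"uri": "http://localhost:8080/login", "method": "GET"}]},
    {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens",
     "instances": [{"uri": "http://localhost:8080/login", "method": "GET"}]},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",  # not in rules file
     "instances": [{"uri": "http://localhost:8080/", "method": "GET"}]},
]}]}
SAMPLE_NUCLEI_LOG = "\n".join(json.dumps(hit) for hit in [  # hypothetical template ids
    {"template-id": "example-debug-endpoint", "matched-at": "http://localhost:8080/debug",
     "info": {"name": "Debug endpoint exposed", "severity": "medium"}},
    {"template-id": "example-default-login", "matched-at": "http://localhost:8080/admin",
     "info": {"name": "Default admin credentials accepted", "severity": "high"}},
    {"template-id": "example-default-login", "matched-at": "http://localhost:8080/admin",
     "info": {"name": "Default admin credentials accepted", "severity": "high"}},  # duplicate
])

def parse_zap_rules(text):
    """Map rule id -> action. '#' comments and blank lines are skipped; the name
    column is informational, as in the file zap-baseline.py -g generates."""
    rules = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2 or parts[1] not in ZAP_ACTIONS:
            raise ValueError(f"zap-rules.tsv line {n}: expected '<id><TAB><IGNORE|WARN|FAIL>'")
        rules[parts[0]] = parts[1]
    return rules

def zap_findings(report, rules, default="WARN"):
    """One (action, pluginid, name, instance count) per alert not set to IGNORE;
    rules absent from the file get `default`, as ZAP treats unlisted rules."""
    out = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            pid = str(alert["pluginid"])
            action = rules.get(pid, default)
            if action != "IGNORE":
                out.append((action, pid, alert.get("alert", ""), len(alert.get("instances", []))))
    return out

def nuclei_findings(jsonl, fail_at="high"):
    """One (action, template-id, name, severity) per unique (template, URL);
    repeated hits for the same template and location are collapsed."""
    out, seen = [], set()
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        hit = json.loads(line)
        key = (hit["template-id"], hit.get("matched-at"))
        if key in seen:
            continue
        seen.add(key)
        sev = hit["info"]["severity"].lower()
        action = "FAIL" if SEVERITY_RANK[sev] >= SEVERITY_RANK[fail_at] else "WARN"
        out.append((action, hit["template-id"], hit["info"].get("name", ""), sev))
    return out

def verdict(findings):
    """PASS, WARN or FAIL across the findings of both tools."""
    actions = {f[0] for f in findings}
    return "FAIL" if "FAIL" in actions else ("WARN" if actions else "PASS")

def exit_code(v, ignore_warnings=False):
    """zap-baseline.py convention: 0 clean, 1 FAIL, 2 WARN only; ignore_warnings
    mirrors its -I option so warnings are reported without failing the job."""
    return {"FAIL": 1, "WARN": 0 if ignore_warnings else 2, "PASS": 0}[v]

if __name__ == "__main__":
    if len(sys.argv) == 4:  # dast_gate.py zap-rules.tsv report_json.json nuclei.log
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g, open(sys.argv[3]) as h:
            rules_text, report, log = f.read(), json.load(g), h.read()
    else:  # no arguments: run against the constructed samples above
        rules_text, report, log = SAMPLE_RULES, SAMPLE_ZAP_REPORT, SAMPLE_NUCLEI_LOG
    found = zap_findings(report, parse_zap_rules(rules_text)) + nuclei_findings(log)
    for action, ident, name, extra in found:
        print(f"{action:4} {ident:<24} {name} ({extra})")
    v = verdict(found)
    print("verdict:", v)
    sys.exit(exit_code(v))
```

Run it with no arguments to see the sample decision, or as `python dast_gate.py zap-rules.tsv report_json.json nuclei.log` after both scans have written their reports. Because rules absent from the file default to WARN, a rollout can start with a nearly empty rules file and a Nuclei threshold of critical, then promote individual ZAP rules to FAIL and lower the threshold as the findings prove reliable.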

Precautions when introducing DAST

Be sure to run DAST in an isolated test environment.

Environment separation: Because DAST sends real HTTP requests, including attack payloads during active scans, running it against production can corrupt data (forms get submitted, records get created or deleted) and disrupt the service. Run it only against a staging/test environment seeded with disposable data, and make sure that environment does not send real e-mail or call third-party systems on the application's behalf.

Authentication settings: An unauthenticated scan sees little more than the login page. To cover endpoints behind authentication, give the scanner a session for a dedicated test account. ZAP can inject a bearer token into every request through its replacer add-on, configured with the scan scripts' -z option (for example -config replacer.full_list(0).enabled=true -config replacer.full_list(0).matchtype=REQ_HEADER -config replacer.full_list(0).matchstr=Authorization -config replacer.full_list(0).regex=false -config replacer.full_list(0).replacement=Bearer <token>, passed via cmd_options in the GitHub actions), or load a context file with -n; Nuclei takes the same header with -H "Authorization: Bearer <token>". Keep the token in a CI secret rather than in the workflow file, and never use a real user's account, since an active scan may change or delete whatever that account can reach.

False positive management: Baseline scans consist mostly of passive checks (missing headers, cookie flags) that are noisy and often low impact, and active checks can misfire on dynamic content, so do not gate the build on the raw output. Start with every rule at WARN, triage the first reports, then promote the rules you trust to FAIL and set the rest to IGNORE with a reason recorded in the rules file.


Next steps