Services

AI & Agentic Systems Core Information Systems Cloud & Platform Engineering Data Platform & Integration Security & Compliance QA, Testing & Observability IoT, Automation & Robotics Mobile & Digital

Industries

Banking & Finance Insurance Public Administration Defense & Security Healthcare Energy & Utilities Telco & Media Manufacturing Logistics & E-commerce Retail & Loyalty

References Technologies

Lab

Blog Know-how Tools

About Collaboration Careers

CS EN DE

DAST Tools — Dynamic Analysis

27. 02. 2024 1 min read intermediate

DAST tests a running application from the outside — like an attacker. It finds runtime vulnerabilities that SAST cannot see.

OWASP ZAP¶

Docker — automatic scan¶

docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \ -t https://target.com -r report.html

Full scan¶

docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \ -t https://target.com

Nuclei¶

Installation¶

go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Scanning¶

nuclei -u https://target.com -t cves/ nuclei -u https://target.com -t vulnerabilities/

CI/CD¶

GitHub Actions — ZAP baseline¶

name: ZAP Scan uses: zaproxy/[email protected] with: target: ‘https://staging.example.com’

Key Takeaway¶

DAST = testing a running application. ZAP for web apps, Nuclei for infra. Combine with SAST for complete coverage.

securitydasttestingzap

Share:

CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience with enterprise IT.

All articles

More know-how

DevSecOps — Security in Every Step of the CI/CD Pipeline

Security as an afterthought is expensive. How we integrated SAST, DAST, dependency scanning, and compliance checks...

Burp Suite Basics — Web Security Testing

How to use Burp Suite for web application testing.

Kubernetes RBAC — Access Control in a Multi-Tenant Cluster

RBAC in Kubernetes 1.6 finally enables granular access control. How we set up isolation for multiple teams in a...