# dast-scanner

You are dast-scanner - a specialized skill for Dynamic Application Security Testing (DAST) execution and management. This skill provides comprehensive capabilities for runtime vulnerability detection in web applications and APIs.
## Overview

This skill enables AI-powered DAST including:

- OWASP ZAP automated and manual scanning
- Nuclei template-based vulnerability scanning
- Authenticated scanning with session management
- API security testing (REST, GraphQL, gRPC)
- Scan policy configuration and scope management
- SAST/DAST result correlation
- Comprehensive vulnerability reporting
## Prerequisites

- Target application running and accessible
- OWASP ZAP and/or Nuclei installed
- Network access to target
- Optional: Authentication credentials
- Optional: API specifications (OpenAPI, GraphQL schema)
## Capabilities

### 1. OWASP ZAP Scanning

Comprehensive web application security testing:

```bash
# Start ZAP daemon
# api.disablekey=true turns off API-key auth for the ZAP API, and -p 8080:8080
# publishes it on every host interface; use -p 127.0.0.1:8080:8080 unless the
# host is isolated.
docker run -u zap -p 8080:8080 -i ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon \
  -host 0.0.0.0 -port 8080 -config api.disablekey=true

# Quick baseline scan (passive checks only). The /zap/wrk mount is what
# makes the -J report land in the current directory instead of the container.
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://target.example.com \
  -J report.json

# Full active scan
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -J full-report.json

# API scan with a local OpenAPI definition
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t openapi.yaml \
  -f openapi \
  -J api-report.json

# Custom scan with ZAP CLI (drives the daemon started above)
zap-cli quick-scan https://target.example.com
zap-cli active-scan https://target.example.com
zap-cli report -o report.html -f html
```
#### ZAP Scan Policies

```xml
<!-- High-intensity scan policy -->
<scanPolicy>
  <name>high-intensity</name>
  <description>Comprehensive security scan</description>
  <attackStrength>INSANE</attackStrength>
  <alertThreshold>LOW</alertThreshold>
  <scanners>
    <scanner id="40012" enabled="true" attackStrength="HIGH"/>   <!-- Cross Site Scripting (Reflected) -->
    <scanner id="40018" enabled="true" attackStrength="INSANE"/> <!-- SQL Injection -->
    <scanner id="90019" enabled="true" attackStrength="HIGH"/>   <!-- Server Side Code Injection -->
    <scanner id="90020" enabled="true" attackStrength="INSANE"/> <!-- Remote OS Command Injection -->
  </scanners>
</scanPolicy>
```
### 2. Nuclei Template Scanning

Fast template-based vulnerability detection:

```bash
# Update templates
nuclei -update-templates

# Basic scan
# -jsonl writes one JSON object per line (nuclei >= 2.9; older releases spelled it -json)
nuclei -target https://target.example.com -jsonl -output nuclei-results.json

# Scan with specific templates
nuclei -target https://target.example.com \
  -templates cves/ \
  -templates vulnerabilities/ \
  -jsonl -output nuclei-results.json

# Scan with severity filter
nuclei -target https://target.example.com \
  -severity critical,high \
  -jsonl -output nuclei-critical.json

# Scan multiple targets
nuclei -list targets.txt \
  -severity critical,high,medium \
  -jsonl -output nuclei-results.json

# Scan with tags
nuclei -target https://target.example.com \
  -tags owasp,cve,xss,sqli \
  -jsonl -output nuclei-owasp.json

# Scan with rate limiting (requests per second and parallel templates)
nuclei -target https://target.example.com \
  -rate-limit 50 \
  -concurrency 10 \
  -jsonl -output nuclei-results.json

# Headless scanning for JS apps
nuclei -target https://target.example.com \
  -headless \
  -jsonl -output nuclei-headless.json
```
#### Nuclei Template Categories

| Category | Description | Templates |
|---|---|---|
| cves/ | Known CVEs | 5000+ |
| vulnerabilities/ | Generic vulnerabilities | 500+ |
| exposures/ | Sensitive data exposure | 300+ |
| misconfigurations/ | Security misconfigs | 400+ |
| technologies/ | Technology detection | 200+ |
| fuzzing/ | Fuzzing templates | 100+ |
#### Custom Nuclei Template

```yaml
# custom-templates/api-key-exposure.yaml
id: api-key-exposure

info:
  name: API Key Exposure Check
  author: security-team
  severity: high
  description: Checks for exposed API keys in responses
  tags: api,exposure,secrets

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/config"
      - "{{BaseURL}}/config.json"
      - "{{BaseURL}}/.env"

    # (?i) makes the match case-insensitive so API_KEY=... in a .env file is caught too
    matchers-condition: or
    matchers:
      - type: regex
        regex:
          - "(?i)api[_-]?key['\"]?\\s*[:=]\\s*['\"]?[a-zA-Z0-9]{20,}"
          - "(?i)secret[_-]?key['\"]?\\s*[:=]\\s*['\"]?[a-zA-Z0-9]{20,}"
        condition: or

    extractors:
      - type: regex
        regex:
          - "(?i)api[_-]?key['\"]?\\s*[:=]\\s*['\"]?([a-zA-Z0-9]{20,})"
        group: 1
```
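To see what a template's matchers will and will not flag before it is run, here is an added Python re-implementation of the matcher/extractor semantics of the template above (this is not nuclei's own code). The `(?i)` flag is an assumption added so `API_KEY=` in a `.env` file matches, and the response bodies are constructed; the third one shows that a key containing hyphens is missed because the pattern only accepts an unbroken run of 20+ alphanumerics.

```python
import re

# Patterns from the api-key-exposure template, as Python raw strings
# (the YAML double-quote escaping removed). (?i) is assumed, see lead-in.
MATCHERS = [
    r"(?i)api[_-]?key['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9]{20,}",
    r"(?i)secret[_-]?key['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9]{20,}",
]
EXTRACTOR = r"(?i)api[_-]?key['\"]?\s*[:=]\s*['\"]?([a-zA-Z0-9]{20,})"

# Constructed response bodies standing in for the three probed paths (not real data).
RESPONSES = {
    "/.env": "DB_HOST=db\nAPI_KEY=EXAMPLEKEY0123456789ABCD\n",
    "/config.json": '{"secret_key": "ZmFrZXNlY3JldDEyMzQ1Njc4OTA"}',
    # hyphenated value: 'sk' is followed by '-', so the 20+ alnum run never starts
    "/api/config": '{"api_key": "sk-live-0123456789abcdef0123", "debug": false}',
}


def evaluate(responses):
    """Apply the template's matchers (condition: or) and the extractor
    (group 1) to each body, returning what nuclei would report per path."""
    results = {}
    for path, body in responses.items():
        matched = any(re.search(p, body) for p in MATCHERS)
        extracted = [m.group(1) for m in re.finditer(EXTRACTOR, body)]
        results[path] = {"matched": matched, "extracted": extracted}
    return results


if __name__ == "__main__":
    for path, result in evaluate(RESPONSES).items():
        print(path, result)
```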
### 3. Authenticated Scanning

#### ZAP Authentication

```bash
# Form-based authentication context (context file is read and report written via the mount)
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -n context.context \
  -U authenticated-user \
  -J auth-report.json

# OAuth/Bearer token authentication: the replacer add-on rewrites the
# Authorization header on every request ZAP sends
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t openapi.yaml \
  -f openapi \
  -z "-config replacer.full_list(0).description=auth \
-config replacer.full_list(0).enabled=true \
-config replacer.full_list(0).matchtype=REQ_HEADER \
-config replacer.full_list(0).matchstr=Authorization \
-config replacer.full_list(0).replacement='Bearer $TOKEN'" \
  -J api-auth-report.json
```
#### ZAP Context File

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <context>
    <name>MyAppContext</name>
    <desc></desc>
    <inscope>true</inscope>
    <incregexes>https://target.example.com.*</incregexes>
    <excregexes>.*logout.*</excregexes>
    <tech>
      <include>Db.PostgreSQL</include>
      <include>Language.JavaScript</include>
      <include>OS.Linux</include>
    </tech>
    <authentication>
      <type>FormBasedAuthentication</type>
      <loggedin>\Qlogout\E</loggedin>
      <loggedout>\Qlogin\E</loggedout>
      <form>
        <loginurl>https://target.example.com/login</loginurl>
        <!-- a literal & in element text must be written as &amp; -->
        <loginbody>username={%username%}&amp;password={%password%}</loginbody>
      </form>
    </authentication>
    <users>
      <user>
        <name>testuser</name>
        <credentials>username=testuser&amp;password=testpass</credentials>
      </user>
    </users>
  </context>
</configuration>
```
#### Nuclei with Authentication

```bash
# Cookie-based authentication
nuclei -target https://target.example.com \
  -header "Cookie: session=abc123" \
  -jsonl -output nuclei-auth.json

# Bearer token authentication
nuclei -target https://target.example.com \
  -header "Authorization: Bearer $TOKEN" \
  -jsonl -output nuclei-auth.json

# Custom headers file: -header/-H also accepts a file path, one header:value per line
nuclei -target https://target.example.com \
  -header headers.txt \
  -jsonl -output nuclei-auth.json
```
### 4. API Security Testing

#### REST API Testing

```bash
# ZAP API scan with a remote OpenAPI definition
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -J api-report.json

# Nuclei API scanning
nuclei -target https://api.example.com \
  -tags api \
  -jsonl -output api-nuclei.json
```

#### GraphQL Testing

```bash
# ZAP GraphQL scan (introspects the endpoint to build requests)
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/graphql \
  -f graphql \
  -J graphql-report.json

# Nuclei GraphQL templates
nuclei -target https://api.example.com/graphql \
  -tags graphql \
  -jsonl -output graphql-nuclei.json
```
### 5. SAST/DAST Correlation

Correlate static and dynamic findings:

```json
{
  "correlation_report": {
    "sast_findings": 45,
    "dast_findings": 28,
    "correlated": 12,
    "sast_only": 33,
    "dast_only": 16,
    "correlations": [
      {
        "vulnerability_type": "SQL Injection",
        "sast_finding": {
          "file": "src/api/users.py",
          "line": 42,
          "rule": "python.lang.security.audit.dangerous-sql"
        },
        "dast_finding": {
          "url": "https://api.example.com/users",
          "parameter": "id",
          "evidence": "SQL syntax error"
        }
      }
    ]
  }
}
```
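An added example of producing a report in the shape shown above (not part of the skill or of any tool): findings from each side are grouped under a shared vulnerability type and paired, so `correlated` counts pairs while `sast_only` and `dast_only` count findings whose type the other tool never reported. It assumes findings are already flattened to the `file`/`line`/`rule` and `alert`/`url`/`parameter`/`evidence` keys; the rule-to-type mapping and the sample findings are constructed, and only the `dangerous-sql` rule id comes from the page.

```python
from collections import defaultdict

# Illustrative mapping from tool-specific identifiers to a shared vulnerability
# type. Only the dangerous-sql rule id is from the report above; the other rule
# ids and the ZAP alert names are assumed for this example.
SAST_RULE_TYPES = {
    "python.lang.security.audit.dangerous-sql": "SQL Injection",
    "example.audit.reflected-xss": "Cross-Site Scripting",
}
DAST_ALERT_TYPES = {
    "SQL Injection": "SQL Injection",
    "Cross Site Scripting (Reflected)": "Cross-Site Scripting",
    "X-Content-Type-Options Header Missing": "Missing Security Header",
}

# Constructed sample findings (not real scan output).
SAST_FINDINGS = [
    {"file": "src/api/users.py", "line": 42, "rule": "python.lang.security.audit.dangerous-sql"},
    {"file": "src/web/views.py", "line": 17, "rule": "example.audit.reflected-xss"},
    {"file": "src/util/hashing.py", "line": 9, "rule": "example.audit.weak-hash"},
]
DAST_FINDINGS = [
    {"alert": "SQL Injection", "url": "https://api.example.com/users",
     "parameter": "id", "evidence": "SQL syntax error"},
    {"alert": "X-Content-Type-Options Header Missing", "url": "https://api.example.com/",
     "parameter": "", "evidence": "header absent"},
]


def correlate(sast_findings, dast_findings):
    """Pair SAST and DAST findings that share a vulnerability type and count
    what each side found alone. Unmapped rules/alerts keep their raw id as
    the type, so they can only ever land in the *_only buckets."""
    sast_by_type, dast_by_type = defaultdict(list), defaultdict(list)
    for f in sast_findings:
        sast_by_type[SAST_RULE_TYPES.get(f["rule"], f["rule"])].append(f)
    for f in dast_findings:
        dast_by_type[DAST_ALERT_TYPES.get(f["alert"], f["alert"])].append(f)

    shared = sast_by_type.keys() & dast_by_type.keys()
    correlations = [
        {"vulnerability_type": t, "sast_finding": s, "dast_finding": d}
        for t in sorted(shared) for s in sast_by_type[t] for d in dast_by_type[t]
    ]
    return {"correlation_report": {
        "sast_findings": len(sast_findings),
        "dast_findings": len(dast_findings),
        "correlated": len(correlations),
        "sast_only": sum(len(v) for t, v in sast_by_type.items() if t not in shared),
        "dast_only": sum(len(v) for t, v in dast_by_type.items() if t not in shared),
        "correlations": correlations,
    }}
```

Run it with `python -c 'import json, correlate as c; print(json.dumps(c.correlate(c.SAST_FINDINGS, c.DAST_FINDINGS), indent=2))'` (module name assumed) to get the JSON form.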