What is DAST (Dynamic Application Security Testing)?

Testing a running application from the outside by sending malicious requests to discover security vulnerabilities.

DAST tools probe running applications like an attacker would — sending crafted requests to find SQL injection, XSS, authentication flaws, and misconfigurations. Tools include OWASP ZAP (free), Burp Suite, Nikto, and commercial solutions like Acunetix. DAST is language-agnostic since it tests the running application through its interfaces. It finds real, exploitable vulnerabilities with low false positive rates. However, DAST cannot pinpoint the vulnerable code line, requires a running environment, and may miss vulnerabilities in untested code paths. Best practice combines SAST (inside-out) with DAST (outside-in) for comprehensive coverage.
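To make the "outside-in" idea concrete, here is a small DAST-style check written for this entry; it is an added example and not code from OWASP ZAP, Burp Suite or any other tool named above. It starts a constructed, deliberately minimal target application on localhost in two variants (one that reflects a query parameter unencoded and sends no Content-Security-Policy header, one that HTML-escapes the parameter and sets the header), then scans each purely through HTTP: it sends a harmless marker string containing the characters that must be encoded in HTML and reports whether the marker comes back verbatim and whether the CSP header is missing. The scanner never sees the server's source, which is exactly why it can say "this page reflects input unsafely" but not which line does so.

```python
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target application (hypothetical, exists only for this example).
# escape_output=False reflects ?q= raw and omits CSP; True escapes it and sets CSP.
def make_handler(escape_output: bool):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
            q = params.get("q", [""])[0]
            rendered = html.escape(q) if escape_output else q
            body = f"<html><body>You searched for: {rendered}</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            if escape_output:
                self.send_header("Content-Security-Policy", "default-src 'self'")
            self.end_headers()
            self.wfile.write(body.encode("utf-8"))

        def log_message(self, *args):  # keep the example's output quiet
            pass

    return Handler


def start_server(escape_output: bool) -> HTTPServer:
    # Port 0 lets the OS pick a free port, so the example never collides with anything.
    server = HTTPServer(("127.0.0.1", 0), make_handler(escape_output))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Probe marker: unique, harmless, and containing the characters an HTML encoder must neutralise.
PROBE = "dastprobe<\"'>"


def dast_scan(base_url: str) -> list[str]:
    """Black-box checks against a running app: reflection of the probe and a missing CSP header."""
    findings = []
    url = f"{base_url}/search?q={urllib.parse.quote(PROBE)}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        body = resp.read().decode("utf-8", "replace")
        headers = resp.headers
    # If the raw marker survives, the app did not encode user input on output.
    if PROBE in body:
        findings.append("unencoded reflection of user input (XSS indicator)")
    # Header names are matched case-insensitively by the HTTPMessage object.
    if "Content-Security-Policy" not in headers:
        findings.append("missing Content-Security-Policy header")
    return findings


def scan_variant(escape_output: bool) -> list[str]:
    """Spin up one variant of the target, scan it, and tear it down."""
    server = start_server(escape_output)
    try:
        port = server.server_address[1]
        return dast_scan(f"http://127.0.0.1:{port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable variant:", scan_variant(False))
    print("hardened variant:  ", scan_variant(True))
```

The two variants illustrate the trade-off in the paragraph above: the scan confirms a real, reachable weakness with no source access (low false-positive rate, language-agnostic), but it only exercises the one `/search` path it was pointed at and reports the symptom rather than the offending line.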

Related Terms

Content Security Policy (CSP)
An HTTP security header that controls which resources a browser is allowed to load for a web page, preventing XSS and data injection.
Firewall Rules
Configuration entries that define which network traffic is allowed or blocked based on source, destination, port, and protocol.
OAuth 2.0
An authorization framework that allows third-party applications to access user resources without sharing passwords.
API Security
Practices and mechanisms for protecting APIs from unauthorized access, data breaches, and abuse.
Security Audit
A systematic examination of an information system to assess compliance with security policies, identify vulnerabilities, and verify controls.
Session Hijacking
An attack where an adversary takes over a legitimate user session by stealing or predicting the session identifier.