Glossary

DAST

Dynamic Application Security Testing

What is DAST?

DAST (Dynamic Application Security Testing) is the practice of testing a running application from the outside, without access to its source code, by sending it requests the way an attacker would and observing how it responds. A DAST tool crawls the application, then probes every input it finds: form fields, URL parameters, headers, cookies, API endpoints. It looks for responses that reveal vulnerabilities such as injection flaws, misconfigured security headers, broken authentication, and information leaks. Because it exercises the deployed system rather than the code, DAST catches problems that exist only at runtime.

How it shows up in practice

Common DAST tools include OWASP ZAP, Burp Suite’s scanner, and commercial platforms that run scheduled scans against staging or production. A scan report typically lists findings per URL:

Reflected XSS: GET /search?q=<script>... returned payload unencoded (HTTP 200)

DAST’s blind spot is coverage. It can only test what it can reach, so pages behind complex login flows, multi-step wizards, or rarely triggered states often go untested. It also reports the symptom (a URL that misbehaves) rather than the cause (the line of code responsible), which leaves developers to trace the finding back themselves.

Why it matters in a code audit

DAST answers a question static analysis cannot: does the system as actually deployed, with its real configuration, middleware, and infrastructure, resist attack? A TLS misconfiguration, a debug endpoint left enabled, or a reverse proxy that strips an authentication header will never appear in source code review, but a dynamic probe finds them immediately.

In a manual audit, dynamic findings and code reading reinforce each other. A DAST alert on one endpoint prompts the auditor to check whether the same flawed pattern is repeated across the codebase; conversely, a suspicious pattern found in code can be confirmed exploitable with a quick live request. DAST is the runtime complement to SAST, which analyzes the code itself, and both routinely surface classics like SQL injection. For a tour of what these techniques catch most, see the top vulnerabilities code audits catch.

A free code audit pairs this kind of outside-in thinking with an actual read of your code.

Free · no strings shown later

Get your free code audit

A repo URL and two minutes of your time. A Webisoft engineer sends back written findings (security, tech debt, performance) with file-and-line specifics.

Request my free audit