DAST
Dynamic application security testing (DAST) tests a running application from the outside, the way an attacker would, to identify security vulnerabilities and architectural weaknesses that only show up at runtime.
CloudDefense DAST scans run against a live application from our fully packaged Docker image, so no additional software needs to be installed. Make sure the following prerequisites are in place before running a scan.

Prerequisites

    Install the CloudDefense CLI
    Install Docker if it is not already present (version 18.x or greater)

What is DAST?

A segment by Tanya Janca, an AppSec celebrity best known for founding We Hack Purple. The video covers what DAST (Dynamic Application Security Testing) is and how to fold DAST scanning and pen-testing into your application security process.
https://www.youtube.com/watch?v=EWYHBLnKlP4

Your source code and application never leave your environment; Cloud Defense does not store them or have any kind of access to them.

Example

Run the following command from your console:

```shell
cdefense dast --api-key=<YOUR_API_KEY> \
  --url="<application url>" --project-name="my-python-project"
```
Run the following command for applications that require authentication:

```shell
cdefense dast --api-key=<YOUR_API_KEY> \
  --url="<application url>" --project-name="my-python-project" \
  --login-url=https://<application url>/login \
  --username-field=<username-field> \
  --username=<emailaddress> \
  --password-field=password \
  --password=<password> \
  --auth-type=<auth-type>
```
To enter the password securely, use the --W option in place of --password, so the password does not end up in your shell history or in process listings visible to other users on the host:

```shell
cdefense dast --api-key=<YOUR_API_KEY> \
  --url="<application url>" --project-name="my-python-project" \
  --login-url=https://<application url>/login \
  --username-field=<username-field> \
  --username=<emailaddress> \
  --password-field=<password-field> \
  --W \
  --auth-type=<auth-type>
```
Complete example against the CloudDefense sandbox:

```shell
cdefense dast \
  --project-name="<PROJECT NAME>" \
  --api-key=<YOUR API KEY> \
  --url="https://sandbox.clouddefenseai.com" \
  --login-url="https://sandbox.clouddefenseai.com/login" \
  --username-field=mat-input-1212 \
  --username=<YOUR USERNAME> \
  --password-field=mat-input-1000 \
  --password=<YOUR PASSWORD> \
  --auth-type=automatic
```
How to get the username and password field IDs

The --username-field and --password-field values are the name or id attributes of the input elements on the login form (mat-input-1212 and mat-input-1000 in the example above are auto-generated Angular Material ids). Open the login page, right-click the field, choose Inspect in your browser's developer tools and copy the attribute. Auto-generated ids can change between builds of the application, so re-check them if authentication starts failing.
Options for URLs with authentication

| Option | Value | Required | Description |
| --- | --- | --- | --- |
| --url | string | Yes | Application URL |
| --api-key | uuid | Yes | Your API key |
| --project-name | string | Yes | Application name |
| --login-url | string | Yes | The login page URL |
| --username-field | string | Yes | The username field name (usually email or username) |
| --password-field | string | Yes | The password field name |
| --username | string | Yes | The username to log in with |
| --password, --W | string | Yes | The password to log in with; --W reads it securely instead of taking it on the command line |
| --urls-to-include | string | No | If the login URL differs from the application URL, set this value (use a comma to pass multiple values) |
| --urls-to-exclude | string | No | URLs to exclude from scanning, usually logout URLs (use a comma to pass multiple values) |
| --auth-type | string | No | Defaults to token; supported types are token and cookie |
| --message | string | No | |
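As an added example (not CloudDefense's own code and not part of the original page), the following POSIX shell wrapper ties the steps above together for a scan of a staging deployment: it checks the Docker 18.x prerequisite, composes the authenticated-scan flags from the options table, expands logout paths into the comma-separated --urls-to-exclude value, reads the API key from an environment variable (CDEFENSE_API_KEY is an assumed name of our own) and uses --W so the password never appears on the command line. The host, project name and field ids in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example wrapper around `cdefense dast` (not CloudDefense's own code).
# CDEFENSE_API_KEY is our own assumed variable name for the API key.
set -eu

# Return 0 if a Docker version string (as printed by
# `docker version --format '{{.Server.Version}}'`, e.g. "24.0.7" or
# "18.09.2-ce") meets the documented minimum of 18.x, 1 otherwise.
docker_version_ok() {
  major="${1%%.*}"
  case "$major" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: refuse rather than guess
  esac
  [ "$major" -ge 18 ]
}

# Print the flags for an authenticated scan, one per line.
#   $1 project name   $2 application base URL   $3 login path (e.g. /login)
#   $4 username field name/id   $5 password field name/id   $6 username
#   $7 optional comma-separated paths to exclude (e.g. /logout,/signout)
# The API key and the password are deliberately not part of this list.
build_dast_args() {
  project="$1"; base="${2%/}"; login_path="$3"
  ufield="$4"; pfield="$5"; user="$6"; exclude="${7:-}"
  printf '%s\n' \
    "--project-name=$project" \
    "--url=$base" \
    "--login-url=$base$login_path" \
    "--username-field=$ufield" \
    "--password-field=$pfield" \
    "--username=$user" \
    "--W" \
    "--auth-type=cookie"   # session-cookie login; use token for bearer-token apps
  if [ -n "$exclude" ]; then
    # Expand "/logout,/signout" into absolute URLs, comma-joined as the CLI
    # expects. Excluding logout keeps the crawler from ending its own session.
    joined=""
    rest="$exclude"
    while [ -n "$rest" ]; do
      path="${rest%%,*}"
      if [ "$path" = "$rest" ]; then rest=""; else rest="${rest#*,}"; fi
      joined="${joined:+$joined,}$base$path"
    done
    printf '%s\n' "--urls-to-exclude=$joined"
  fi
}

# Verify Docker, then hand the composed flags to cdefense. Placeholder usage:
#   run_scan my-project https://staging.example.test /login \
#            mat-input-1212 mat-input-1000 qa@example.test /logout
run_scan() {
  : "${CDEFENSE_API_KEY:?export CDEFENSE_API_KEY from your secret store first}"
  if ! docker_version_ok "$(docker version --format '{{.Server.Version}}')"; then
    echo "Docker 18.x or newer is required" >&2
    return 1
  fi
  old_ifs=$IFS
  IFS='
'
  set -f   # split the flag list on newlines only, with no globbing
  # shellcheck disable=SC2046
  set -- $(build_dast_args "$@")
  set +f
  IFS=$old_ifs
  cdefense dast --api-key="$CDEFENSE_API_KEY" "$@"
}
```

Because --W takes the password interactively, run_scan is meant for a terminal session. In unattended CI you would have to pass --password from a secret instead, and accept that the value is then visible to anyone who can list processes on the runner while the scan is running.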