DAST

Dynamic application security testing (DAST) is a process of testing an operating application or software product in order to identify potential security vulnerabilities and architectural weaknesses.

CloudDefense DAST scans are performed on a runtime application using our fully packaged Docker image without any additional software installation. Please make sure you have the following prerequisites before running the scans.

Prerequisites

  • Install CLI

  • Install Docker if not already present.

    • Version: 18.x or greater

Your source code and application never leave your environment; Cloud Defense does not store them and has no access to them of any kind.

Example

Run the following command from your console:

cdefense dast --api-key=<YOUR_API_KEY> \
--url="<application url>" --project-name="my-python-project"

Run the following command for an application URL that requires login:

cdefense dast --api-key=<YOUR_API_KEY> \
--url="<application url>" --project-name="my-python-project" \
--login-url=https://<application url>/login \
--username-field=<username-field> \
--username=<emailaddress> \
--password-field=password \
--password=<password> \
--urls-to-include=<urls-to-include> \
--urls-to-exclude=<urls-to-exclude> \
--auth-type=<auth-type>

To enter the password securely instead of passing it on the command line, use the --W option:

cdefense dast --api-key=<YOUR_API_KEY> \
--url="<application url>" --project-name="my-python-project" \
--login-url=https://<application url>/login \
--username-field=<username-field> \
--username=<emailaddress> \
--password-field=password \
--W \
--urls-to-include=<urls-to-include> \
--urls-to-exclude=<urls-to-exclude> \
--auth-type=<auth-type>

Options for URLs with authentication

Option             Value   Required  Description
--url              string  Yes       The application URL
--api-key          uuid    Yes       Your API key (YOUR_API_KEY)
--project-name     string  Yes       The application name
--login-url        string  Yes       The login page URL
--username-field   string  Yes       The name of the username field (usually "email" or "username")
--password-field   string  Yes       The name of the password field
--username         string  Yes       The username to log in with
--password, --W    string  Yes       The password to log in with (--password takes it on the command line; --W lets you enter it securely instead)
--urls-to-include  string  No        Set this if the login URL differs from the application URL (use a comma to pass multiple values)
--urls-to-exclude  string  No        URLs to exclude from scanning, usually logout URLs (use a comma to pass multiple values)
--auth-type        string  No        Defaults to token; supported types are token and cookie
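As an added example (not CloudDefense's own code), here is a small POSIX sh wrapper around the authenticated command above. It reads the API key from an environment variable named CD_API_KEY (our own name), never accepts a --password value so the password is always supplied through --W, checks that each option the table marks as required is non-empty, and rejects an --auth-type other than token or cookie; DAST_BIN (also our own name) lets a dry run substitute another program for cdefense.

```shell
#!/bin/sh
# Wrapper for an authenticated cdefense dast scan (added example, not CloudDefense code).
# CD_API_KEY and DAST_BIN are names assumed here, not options of the real CLI.
#
# run_dast URL PROJECT LOGIN_URL USERNAME_FIELD USERNAME [URLS_TO_EXCLUDE] [AUTH_TYPE]
run_dast() {
    url=$1 project=$2 login_url=$3 user_field=$4 username=$5
    exclude=${6:-} auth_type=${7:-token}

    # Every option the table marks "Required" must be present and non-empty;
    # the API key is read from the environment so it stays out of shell history.
    for v in "${CD_API_KEY:-}" "$url" "$project" "$login_url" "$user_field" "$username"; do
        [ -n "$v" ] || { echo "run_dast: a required option is empty" >&2; return 1; }
    done

    # Only the two documented authentication types are accepted.
    case $auth_type in
        token|cookie) ;;
        *) echo "run_dast: unsupported --auth-type '$auth_type'" >&2; return 1 ;;
    esac

    # Build the argument list; --W replaces --password so the secret is never
    # visible in the process list or in shell history.
    set -- dast \
        "--api-key=$CD_API_KEY" \
        "--url=$url" \
        "--project-name=$project" \
        "--login-url=$login_url" \
        "--username-field=$user_field" \
        "--username=$username" \
        --password-field=password \
        --W

    # Logout URLs are the usual exclusion, so the crawler does not end its own session.
    [ -n "$exclude" ] && set -- "$@" "--urls-to-exclude=$exclude"

    "${DAST_BIN:-cdefense}" "$@" "--auth-type=$auth_type"
}
```

Run it as `CD_API_KEY=... ./scan.sh` after adding a call such as `run_dast https://app.example.test my-app https://app.example.test/login email qa@example.test https://app.example.test/logout` at the end of the file; `DAST_BIN=echo` prints the assembled command instead of scanning.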