DAST
Dynamic application security testing (DAST) is a process of testing an operating application or software product in order to identify potential security vulnerabilities and architectural weaknesses.
VirSec DevSecOps DAST scans are performed on a run-time application using our fully packaged Docker image without any additional software installation. Please make sure you have the following prerequisites before running the scans.
PREREQUISITES
NOTE:
Your source code doesn't leave your environment, Virsec DevSecOps doesn't store or have any kind of access to it.
Example
Run the following command from your console
vsp_defense dast --api-key=<YOUR_API_KEY> --url="application url" --project-name="my-pythom-project"
Run the following command for URLs with authentication
vsp_defense dast --api-key=<YOUR_API_KEY> \
--url="application url" --project-name="my-python-project" \
--login-url=https://<application url>/login \
--username-field=<username-field> \
--username=<emailaddress> \
--password-field=password \
--password=<password> \
--auth-type=<auth-type>
To securely enter the password use --W option
vsp_defense dast --api-key=<YOUR_API_KEY> \
--url="application url" --project-name="my-python-project" \
--login-url=https://<application url>/login \
--username-field=<username-field> \
--username=<emailaddress> \
--password-field=password \
--W \
--auth-type=<auth-type>
Example
vsp_defense dast \
--project-name=" PROJECT NAME" \
--api-key=" YOUR API KEY" \
--url="https://sandbox.clouddefenseai.com" \
--login-url="https://sandbox.clouddefenseai.com/login" \
--username-field=mat-input-1212 \
--password-field=mat-input-1000 \
-password=>YOUR PASSWORD>\
--auth-type=automatic
How to get Username and Password ID / Fields
Options for URLs with authentication
|
Options |
Value |
Required |
Description |
|
--url |
string |
Yes |
application url |
|
--api-key |
uuid |
Yes |
YOUR_API_KEY |
|
--project-name |
string |
Yes |
application name |
|
--login-url |
string |
Yes |
The login page URL |
|
--username-field |
string |
Yes |
The username field name (these are usually email or username) |
|
--username |
string |
Yes |
The password field name |
|
--username |
string |
Yes |
The username to login |
|
--password, --W |
string |
Yes |
The password to login |
|
--urls-to-include |
string |
No |
If login url is different from application url set this value (use comma(,) to pass multiple values ) |
|
--urls-to-exclude |
string |
No |
Urls to exclude from scanning, these are usually logout urls (use comma(,) to pass multiple values ) |
|
--auth-type |
string |
No |
Defaulted to token type, supported types are token and cookie |
|
--message |
string |
No |
|