fAST Dynamic checkers
This reference lists all active and passive checkers used by fAST Dynamic to detect security vulnerabilities in web applications and APIs.
The fAST Dynamic scan engine uses multiple checkers to detect vulnerabilities in the target web application or API.
Checkers are either active or passive:
- Active checkers directly interact with the target website or API. They craft and send attack payloads and then observe the target web application or API's behavior in order to identify security concerns.
  - To enable active checkers in scans, you must select the Perform Active Attacks checkbox when creating the DAST project. See Create and test DAST projects for web applications and APIs.
- Passive checkers do not directly interact with the target web application or API. They observe requests and responses sent to and from the fAST Dynamic scan engine.
Checkers in DAST scans
This table lists all checkers used in DAST scans by fAST Dynamic.
Each checker is assigned a unique code. To enable or disable checkers in DAST scans, add or remove checker codes in your scan-settings.json configuration file. See Fine-tune a DAST profile for more information.
Class Name | Checker Code | API/Web | Active/Passive | CWE™ * | UIC | CVSSv3 | Severity** |
---|---|---|---|---|---|---|---|
Path Traversal | PATHTRAV | Both | Active | CWE-73, CWE-426 | w-1630 | 5.8 | Medium |
Weak SSL/TLS Configuration | SSL | Web | Active | CWE-327 | w-43 | 6.5 | Medium |
Insecure Deserialization | ID | Web | Active | CWE-913 | w-1627 | 9 | Critical |
Resource Server Does Not Correctly Validate JWTs | JWT.NOVERIFY | Both | Active | CWE-284, CWE-287, CWE-863 | w-320 | 9.1 | Critical |
DOM-Based Cross-Site Scripting | XSS.DOM | Web | Active | CWE-79 | w-169 | 6.1 | Medium |
Shellshock | SHELL | Web | Active | - | w-1612 | 10 | Critical |
HTML Injection | SPOOF | Web | Active | CWE-94 | w-53 | 4.3 | Medium |
Log4Shell | LOG4J | Web | Active | CWE-20, CWE-400, CWE-502 | w-1609 | 10 | Critical |
Spring4Shell | S4S | Web | Active | - | w-1613 | 9.8 | Critical |
NoSQL Injection | NOSQLI | Both | Active | CWE-943 | w-329 | 9.8 | Critical |
Stored Cross-Site Scripting (XSS) | XSS.STO | Web | Active | CWE-79, CWE-80 | w-5 | 9.6 | Critical |
Insecure HTTP Methods Enabled | AM | Web | Active | CWE-650, CWE-749 | w-44 | 7.3 | High |
SSL/TLS Configuration Vulnerable to POODLE | SSL | Web | Active | CWE-326 | w-154 | 3.1 | Low |
XML External Entity (XXE) Injection | XXE | Web | Active | CWE-611 | w-99 | 8.3 | High |
Server-Side Request Forgery | SSRF | Both | Active | CWE-610, CWE-918 | w-290 | 7.2 | High |
ASP.NET Debugging Enabled | ASPDEBUG | Web | Active | CWE-11 | w-80 | 0 | Low |
Open Redirect | OR | Web | Active | - | w-1629 | 4.3 | Medium |
Backup File Disclosure | BAK | Web | Active | CWE-530 | w-1618 | 5.3 | Medium |
Unrestricted File Upload | FUP | Web | Active | - | w-1635 | 6.5 | Medium |
Resource Server Accepts the None Algorithm for JWTs | JWT.NONE | Both | Active | CWE-287, CWE-807 | w-319 | 9.1 | Critical |
SQL Injection | SQLI | Both | Active | CWE-89 | w-27 | 9.8 | Critical |
Directory Search | DIR | Web | Active | - | w-1622 | 5.3 | Medium |
PHP Code Injection | PHPI | Web | Active | CWE-95 | w-1631 | 8.6 | High |
CORS - Authenticated Access Allowed from Arbitrary Origin | CORS | Web | Active | CWE-284, CWE-942 | w-356 | 5.4 | Medium |
Blind SQL Injection | SQLI | Both | Active | CWE-89 | w-116 | 9.8 | Critical |
Heartbleed | SSL | Web | Active | - | w-1626 | 7.5 | High |
Command Injection | CMD | Both | Active | CWE-78 | w-101 | 9.8 | Critical |
HTTP Response Splitting | HRS | Web | Active | CWE-113 | w-7 | 5.3 | Medium |
Cross-Site WebSocket Hijacking | COWSH | Web | Active | CWE-352 | w-364 | 0 | Low |
Cross Site Scripting | XSS | Web | Active | - | w-1620 | 6.1 | Medium |
Reflected Cross-Site Scripting (XSS) | XSS.REF | Both | Active | CWE-79 | w-13 | 6.1 | Medium |
Deprecated TLS Protocol Version | SSL | Web | Active | CWE-327 | w-1532 | 4.8 | Medium |
Local File Inclusion | LFI | Web | Active | CWE-22, CWE-98 | w-399 | 7.5 | High |
Direct Request | FILE | Web | Active | - | w-1621 | 8.6 | High |
Frameable Resource | XFS | Web | Active | - | w-1625 | 4.3 | Medium |
Tomcat JSP Disclosure | TOMJSPDISC | Web | Active | - | w-0 | 7.5 | High |
HTTP Verb Tampering | AM | Both | Active | - | w-1289 | 6.5 | Medium |
Apache Struts - S2-045 | STRUTS | Web | Active | CWE-20 | w-1615 | 9.1 | Critical |
API Broken Object Level Authorization | APIBA | Web | Active | - | w-1616 | 7.5 | High |
API Rate Limiting | APIRL | Web | Active | CWE-770 | w-1617 | 8.6 | High |
Null Byte Injection | NULLBYTE | Web | Active | CWE-158 | w-113 | 5.6 | Medium |
Sensitive Data in Query String Parameter | SESSION | Web | Passive | CWE-598 | w-57 | 3.7 | Low |
Credit Card Number Disclosure | CCN | Web | Passive | CWE-312, CWE-319 | w-1619 | 5.8 | Medium |
NetScaler Cookie Information Disclosure | II | Web | Passive | CWE-200, CWE-212, CWE-311 | w-1640 | 5.3 | Medium |
Directory Listing Enabled | DIR | Web | Passive | CWE-548 | w-9 | 5.3 | Medium |
Fingerprinting | FINGER | Web | Passive | - | w-1624 | 0 | Low |
Verbose Error Messages (with Stack Trace) | ST | Web | Passive | CWE-209 | w-231 | 3.7 | Low |
Vulnerable Library | VULNLIB | Web | Passive | - | w-1636 | 3.7 | Low |
Server Error | SERVERERR | Web | Passive | CWE-209, CWE-544, CWE-550, CWE-703, CWE-756 | w-1611 | 8.1 | High |
Missing Cache Control Header | MISSHEADERS.CACHE | Web | Passive | CWE-525 | w-1639 | 0 | Low |
HttpOnly Cookie Attribute Not Set | COOKIES | Web | Passive | CWE-1004 | w-1 | 3.4 | Low |
Missing X-Content-Type-Options Header | MISSHEADERS.XCONTENT | Web | Passive | CWE-693 | w-257 | 3.1 | Low |
Sensitive Cookie with Improper SameSite Attribute | COOKIES | Web | Passive | CWE-1275 | w-419 | 3.1 | Low |
Sensitive Form Over HTTP | FORMHTTP | Web | Passive | CWE-311, CWE-319 | w-1632 | 5.3 | Medium |
Database Error Message Disclosure | SQLERR | Web | Passive | CWE-209 | w-98 | 3.1 | Low |
Internal Path Disclosure | IP | Web | Passive | CWE-209, CWE-497 | w-50 | 3.7 | Low |
HTTPS Not Enabled | HTTP | Web | Passive | CWE-319 | w-22 | 7.4 | High |
Resource Server Accepts the None Algorithm for JWTs | JWTALG | Web | Passive | CWE-287, CWE-807 | w-319 | 9.1 | Critical |
Insecure Content-Security-Policy Header | CSP | Web | Passive | CWE-693 | w-282 | 3.7 | Low |
Missing Content-Security-Policy Header | MISSCSP | Web | Passive | CWE-693 | w-258 | 3.7 | Low |
Using Deprecated HTTP Headers | DEPHEADERS | Web | Passive | CWE-477 | w-0 | 0 | Low |
Internal IP Disclosure | II | Web | Passive | CWE-212 | w-110 | 3.7 | Low |
Cross-Site Request Forgery (CSRF) | CSRF | Web | Passive | - | w-858 | 6.5 | Medium |
Insecure Object Usage | INSOBJ | Web | Passive | CWE-477 | w-0 | 0 | Low |
SSN Disclosure | SSN | Web | Passive | CWE-359 | w-1634 | 2.4 | Low |
HTTP Strict Transport Security (HSTS) Not Implemented | MISSHEADERS.HSTS | Web | Passive | CWE-319 | w-102 | 3.7 | Low |
F5 BIG-IP Cookie Information Disclosure | II | Web | Passive | CWE-212 | w-145 | 0 | Low |
Secure Cookie Attribute Not Set | COOKIES | Web | Passive | CWE-614 | w-2 | 4.8 | Medium |
Autocomplete HTML Attribute Not Disabled for Sensitive Fields | PASSAUTO | Web | Passive | CWE-525 | w-58 | 3.3 | Low |
Password in HTTP Response | PASSDISC | Web | Passive | CWE-522 | w-74 | 3.1 | Low |
Accept Header Validation | ACCEPTVAL | API | Active | CWE-20 | w-1604 | 5.3 | Medium |
API Broken Object Level Authorization | AUTHBYPASS | API | Active | - | w-1616 | 7.5 | High |
Content-Type Validation | CTVALIDATION | API | Active | - | w-1605 | 5.3 | Medium |
Expired or Revoked Token is not Rejected | EXPR | API | Active | CWE-613 | w-365 | 6.8 | Medium |
Improper Neutralization of Section Delimiters | BLNS | API | Active | - | w-671 | 5.3 | Medium |
Classic Buffer Overflow | BUFFOF | API | Active | - | w-540 | 7.3 | High |
Uncontrolled Resource Consumption | ERRAMP | API | Active | - | w-894 | 2.6 | Low |
Mass Assignment | ASSIGN | API | Active | CWE-862, CWE-915 | w-362 | 4.3 | Medium |
Non-Null Argument Enforcement (GQL) | NONNULLARG | API | Active | CWE-20 | w-0 | 0 | Low |
HTTP Response Splitting | RESPSPLIT | API | Active | CWE-113 | w-7 | 5.3 | Medium |
YAML Injection | YAMLI | API | Active | - | w-1637 | 9.8 | Critical |
Inefficient Regular Expression Complexity | BLINDREDOS | API | Active | CWE-1333 | w-653 | 7.5 | High |
* Common Weakness Enumeration (CWE™) refers to a formal list of common types of software weaknesses, which may result in vulnerabilities. For more information, see the CWE List at https://cwe.mitre.org/data/index.html. CWE is a trademark of The MITRE Corporation.
** Severity is calculated based on the CVSS score.