Run dynamic application security testing (DAST) on Polaris

With Polaris fAST Dynamic, you can perform rapid, self-service DAST scans of web applications and APIs. Issues found in DAST scans can be viewed alongside SAST and SCA issues, and triaged according to their severity.

About DAST

fAST Dynamic brings dynamic application security testing (DAST) capabilities to the Polaris platform. DAST is a method of AppSec testing that examines an application in running state, without knowledge of its internal interactions or designs at the system level, and without access or visibility into the source program. This "black box" testing observes an application from the outside in, examines its running state, and observes its responses to simulated attacks made by a testing tool. The application's responses to these simulations help determine whether it's vulnerable and might be susceptible to a real malicious attack.
Note: fAST Dynamic is intended for scanning pre-production web applications and APIs only.

Prerequisites

Before you begin, make sure that:

  • Your organization has a subscription with a DAST entitlement.
  • Your subscription has at least one available DAST project.
  • An Organization Admin or Organization Application Manager has either:
  • Polaris has network access to the web application or API you wish to scan. To run DAST tests, Polaris communicates with your web-accessible applications or APIs using IPs that vary between Polaris instances.
    Table 1. fAST Dynamic (DAST) IPs
    Polaris instance            IPs (outbound)
    America, production         192.231.134.0/24
    America, POC
    European Union, production  162.244.5.0/24
  • If you want to scan internal web applications or APIs which are inside a private network, you have installed the Black Duck Bridge CLI (version 3.1.0 or higher).
  • You have permissions to create and manage projects.
    Note: See Roles and permissions for more information.
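As an added example (not part of the Polaris documentation), the following Python script tags web-server access-log entries that originate from the outbound ranges in Table 1, so that DAST scan traffic can be told apart from other traffic when reviewing logs or tuning WAF and IDS rules. The log lines are constructed samples, and the instance-to-range map assumes only the ranges the table lists.

```python
import ipaddress
import re

# Outbound ranges from Table 1 above; the "America, POC" row lists none on the page.
POLARIS_DAST_RANGES = {
    "America, production": [ipaddress.ip_network("192.231.134.0/24")],
    "European Union, production": [ipaddress.ip_network("162.244.5.0/24")],
}

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
192.231.134.17 - - [10/Mar/2025:09:12:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.45 - - [10/Mar/2025:09:12:03 +0000] "GET /about HTTP/1.1" 200 1024
162.244.5.200 - - [10/Mar/2025:09:12:05 +0000] "POST /api/v2/auth HTTP/1.1" 401 87
198.51.100.7 - - [10/Mar/2025:09:12:09 +0000] "GET /login HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def polaris_instance(ip: str):
    """Return the Polaris instance whose documented range contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for instance, nets in POLARIS_DAST_RANGES.items():
        if any(addr in net for net in nets):
            return instance
    return None


def classify_log(text: str):
    """Split parsed log records into (scanner, other); scanner records carry the instance name."""
    scanner, other = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        inst = polaris_instance(m["ip"])
        rec = {"ip": m["ip"], "request": m["req"], "status": int(m["status"]), "instance": inst}
        (scanner if inst else other).append(rec)
    return scanner, other
```

The same map can drive an ingress allowlist: anything that must reach the target from Polaris comes from these ranges, and nothing else should be able to claim to be the scanner.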

About active attacks

fAST Dynamic includes functionality to perform active attacks on your pre-production web applications and APIs.

If you select the Perform Active Attacks checkbox when creating a DAST project, fAST Dynamic will simulate real-world attacks by sending various inputs and then observing the application's or API's behavior.

Warning: Be aware that these attacks can degrade the application and expose sensitive data.

Create a DAST project

You can create DAST projects for two types of targets:
  • Web applications
  • APIs

A target is identified by its Entry Point URL and can be Internet-accessible or internal (inside a private network). A separate DAST profile is needed for each target you want to scan with fAST Dynamic. A single DAST project can be used for testing a web application or an API target, but not both.

Create a DAST project for a web application target

To create a DAST project for a web application target, follow these steps:
  1. Select Portfolio on the left sidebar.
  2. Select an application with a DAST subscription.
  3. On the Projects tab, select + Create > New Project(s).
  4. Under Project Type, select DAST.
  5. Enter a project name (maximum length: 255 characters).
    Each project name must be unique within the organization.
  6. Enter the Entry Point URL of the web application you want to test dynamically (maximum length: 255 characters).
    When you run a DAST test on this project, fAST Dynamic will begin scanning from the URL you specify. You must have explicit permission to test the specified web application.

    The Entry Point URL must be:

    • The address of an Internet-accessible, pre-production web application that you have explicit permission to test. If the web application is internal, see step 7.
    • A fully-qualified domain name (FQDN), like https://example.com/.
  7. If you want to test an internal web application, select the Entry Point URL is in a private network checkbox. You will need to use the Polaris Secure Tunnel feature of the Black Duck Bridge CLI to connect; see Test an internal web application or API with Polaris Secure Tunnel.

  8. Under Target Type, select Web Application.
  9. Enter a Profile Name for the DAST profile that will be created for this project. This must be unique within the organization.
  10. Unless you want to define advanced scan settings, leave Manually set up profile selected to use the default scan settings.
    Tip: The default DAST profile options are suitable for most use cases. If necessary, you can fine-tune your profile's settings later on. See Fine-tune a DAST profile for more information.
  11. (Optional) In the Allowed Hosts field, enter a comma-separated list of hosts—sub-domains of the Entry Point URL—to include in DAST scans. For example:
    https://example.com/login,https://example.com/about
  12. Select a site authentication method from the Authentication dropdown. If the web application does not require authentication, or you only want fAST Dynamic to scan non-authenticated content, leave this option as None.
    Authentication  Description
    Forms           Forms authentication.
                    Login URL (required): The URL of the web application's login page, e.g., https://example.com/sign-in
                    Form Values (optional): Provide a set of site credentials using the Field Name and Value rows; for example, a username and password.
    SAML            Single Sign-On (SSO) authentication through a SAML Identity Provider (IdP).
                    SSO Login URL (required): The URL of your organization's SSO login page.
                    Form Values (optional): Username and password to authenticate to your IdP.
                    HTTP Header Values (optional): HTTP request headers as required by your SAML IdP. Enter one or more headers as name/value pairs using the Header Name and Value fields.
    Selenium        Authenticate using a Selenium script (.side file), generated by using the Selenium IDE Chrome plug-in.
                    Upload .side file (required): Drag and drop a .side file to the file upload box, or browse for it on your computer.

  13. (Optional) Select Perform Active Attacks to enable more intrusive testing of the target.
    Warning: If Perform Active Attacks is selected, fAST Dynamic will simulate real-world attacks by sending various inputs and then observing the application's behavior. These attacks can degrade the application and expose sensitive data. Remember that fAST Dynamic is not designed or intended for scanning public (production) APIs, applications, and websites.
  14. (Optional) For Internet-accessible web applications only, select Test Connection to run a pre-flight connection test. You can also do this from the Tests page after creating the project and profile. This test can take a few minutes to complete and ensures that:
    • The Entry Point URL is valid.
    • Polaris can connect to the web application and authenticate, if applicable.

    A message is displayed if the connection test was successful.
  15. Click Save.
Polaris creates a DAST profile to use with this project and web application target. If the target is Internet-accessible, you can now run a DAST test against the project. If the target is internal, you first need to establish a secure tunnel between Polaris and your private network by using the Bridge CLI—see Test an internal web application or API with Polaris Secure Tunnel.

Create a DAST project for an API target

To create a DAST project for an API target, follow these steps:
  1. Select Portfolio on the left sidebar.
  2. Select an application with a DAST subscription.
  3. On the Projects tab, select + Create > New Project(s).
  4. Under Project Type, select DAST.
  5. Enter a project name (maximum length: 255 characters).
    Each project name must be unique within the organization.
  6. In the Entry Point URL field, enter the address of the API you want to test dynamically (maximum length: 255 characters).
    • Specify the base URL of an Internet-accessible, pre-production API that you have explicit permission to test. For example: https://api.altoroj.tinfoilsecurity.com/v2
    • The scanner can only reach endpoints that are accessible from the base URL.
    • Remember to specify the API version in the URL path, if the API is versioned.
    • If the API is internal, see step 7.
  7. If you want to test an internal API, select the Entry Point URL is in a private network checkbox. You will need to use the Polaris Secure Tunnel feature of the Black Duck Bridge CLI to connect; see Test an internal web application or API with Polaris Secure Tunnel.

  8. Under Target Type, select API.
  9. Enter a Profile Name for the DAST profile that will be created for this project. This must be unique within the organization.
  10. Unless you want to define advanced scan settings, leave Manually set up profile selected to use the default scan settings.
    Tip: The default DAST profile options are suitable for most use cases. If necessary, you can fine-tune your profile's settings later on. See Fine-tune a DAST profile for more information.
  11. (Optional) In the Allowed Hosts box, enter a comma-separated list of hosts—sub-domains of the Entry Point URL—to include in DAST scans. For example:
    https://api.altoroj.tinfoilsecurity.com/v2/auth
  12. Select the format of your API specification file from the API Specification Type dropdown. The supported file formats are as follows:
    • OpenAPI / Swagger Specification (.yml, .yaml, .json) (default)
    • Postman Collection (.json)
    • HTTP Archive file (.har)
    • GraphQL SDL (.sdl)
  13. Provide a supported API specification file for the API you specified in step 6.
    Method: Upload an API specification file manually
      1. Select Upload API Specification File.
      2. Drag and drop a file of the chosen type to the Upload API Spec box. You can also upload a local file.
    Method: Link to an API specification file hosted on the Internet
      Note: This option is supported for OpenAPI / Swagger Specification files only.
      1. Select API Specification File URL.
      2. Enter the URL where the API specification file is hosted, for example: https://api.altoroj.tinfoilsecurity.com/v2/swagger.json
  14. (Optional) Select Perform Active Attacks to enable more intrusive testing of the API.
    Warning: If Perform Active Attacks is selected, fAST Dynamic will simulate real-world attacks by sending various inputs and then observing the API's behavior. These attacks can degrade the application and expose sensitive data. Remember that fAST Dynamic is not designed or intended for scanning public (production) APIs, applications, and websites.
  15. Select the Authentication method for the API. The following are the authentication methods Polaris supports:
    Authentication  Description
    None (default)  No authentication. Clients can query the API without providing credentials or an API key.
    Headers         Authorization headers. To query the API, clients must provide credentials or an API key stored in one or more HTTP authorization headers.
  16. If you selected Headers, the Header Values table is displayed. Provide the required headers as key-value pairs in the Header Name and Value columns. You can provide any type of header, though these options are intended for authorization headers. For example:

    An example authorization header in the Header Values table.
  17. (Optional) For Internet-accessible APIs only, select Test Connection to run a pre-flight connection test. You can also do this from the Tests page after creating the project and profile. This test can take a few minutes to complete and ensures that:
    • The Entry Point URL is valid.
    • Polaris can connect to the API and authenticate, if applicable.

    A message is displayed if the connection test was successful:

    Connection successful message next to the Test Connection button.
  18. Click Save.
Polaris creates a DAST profile to use with this project and API target. If the target is Internet-accessible, you can now run a DAST test against the project. If the target is internal, you first need to establish a secure tunnel between Polaris and your private network by using the Bridge CLI—see Test an internal web application or API with Polaris Secure Tunnel.
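Added example (not part of the Polaris documentation) covering both the web application and the API procedures above: a Python pre-flight check of the Entry Point URL and Allowed Hosts values against the rules those steps state (255-character limit, an http(s) URL with a fully-qualified domain name, allowed hosts that are the entry-point host or a sub-domain of it, and a version segment in the path of a versioned API). The sub-domain test is my reading of the page's wording, and the URLs in the usage are the page's own examples.

```python
import re
from urllib.parse import urlsplit

MAX_LEN = 255  # limit the page states for project names and Entry Point URLs


def check_entry_point(url: str) -> list:
    """Return the problems found with an Entry Point URL; an empty list means it passes."""
    problems = []
    if len(url) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("missing http(s) scheme")
    host = parts.hostname or ""
    # FQDN check (assumption): the host must carry at least two dot-separated labels.
    if "." not in host.strip("."):
        problems.append("host is not a fully-qualified domain name")
    return problems


def in_scope(entry_point: str, allowed_hosts: str) -> dict:
    """Map each comma-separated Allowed Hosts entry to True when its host is the
    entry-point host or a sub-domain of it (my reading of the page's wording)."""
    base = (urlsplit(entry_point).hostname or "").lower()
    result = {}
    for item in (s.strip() for s in allowed_hosts.split(",")):
        if not item:
            continue  # tolerate trailing commas and blank entries
        # Entries may be full URLs or bare host[/path] strings.
        host = (urlsplit(item).hostname or item.split("/")[0]).lower()
        result[item] = bool(base) and (host == base or host.endswith("." + base))
    return result


def api_has_version_path(url: str) -> bool:
    """True when the path contains a version segment such as /v2, which the page
    asks you to include in the Entry Point URL when the API is versioned."""
    return any(re.fullmatch(r"v\d+", seg) for seg in urlsplit(url).path.split("/"))


if __name__ == "__main__":
    print(check_entry_point("https://example.com/"))
    print(in_scope("https://example.com/", "https://example.com/login,https://example.com/about"))
    print(api_has_version_path("https://api.altoroj.tinfoilsecurity.com/v2"))
```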

Test an internal web application or API with Polaris Secure Tunnel

Dynamic testing of an internal web application or API (an internal target) requires a secure connection between Polaris and your private network. With the Polaris Secure Tunnel feature of the Black Duck Bridge CLI, you can establish a secure TLS connection directly to the target in your internal environment, without the need to open any ports or allowlist our IP ranges.

Polaris Secure Tunnel uses the Teleport Access Platform for internal app connectivity. Teleport functionality is integrated with the Bridge CLI and requires no account setup or installation.

Note: Polaris Secure Tunnel is supported in Bridge CLI version 3.1.0 and higher.

It's straightforward to connect to an internal target using Polaris Secure Tunnel:

  1. Sign in to the Polaris user interface.
  2. Create a DAST project for a web application or API, making sure to select the Entry Point URL is in a private network option on the new project page. This creates an internal target with the Teleport configuration required for connectivity via Polaris Secure Tunnel.
  3. Create an access token in Polaris.
  4. Download the Bridge CLI.
  5. To connect to the internal target you created, follow the steps in Connect to an internal DAST target from the Bridge CLI in the Bridge CLI documentation.
  6. Teleport establishes a secure tunnel on port 443 between Polaris and your private network.
    Important: Leave the Polaris Secure Tunnel session running in your terminal until your testing is complete.
  7. (Optional) Go to Profiles > Edit Profile and then run a connection test on the internal target.
  8. Run a DAST test on the internal target in the usual way, either from the Polaris user interface or via the API.
  9. When the test is complete, stop the Polaris Secure Tunnel session in your terminal, or leave the connection open for further DAST tests on the same target.
  10. You can view DAST issues found on internal web applications and APIs in the Polaris user interface.
    Note: Only one secure tunnel will be used for a Polaris project at a time. While you leave a Polaris Secure Tunnel session open, other tests for the configured Polaris project will be routed through that same secure tunnel.

Test a DAST project

Follow these steps to run a DAST test from the Polaris user interface:

  1. There's more than one way to start this procedure:
    • Go to Portfolio, select an application, click the icon at the end of the project's row, and select New Test.
    • Go to Tests and select New Test.
  2. Select the DAST profile to scan with the Application and Project dropdown menus.

    Note: Depending on how you start a test, the Application, Project, and Profile values may already be filled in.
  3. (Optional) Select Test Connection.
    This test can take a few minutes to complete and ensures:
    • The Entry Point URL is valid.
    • Polaris can connect to the web application.
    • Polaris can authenticate with the web application.
  4. Select Begin Test.
Monitor test progress on the Tests page (accessible from the left-hand navbar). Newer tests appear near the top of the page. Filter tests by date, type, mode, status, and the application, project, or branch/profile tested.

Work with DAST issues

Issues captured in DAST tests are managed like SAST and SCA issues. You can:

Find DAST remediation guidance

After you test a DAST project, you can find remediation guidance (along with evidence) for issues captured in DAST tests in the Issue Details panel. To open the Issue Details panel, follow these steps:
  1. Go to Portfolio, open an application, open a DAST project, and open the Issues tab.
    Tip: Remember, DAST issues are only available in DAST projects.
  2. Select an Issue Type.
    The Issue Details panel opens.
  3. Select the Evidence tab to view the following DAST-specific evidence:
    • Location: The API endpoint for which the issue was detected
    • Payload
    • Target
    • Request body
    • Response body