Run dynamic application security testing (DAST) on Polaris

With Polaris fAST Dynamic, you can perform rapid, self-service DAST scans of web applications and APIs. Issues found in DAST scans can be viewed alongside SAST and SCA issues, and triaged according to their severity.

About DAST

fAST Dynamic brings dynamic application security testing (DAST) capabilities to the Polaris platform. DAST is a method of AppSec testing that examines an application in its running state, without knowledge of its internal interactions or system-level design, and without access to or visibility into its source code. This "black box" testing observes the application from the outside: it examines the running application and records its responses to simulated attacks sent by a testing tool. Those responses help determine whether the application is vulnerable and might be susceptible to a real malicious attack.
Note: fAST Dynamic is intended for scanning pre-production web applications and APIs only. Running DAST scans on internal websites and APIs is not yet supported.

Prerequisites

Before you begin, make sure that:

  • Your organization has a subscription with a DAST entitlement.
  • Your subscription has at least one available DAST project.
  • An Organization Admin or Organization Application Manager has either:
  • Polaris has network access to the application or API you wish to scan. To run DAST tests, Polaris communicates with your web-accessible applications or APIs using IPs that vary between Polaris instances.
    Table 1. fAST Dynamic (DAST) IPs
    Polaris instance             IPs (outbound)
    America, production          192.231.134.0/24
    America, POC
    European Union, production   162.244.5.0/24
  • You have permissions to create and manage projects.
    Note: See Roles and permissions for more information.
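Because the scanner reaches the target from the published source ranges in Table 1, an application team typically needs to allow those ranges through the firewall or WAF in front of the pre-production host and, during triage, to separate scanner traffic from other requests in the access log. The script below is an added example written for this page, not Polaris code; it assumes a combined-format web access log and hard-codes only the two ranges the table lists (the "America, POC" instance has no range on this page, so it is omitted). The log lines are constructed sample data.

```python
import ipaddress
import re

# Outbound scanner source ranges from Table 1 on this page. The "America, POC"
# instance has no range listed there, so it is deliberately absent here.
POLARIS_DAST_RANGES = {
    "America, production": ipaddress.ip_network("192.231.134.0/24"),
    "European Union, production": ipaddress.ip_network("162.244.5.0/24"),
}

# Apache/nginx combined-log prefix: client IP, identity, user, timestamp,
# request line, status. Only the fields used below are captured.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample access log (not real traffic): two requests from the
# America production range, one from an unrelated address, one from the EU range.
SAMPLE_LOG = """\
192.231.134.17 - - [03/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
192.231.134.17 - - [03/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [03/Jan/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 403 128
162.244.5.200 - - [03/Jan/2024:10:00:07 +0000] "GET /about HTTP/1.1" 200 2048
"""


def polaris_instance_for(ip: str):
    """Name of the Polaris instance whose published range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in POLARIS_DAST_RANGES.items():
        if addr in net:
            return name
    return None


def triage_log(text: str):
    """Group requests by client IP and label each IP with its Polaris instance.

    Returns a list of (src_ip, instance_or_None, request_count). An IP labelled
    None did not come from a published scanner range, so its requests should be
    reviewed as ordinary traffic rather than attributed to the DAST run.
    """
    counts = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        src = m.group("src")
        counts[src] = counts.get(src, 0) + 1
    return [(src, polaris_instance_for(src), n) for src, n in counts.items()]


if __name__ == "__main__":
    for src, instance, n in triage_log(SAMPLE_LOG):
        print(f"{src:16} {n:3} requests  {instance or 'NOT a Polaris DAST range'}")
```

The same `POLARIS_DAST_RANGES` table is what you would feed into an edge allow-list; keeping it in one place makes it easy to update when the Polaris documentation changes the ranges.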

About active attacks

fAST Dynamic includes functionality to perform active attacks on web application and API targets.

If you select the Perform Active Attacks checkbox when creating a DAST project, fAST Dynamic will simulate real-world attacks by sending various inputs and then observing the application's or API's behavior.

Warning: Be aware that these attacks can degrade the application and expose sensitive data.

Create a DAST project

You can create DAST projects for two types of targets:
  • Web Applications
  • APIs

A target is identified by its Entry Point URL. A separate DAST profile is needed for each target you want to scan. A single target can be used for testing a web application or an API, but not both.

Create a DAST project for a web application target

To create a DAST project for a web application target, follow these steps:
  1. Go to Portfolio on the left sidebar.
  2. Select an application with a DAST subscription.
  3. Select + Create > New Project(s).
  4. Under Project Type, select DAST.
  5. Enter a project name (maximum length: 255 characters).
    Each project name must be unique within the organization.
  6. Enter the Entry Point URL of the web application you want to run a DAST test for (maximum length: 255 characters).
    The Entry Point URL is the URL of the web application you want fAST Dynamic to scan. When you run a DAST test on this project, fAST Dynamic begins scanning from the URL you specify.

    The Entry Point URL must be:

    • The address of an Internet-accessible, pre-production website or web application that you have explicit permission to test.
    • A fully-qualified domain name (FQDN), like https://example.com/.
    Note: Running DAST scans on internal (non Internet-accessible) websites is not yet supported.
  7. Under Target Type, select Web Application.
  8. Enter a Profile Name for the DAST profile that will be created for this project. This must be unique within the organization.
  9. Unless you want to define advanced scan settings, you can leave the Manually set up profile option selected.
    Tip: The default DAST profile options are suitable for most use cases. If necessary, you can fine-tune your profile's settings later on. See Fine-tune a DAST profile for more information.
  10. (Optional) In the Allowed Hosts field, enter a comma-separated list of hosts—sub-domains of the Entry Point URL—to include in DAST scans. For example:
    https://example.com/login,https://example.com/about
  11. Select a site authentication method from the Authentication dropdown. If the web application does not require authentication, or you only want fAST Dynamic to scan non-authenticated content, leave this option as None.
    Authentication   Description
    Forms            Forms authentication.
                     Login URL (required): The URL of the web application's login page, e.g., https://example.com/sign-in
                     Form Values (optional): Provide a set of site credentials using the Field Name and Value rows; for example, a username and password.
    SAML             Single Sign-On (SSO) authentication through a SAML Identity Provider (IdP).
                     SSO Login URL (required): The URL of your organization's SSO login page.
                     Form Values (optional): Username and password to authenticate to your IdP.
                     HTTP Header Values (optional): HTTP request headers as required by your SAML IdP. Enter one or more headers as name/value pairs using the Header Name and Value fields.
    Selenium         Authenticate using a Selenium script (.side file), generated by using the Selenium IDE Chrome plug-in.
                     Upload .side file (required): Drag and drop a .side file to the file upload box, or browse for it on your computer.

  12. (Optional) Select Perform Active Attacks to enable more intrusive testing of the site.
    Warning: If Perform Active Attacks is selected, fAST Dynamic will simulate real-world attacks by sending various inputs and then observing the application's behavior. These attacks can degrade the application and expose sensitive data. Remember that fAST Dynamic is not designed or intended for scanning public (production) APIs, applications, and websites.
  13. Click Save.
Polaris creates a DAST profile to use with this project and web application target. You can now run a DAST test against the project.
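The Entry Point URL and Allowed Hosts fields carry the scope of the scan, so it is worth checking them before saving the project: the entry point must be an FQDN (not an IP literal or a bare host name) within the 255-character limit, and every Allowed Hosts entry must be the entry-point host or one of its sub-domains, as the step above describes. The following is an added example, not Polaris code; it evaluates only what can be judged offline (the Internet-accessibility requirement can ultimately only be confirmed by Test Connection) and assumes the entry point uses an http or https scheme.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_URL_LENGTH = 255  # field limit stated in the project-creation steps


def validate_entry_point(url: str):
    """Return a list of problems; an empty list means the URL passes every offline check.

    The checks mirror the stated requirements (length, FQDN, not an internal host)
    as far as they can be evaluated without network access.
    """
    problems = []
    if len(url) > MAX_URL_LENGTH:
        problems.append(f"URL longer than {MAX_URL_LENGTH} characters")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # assumption: only web schemes are meaningful here
        problems.append("scheme must be http or https")
    host = parts.hostname
    if not host:
        problems.append("URL has no host")
        return problems
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: require at least one dot so bare names like
        # "localhost" or "intranet" are rejected as non-FQDN.
        if "." not in host or host.endswith(".local"):
            problems.append("host is not a fully-qualified domain name")
        return problems
    problems.append("host is an IP literal, not an FQDN")
    if addr.is_private or addr.is_loopback:
        problems.append("address is private or loopback, so not Internet-accessible")
    return problems


def host_in_scope(candidate: str, entry_point: str) -> bool:
    """True if candidate's host is the Entry Point host or a sub-domain of it."""
    entry_host = urlsplit(entry_point).hostname
    cand_host = urlsplit(candidate).hostname
    if not entry_host or not cand_host:
        return False
    # "notexample.com" must not match "example.com", hence the leading dot.
    return cand_host == entry_host or cand_host.endswith("." + entry_host)


def partition_allowed_hosts(field: str, entry_point: str):
    """Split the comma-separated Allowed Hosts field into in-scope and out-of-scope entries."""
    entries = [e.strip() for e in field.split(",") if e.strip()]
    result = {"in_scope": [], "out_of_scope": []}
    for entry in entries:
        key = "in_scope" if host_in_scope(entry, entry_point) else "out_of_scope"
        result[key].append(entry)
    return result


if __name__ == "__main__":
    entry = "https://example.com/"
    print("entry point problems:", validate_entry_point(entry))
    allowed = "https://example.com/login,https://example.com/about,https://staging.example.com/,https://example.org/"
    print(partition_allowed_hosts(allowed, entry))
```

Anything reported under `out_of_scope` would either be ignored by the scanner or, worse, point the scan at a host you have not been given permission to test, so it should be removed from the field before the profile is saved.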

Create a DAST project for an API target

To create a DAST project for an API target, perform these steps:
  1. Go to Portfolio on the left sidebar.
  2. Select an application with a DAST subscription.
  3. Select + Create > New Project(s).
  4. Under Project Type, select DAST.
  5. Enter a project name (maximum length: 255 characters).
    Each project name must be unique within the organization.
  6. In the Entry Point URL field, enter the base URL of the API you want to run a DAST test for.
    This must be the URL of an Internet-accessible, pre-production API that you have explicit permission to test. For example:
    https://api.altoroj.tinfoilsecurity.com/v2

    The scanner can only reach endpoints that are accessible from the base URL. Remember to specify the API version in the URL path, if applicable.

    Note: Running DAST scans on internal (non Internet-accessible) APIs is not yet supported.
  7. Under Target Type, select API.
  8. Enter a Profile Name for the DAST profile that will be created for this project. This must be unique within the organization.
  9. Unless you want to define advanced scan settings, you can leave the Manually set up profile option selected.
    Tip: The default DAST profile options are suitable for most use cases. If necessary, you can fine-tune your profile's settings later on. See Fine-tune a DAST profile for more information.
  10. (Optional) In the Allowed Hosts box, enter a comma-separated list of hosts—sub-domains of the Entry Point URL—to include in DAST scans. For example:
    https://api.altoroj.tinfoilsecurity.com/v2/auth
  11. Select the format of your API specification file from the API Specification Type dropdown. The supported file formats are as follows:
    • OpenAPI / Swagger Specification (.yml, .yaml, .json) (default)
    • Postman Collection (.json)
    • HTTP Archive file (.har)
    • GraphQL SDL (.sdl)
  12. Provide a supported API specification file.
    Method: Upload an API specification file manually
      1. Select Upload API Specification File.
      2. Drag and drop a file of the chosen type to the Upload API Spec box. You can also browse for it on your computer.
    Method: Link to an API specification file hosted on the Internet
      Note: This option is supported for OpenAPI / Swagger Specification files only.
      1. Select API Specification File URL.
      2. Enter the URL where the API specification file is hosted, for example: https://api.altoroj.tinfoilsecurity.com/v2/swagger.json
  13. (Optional) Select Perform Active Attacks to enable more intrusive testing of the API.
    Warning: If Perform Active Attacks is selected, fAST Dynamic will simulate real-world attacks by sending various inputs and then observing the API's behavior. These attacks can degrade the application and expose sensitive data. Remember that fAST Dynamic is not designed or intended for scanning public (production) APIs, applications, and websites.
  14. Select the Authentication method for the API. The following are the authentication methods Polaris supports:
    Authentication   Description
    None (default)   No authentication. Clients can query the API without providing credentials or an API key.
    Headers          Authorization headers. To query the API, clients must provide credentials or an API key stored in one or more HTTP authorization headers.
  15. If you selected Headers, the Header Values table is displayed. Provide the required headers as key-value pairs in the Header Name and Value rows. For example:
    Figure: An example authorization header in the Header Values table.
    You can provide any type of HTTP header, though the options are intended for authorization headers.

  16. (Optional) Select Test Connection. You can also run this test from the Tests page after creating the project and profile.
    This test can take a few minutes to complete and ensures:
    • The Entry Point URL is valid.
    • Polaris can connect to the API.
    • Polaris can authenticate with the API, if applicable.

    A success message is displayed if the connection test was successful:
    Figure: Connection successful message next to the Test Connection button.
  17. Click Save.
Polaris creates a DAST profile to use with this project and API target. You can now run a DAST test against the project.
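Step 6 above makes a point that is easy to get wrong: the scanner only reaches endpoints that sit under the Entry Point URL, so if the specification's server URL carries a version path such as /v2 and the entry point omits or mismatches it, the whole API is out of reach. The script below is an added example, not Polaris code. It assumes an OpenAPI 3 document in JSON (the YAML and Postman/HAR/GraphQL formats listed in step 11 are not handled), resolves each operation to a full URL using the document's top-level and per-path `servers` entries, and reports which operations fall outside the configured base URL. The specification is a constructed sample, not a real API.

```python
import json

# Constructed minimal OpenAPI 3 document (not a real API). One path overrides
# the default server with an older version prefix to show an out-of-scope case.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v2"}],
    "paths": {
        "/accounts": {"get": {}, "post": {}},
        "/accounts/{id}": {"get": {}},
        "/legacy/ping": {
            "servers": [{"url": "https://api.example.test/v1"}],
            "get": {},
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def resolve_endpoints(spec_text: str):
    """Return [(METHOD, absolute_url)] for every operation in an OpenAPI 3 JSON document.

    A path-level `servers` list overrides the document-level one, as the
    OpenAPI specification defines; only the first server of each list is used.
    """
    spec = json.loads(spec_text)
    default_server = (spec.get("servers") or [{"url": "/"}])[0]["url"]
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        server = (item.get("servers") or [{"url": default_server}])[0]["url"]
        for method in item:
            if method.lower() in HTTP_METHODS:
                endpoints.append((method.upper(), server.rstrip("/") + path))
    return endpoints


def check_scope(spec_text: str, entry_point: str):
    """Partition the spec's operations into those under entry_point and those outside it.

    entry_point is the DAST project's Entry Point URL, including any version
    segment (e.g. https://api.example.test/v2). A trailing slash is normalised
    so that /v2 does not accidentally match /v20.
    """
    base = entry_point.rstrip("/") + "/"
    reachable, unreachable = [], []
    for method, url in resolve_endpoints(spec_text):
        target = reachable if url.startswith(base) else unreachable
        target.append((method, url))
    return reachable, unreachable


if __name__ == "__main__":
    ok, missed = check_scope(SAMPLE_SPEC, "https://api.example.test/v2")
    print("reachable from entry point:")
    for method, url in ok:
        print(f"  {method:6} {url}")
    print("NOT reachable (fix the Entry Point URL or the spec):")
    for method, url in missed:
        print(f"  {method:6} {url}")
```

Run it once against the specification you intend to upload and once more if Test Connection succeeds but the scan reports far fewer endpoints than expected; an empty `reachable` list almost always means the version segment in the entry point does not match the one in the spec.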

Test a DAST project

Follow these steps to run a DAST test from the Polaris user interface:

  1. There's more than one way to start this procedure:
    • Go to Portfolio, select an application, click the icon at the end of the project's row, and select New Test.
    • Go to Tests and select New Test.
  2. Select the DAST profile to scan with the Application and Project dropdown menus.
    Note: Depending on how you start a test, the Application, Project, and Profile values may already be filled in.
  3. (Optional) Select Test Connection.
    This test can take a few minutes to complete and ensures:
    • The Entry Point URL is valid.
    • Polaris can connect to the web application.
    • Polaris can authenticate with the web application.
  4. Select Begin Test.
Monitor test progress on the Tests page (accessible from the left-hand navbar). Newer tests appear near the top of the page. Filter tests by date, type, status, and the application, project, or branch/profile tested.

Work with DAST issues

Issues captured in DAST tests are managed like SAST and SCA issues. You can:

Find DAST remediation guidance

After you test a DAST project, you can find remediation guidance (along with evidence) for issues captured in DAST tests in the Issue Details panel. To open the Issue Details panel, follow these steps:
  1. Go to Portfolio, open an application, open a DAST project, and open the Issues tab.
    Tip: Remember, DAST issues are only available in DAST projects.
  2. Select an Issue Type.
    The Issue Details panel opens.
  3. Select the Evidence tab to view the following DAST-specific evidence:
    • Location: The API endpoint for which the issue was detected
    • Payload
    • Target
    • Request body
    • Response body