Sabrina Toubbeh
Dr. Moore
Dynamic Application Security Testing (DAST) is a powerful tool that can be used to analyze how an
application behaves under attack. Unlike SAST, DAST scans an application while it is running. Additionally, DAST is
effective in discovering external issues and vulnerabilities. DAST tools automatically simulate
malicious external attacks to identify critical vulnerabilities in an application. The goal of this
report is to demonstrate how a DAST tool can effectively identify vulnerabilities by risk and
categorize them into different types of issues. An analysis of the issues found helps identify the root
causes and mitigation strategies. ZAP’s DAST tool and WebGoat’s intentionally vulnerable web
DAST
3
“WebGoat is a deliberately insecure application that allows interested developers just like you to
test vulnerabilities commonly found in Java-based applications that use common and popular
open source components” (OWASP). The purpose of using a Dynamic Application Security
Testing tool is to communicate with WebGoat while it is running in order to discover potential
vulnerabilities in the application. DAST is a type of black-box security testing that uses
techniques to attack an application from the outside. Based on OWASP’s Benchmark Project,
DAST is extremely useful because it has a lower false positive rate than other
application security testing tools (Peterson, 2021). DAST can also identify configuration issues
Summarized Findings
Using the ZAP tool, a scan was performed on the WebGoat application. ZAP found potential
vulnerabilities in WebGoat based on known attacks. The table below shows the security issues
Risk Level      Alerts
High            1
Medium          2
Low             3
Informational   5
Table 2: Alerts
The table below provides a list of mitigation solutions to improve security of the application. All
Issue: Parameter Tampering
Mitigation: Identify the cause of the error and fix it. Do not trust client side input and enforce a tight
check on the server side. Besides, catch the exception properly. Use a generic 500 error page for
internal server error.

Issue: Cookie No HttpOnly Flag
Mitigation: Ensure that the HttpOnly flag is set for all cookies.

Issue: Cookie Without SameSite Attribute
Mitigation: Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.

Issue: Charset Mismatch (Header Versus Meta Content-Type Charset)
Mitigation: Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or
encoding declarations in XML.
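The three header-level findings in the table above (missing HttpOnly, missing or weak SameSite, and a charset that differs between the HTTP header and the HTML meta tag) can be checked directly on a captured response. The following is an added example written for this report, not ZAP's own scan rule code; the response headers and HTML body it inspects are constructed samples, and the JSESSIONID cookie is only an illustrative name.

```python
import re

def audit_cookie(set_cookie: str) -> list[str]:
    """Return alert names (in the table's wording) for one Set-Cookie value."""
    name = set_cookie.split("=", 1)[0].strip()
    flags = {}
    for attr in set_cookie.split(";")[1:]:          # e.g. "Path=/", "HttpOnly"
        key, _, value = attr.strip().partition("=")
        flags[key.lower()] = value.lower()
    findings = []
    if "httponly" not in flags:
        findings.append(f"Cookie No HttpOnly Flag: {name}")
    # The table recommends 'lax' or 'strict'; anything else is reported.
    if flags.get("samesite") not in ("lax", "strict"):
        findings.append(f"Cookie Without SameSite Attribute: {name}")
    return findings

# Matches both <meta charset="..."> and <meta http-equiv=... content="...; charset=...">
_META_CHARSET = re.compile(r'<meta[^>]*charset\s*=\s*["\']?([\w-]+)', re.I)
_HEADER_CHARSET = re.compile(r'charset\s*=\s*"?([\w-]+)', re.I)

def audit_charset(content_type: str, body: str) -> list[str]:
    """Report a mismatch only when both the header and the meta tag declare a charset."""
    hdr = _HEADER_CHARSET.search(content_type or "")
    meta = _META_CHARSET.search(body or "")
    if hdr and meta and hdr.group(1).lower() != meta.group(1).lower():
        return ["Charset Mismatch (Header Versus Meta Content-Type Charset): "
                f"header {hdr.group(1)} vs meta {meta.group(1)}"]
    return []

def audit_response(headers: list[tuple[str, str]], body: str) -> list[str]:
    """Run the cookie and charset checks over one HTTP response."""
    findings, content_type = [], ""
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings += audit_cookie(value)
        elif key.lower() == "content-type":
            content_type = value
    return findings + audit_charset(content_type, body)

# Constructed sample responses: the weak one reproduces all three findings,
# the fixed one applies the mitigations from the table.
HTML = '<html><head><meta charset="utf-8"></head><body>WebGoat</body></html>'
WEAK = ([("Content-Type", "text/html; charset=ISO-8859-1"),
         ("Set-Cookie", "JSESSIONID=abc123; Path=/WebGoat")], HTML)
FIXED = ([("Content-Type", "text/html; charset=UTF-8"),
          ("Set-Cookie", "JSESSIONID=abc123; Path=/WebGoat; HttpOnly; SameSite=Strict")], HTML)

if __name__ == "__main__":
    print(audit_response(*WEAK))    # three findings
    print(audit_response(*FIXED))   # []
```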
OWASP. “OWASP WebGoat.” OWASP WebGoat - Learn the Hack - Stop the Attack,
https://owasp.org/www-project-webgoat/.
Peterson, J. (2021, April 30). Dynamic Application Security Testing: DAST Basics. WhiteSource.
https://www.whitesourcesoftware.com/resources/blog/dast-dynamic-application-security-testing/.
Vulnerable JavaScript Library. (2021, June 8). Retrieved October
https://www.zaproxy.org/docs/desktop/start/features/ascan/