What Is Dynamic Application Security Testing?


Dynamic Application Security Testing (DAST) is a black-box security testing methodology in which an application is tested from the outside. A tester using DAST examines the application while it is running in the production environment and probes it the way an attacker would. DAST scanners are technology-independent because they interact with the application from the outside and rely on HTTP, so they work with any programming language and framework, whether off-the-shelf or custom-built.

DAST scanners first crawl a web application before scanning it. This lets the scanner find all exposed inputs on the pages within the web application, which are then tested for a range of vulnerabilities. A DAST test can look for a broad range of flaws, including input/output validation issues that could leave an application vulnerable to cross-site scripting or SQL injection. A DAST test can also help spot configuration mistakes and errors and identify other application-specific problems. Most DAST solutions test only the exposed HTTP and HTML interfaces of web-enabled applications; however, some solutions are designed specifically for non-web protocols and data malformation, for example remote procedure call, session initiation protocol, and so on.
