Getting Started with DAST/Active Scanning
Published on: 2019-10-15
If you're just getting started with DAST/Active scanning, there are a few things you ought to do before you point the scanner at your website and push "Go".
Ensure your website is accessible to the scanner
In order to scan your website, the scanner needs to be able to reach it. If your scanner is hosted in the cloud, then you either need to make sure your website is publicly accessible or you need to create an exception in your firewall for the IP address(es) of the scanner. In this case, it is a good idea to access your site from your phone to make sure that it is truly accessible from the internet. If you install the scanner on the same network as your website, you should still double-check that DNS is set up properly, no firewalls are blocking your website, etc.
Use a test version of your website (and have a backup of your database)
Automated web scanners are generally safe in that they don't try to install viruses or steal data, but they do typically generate a lot of traffic and garbage data. (For more information, please read my blog post about how DAST scanners work.) Therefore, I recommend taking a backup of your database, running the scans against a test version of your website, and then restoring that backup once you're done scanning.
It is worth highlighting that if you do create a test version of your website as I recommend, you should add some test data to the system. As mentioned before, scanners will try to click every link, submit every form, etc. If you don't have data in place, your scanner might not find the details pages for these items, which will lead to lower coverage and inferior results.
Turn off multi-factor authentication
If there is one, and only one, thing that you could do to secure your website, you would probably think hard about turning on multi-factor authentication. As has been known for more than a decade, passwords just aren't that secure. Unfortunately, multi-factor authentication is also extremely effective at keeping out fully-automated scanners. So please use multi-factor authentication for all users except the one you use for scanning.
Turn off any Web Application Firewalls
I highly recommend using Web Application Firewalls in general, but they can limit the effectiveness of scans if left on during a web scan. Therefore, it is best if you turn these off during the scan.
Turn off notifications
As mentioned earlier, in order to find vulnerabilities in your system, web scanners send thousands of requests to your system. If you get notifications when errors occur, a form is submitted, etc., you will likely get thousands of notifications during the course of a web scan. I highly recommend that you turn these off while the web scanner is running.
Tell the scanner to ignore sensitive pages
Also be sure to tell the scanner to ignore sensitive pages within your app, such as admin pages that delete users or pages that reset passwords. I personally have run into issues where my scanner has changed the password of the user I was using, forcing me to reset that password before running another scan. I could also imagine a scanner going in and finding a "delete all users" command (or something similar) and wreaking havoc. While these types of things can be an amusing subject for a story or blog post, I generally recommend avoiding them.
Finally, do be sure to check the results before accepting the findings. Missed portions of the app and bad authentication are common. You don't want to assume that your site is safe because you didn't get many findings in a bad scan!
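As an added illustration of the last two points (keeping sensitive pages out of scope, and checking coverage and authentication before accepting the findings), here is a small scope and coverage check in Python. It is example code written for this post's advice, not any scanner's own configuration; the host, exclusion patterns, crawled URLs and visited-path data are all constructed.

```python
import re
from urllib.parse import urlparse

# Hypothetical test host and exclusion patterns, constructed for this example.
BASE_URL = "https://test.example.com"
SENSITIVE_PATTERNS = [
    r"^/admin/users/delete",       # destructive admin action
    r"^/account/reset-password",   # would change the scan user's password
    r"^/logout",                   # would drop the scanner's session
]

def in_scope(url, base=BASE_URL, excludes=SENSITIVE_PATTERNS):
    """True if url is on the test host and matches none of the exclusion patterns."""
    target = urlparse(url)
    if target.netloc != urlparse(base).netloc:
        return False  # another host, not ours to scan
    return not any(re.search(pattern, target.path) for pattern in excludes)

def plan_scope(crawled_urls, base=BASE_URL, excludes=SENSITIVE_PATTERNS):
    """Split crawled URLs into the list the scanner may test and the list it must skip."""
    scan, skip = [], []
    for url in crawled_urls:
        (scan if in_scope(url, base, excludes) else skip).append(url)
    return scan, skip

def review_coverage(expected_paths, visited, login_path="/login"):
    """Compare the paths you expected the scanner to reach with what it reported.

    visited maps each requested path to the path it finally landed on after redirects.
    Returns the expected paths it never requested (missed coverage) and the ones that
    bounced to the login page (the session was not authenticated for that request).
    """
    missed = sorted(p for p in expected_paths if p not in visited)
    bounced = sorted(p for p in expected_paths
                     if p in visited and p != login_path and visited[p] == login_path)
    return missed, bounced

if __name__ == "__main__":
    crawled = [  # constructed sample of what a spider might report
        BASE_URL + "/products/42",
        BASE_URL + "/admin/users/delete?id=7",
        BASE_URL + "/account/reset-password",
        "https://cdn.example.net/app.js",
    ]
    print("scan/skip:", plan_scope(crawled))
    visited = {"/products/42": "/products/42", "/orders": "/login", "/login": "/login"}
    print("missed/bounced:", review_coverage(["/products/42", "/orders", "/orders/history", "/login"], visited))
```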
Good luck!