Dastardly is a DAST (Dynamic Application Security Testing) scanner developed by PortSwigger, the makers of Burp Suite, to help organizations safeguard their web applications.
It is a free, lightweight web application security scanner built to run inside a CI/CD pipeline.
It is deliberately not a comprehensive scanner: it checks for seven classes of vulnerability that are frequently found in software development.
According to PortSwigger's release notes, Dastardly 2023.10 includes a number of upgrades to Dastardly's scanner as well as an upgrade to its bundled Chromium browser.
What’s New in Dastardly 2023.10?
- Dastardly now scans requests generated by iframes.
- It now scans over YAML API definitions.
- Dastardly now scans floating input fields (input elements that are not enclosed in a form). This increases scan coverage for single-page applications.
- It crawls all clickable elements, not just links and form controls. This should improve scan coverage for single-page applications that use non-traditional navigation elements.
- It accepts Brotli-compressed HTTP messages (Content-Encoding: br).
- Dastardly has been tuned to spend less time waiting for a page to stabilize before scanning it.
Dastardly's environment variables have been renamed (update your pipeline configuration accordingly):
- DASTARDLY_OUTPUT_FILE is now BURP_REPORT_FILE_PATH
- DASTARDLY_TARGET_URL is now BURP_START_URL
Bug fixes:
According to the release notes, an issue in which Dastardly could incorrectly merge distinct issue locations under some circumstances has been fixed. As a result, the number of locations reported for an issue may increase.
Browser Upgrade:
Dastardly's built-in Chromium browser has been upgraded to 115.0.5790.110 on Windows and Linux and to 115.0.5790.114 on macOS.
Scanning Via DAST Methodology
Dastardly scans your target web application using a DAST approach. Dynamic application security testing (DAST) examines a running web application's security from the outside.
In DAST the tester has no knowledge of the application's internal workings. Because the tester cannot see inside the figurative "box", this testing approach is known as "black box" testing. Its purpose is to mimic a real attack.
This means Dastardly scans your application as deployed, not its source code. When you run a scan, you give Dastardly a seed URL.
Dastardly starts crawling the target application at the seed URL and then scans any URLs it discovers that sit in the path hierarchy below it. URLs outside that hierarchy are not scanned, so choose the seed URL (for example, the site root) so that it covers everything you want tested.
DAST as a methodology covers both automated and manual techniques. All that is required is that you have no insider knowledge of the system under test.
Dastardly scans have a ten-minute maximum run time. This might not be sufficient time for scanning larger or more complex web applications.
Burp Suite Enterprise Edition scanning can be a better option if Dastardly cannot adequately scan your application due to its size or complexity.
Dastardly writes its results as a JUnit XML report, which lists every vulnerability discovered during the scan and which most CI systems can display natively.
“To help keep your application secure, Dastardly fails your build if it detects any vulnerabilities with a severity level of LOW, MEDIUM, or HIGH. Vulnerabilities with a severity level of INFO don’t trigger a build failure”, the company explains.
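The following is an added example, not PortSwigger's code or part of the original article. It shows how the renamed environment variables from this release are passed to a Dastardly container in CI, and how a pipeline step can read the resulting JUnit XML report and apply the build gate quoted above (fail on LOW, MEDIUM or HIGH, pass on INFO). The docker invocation follows PortSwigger's documented pattern (public image name, report written into a mounted /dastardly directory) but is an assumption here; the report below is a constructed sample, and the assumption that each finding's severity is carried in the `type` attribute of its `<failure>` element should be checked against a real report before relying on it.

```python
"""CI helper for Dastardly: build the scan command and gate on the report.

Added example, not PortSwigger's code. The image name, volume mount and
report layout are assumptions (see comments) and the sample report is
constructed for illustration.
"""
import os
import subprocess
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: the public Dastardly image documented by PortSwigger.
DASTARDLY_IMAGE = "public.ecr.aws/portswigger/dastardly:latest"
# Report path inside the container; /dastardly is the mounted working directory.
REPORT_IN_CONTAINER = "/dastardly/dastardly-report.xml"

# Dastardly's own policy: INFO never fails the build, everything else does.
# Anything unrecognised is treated as failing (fail closed).
PASSING_SEVERITIES = frozenset({"INFO"})


def build_dastardly_command(start_url, workdir, uid):
    """Return the docker argv for a scan of start_url.

    Uses the 2023.10 variable names: BURP_START_URL (formerly
    DASTARDLY_TARGET_URL) and BURP_REPORT_FILE_PATH (formerly
    DASTARDLY_OUTPUT_FILE). The report lands in workdir on the host.
    """
    return [
        "docker", "run", "--rm",
        "--user", str(uid),
        "-v", f"{workdir}:/dastardly",
        "-e", f"BURP_START_URL={start_url}",
        "-e", f"BURP_REPORT_FILE_PATH={REPORT_IN_CONTAINER}",
        DASTARDLY_IMAGE,
    ]


def summarize_report(xml_text):
    """Count findings per severity in a JUnit XML report.

    Assumption: each finding is a <testcase> whose <failure> child carries
    the severity in its 'type' attribute; a <testcase> with no <failure>
    is a check that found nothing.
    """
    root = ET.fromstring(xml_text)
    counts = Counter()
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is not None:
            counts[failure.get("type", "UNKNOWN").upper()] += 1
    return counts


def should_fail_build(counts, passing=PASSING_SEVERITIES):
    """True if any finding has a severity outside the passing set."""
    return any(n > 0 and sev not in passing for sev, n in counts.items())


# Constructed sample report (not real scan output): one HIGH finding,
# one INFO finding, and one check that passed.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="https://example.test" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected)" classname="https://example.test/search">
      <failure message="Severity: HIGH" type="HIGH">Reflected parameter q</failure>
    </testcase>
    <testcase name="Content type incorrectly stated" classname="https://example.test/api/status">
      <failure message="Severity: INFO" type="INFO">text/html served as text/plain</failure>
    </testcase>
    <testcase name="HTML injection" classname="https://example.test/comment"/>
  </testsuite>
</testsuites>
"""


if __name__ == "__main__":
    # Typical pipeline use: run the scan, then gate on the report it wrote.
    cmd = build_dastardly_command("https://example.test", os.getcwd(), os.getuid())
    print("would run:", " ".join(cmd))
    # subprocess.run(cmd, check=False)  # uncomment in a real pipeline
    counts = summarize_report(SAMPLE_REPORT)
    print("findings by severity:", dict(counts))
    sys.exit(1 if should_fail_build(counts) else 0)
```

Dastardly itself already fails the build on LOW, MEDIUM and HIGH; a gate like `should_fail_build` is only needed when you post-process the report elsewhere (for example, in a pipeline step that runs after the scan container has exited) or want a stricter or looser threshold than the default. Keeping the default fail-closed for unknown severities means a report format change surfaces as a failed build rather than a silently passing one.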
PortSwigger offers assistance with any issues you may have when scanning apps with Dastardly.
Source: https://cybersecuritynews.com/dastardly-web-app-security-scanner/