← [Section 06](README.md) · [Home](../README.md)

# DAST and pentest (lite)

## Goal

Understand **DAST** (Dynamic Application Security Testing) and the basics of **penetration testing**: what is checked on a running application, when to run it, and how DAST differs from a manual pentest.

## Prerequisites

- [quality-gates-v-ci.md](quality-gates-v-ci.md).
- HTTP basics: GET/POST, cookies, status codes.
- Staging environment concept.

## Time

~30 minutes of reading + reviewing a sample DAST report (15 min)

---

## What DAST is

**DAST** tests a **running application** over the network, either as an external attacker would (black-box) or with credentials (grey-box).

```
Scanner → HTTP requests → App responds → Analyze (XSS, SQLi probes, misconfig)
```

It does not see the source code (unlike SAST).

## DAST vs SAST vs Pentest

| | SAST | DAST | Pentest |
|---|------|------|---------|
| Needs code | Yes | No | Sometimes |
| Needs running app | No | Yes | Yes |
| Speed | Fast | Medium | Slow (days/weeks) |
| Logic bugs | Weak | Medium | Strong |
| Automation | Full | Full | Human-led |
| Cost | Low | Medium | High |

**Layered:** SAST+SCA in the PR → DAST on staging → pentest 1–2×/year for critical apps.

## What DAST finds

| Class | Example probe |
|-------|--------------|
| XSS | `<script>alert(1)</script>` in params |
| SQLi | `' OR 1=1--` (error-based) |
| Security headers | Missing CSP, HSTS |
| Cookie flags | No HttpOnly / Secure |
| CSRF | State-changing GET without token |
| Default pages | `/server-status`, admin panels |
| TLS issues | Weak ciphers (if HTTPS is scanned) |

## DAST limitations

| Limitation | Reason |
|------------|---------|
| Low coverage API | Needs OpenAPI/crawl config |
| Auth-heavy apps | Login flow scripting |
| False positives / negatives | A WAF blocking the scanner looks like "fixed" |
| Destructive tests | Not on production without scope |
| Business logic | Does not understand "100% discount" |

**Never** run an aggressive DAST against production without an explicit scope.

## Popular tools

| Tool | Type | Notes |
|------|------|-------|
| **OWASP ZAP** | Open source | Baseline + full scan |
| **Burp Suite** | Commercial + Community | Pentester favorite |
| **Nuclei** | Template-based | Fast known CVE checks |
| **StackHawk / Invicti** | CI-integrated DAST | SaaS |

ZAP baseline (concept):

```bash
docker run -t owasp/zap2docker-stable zap-baseline.py \
  -t https://staging.example.com
```

## DAST in the pipeline

```
Deploy staging → smoke tests → DAST baseline → report → gate (critical)
                     │
                     └── nightly full scan (long)
```

| Scan type | Duration | When |
|-----------|----------|------|
| Baseline | 5–15 min | Every deploy |
| Full | Hours | Weekly / pre-release |
| Authenticated | Custom | After login script ready |

## Setting up an authenticated scan

1. Record login (ZAP context / Burp)
2. Define session token handling
3. Scope: only `staging.example.com`
4. Exclude logout / delete-account paths

Without auth, DAST sees only the public surface (~30% of the API).

## Pentest lite: when a human is needed

| Trigger | Action |
|---------|--------|
| Fintech, health, large PII | Annual pentest minimum |
| Major release / new auth | Targeted pentest |
| Post-incident | Focused retest |
| Compliance (PCI-DSS) | Mandated frequency |

**Pentest** = skilled human + methodology (OWASP WSTG, PTES) + report with reproduction steps.

## Pentest scope document (minimum)

| Section | Content |
|---------|---------|
| In-scope URLs | `https://staging.example.com/api/*` |
| Out-of-scope | Production, third-party SaaS |
| Test window | 2026-06-10 – 2026-06-14 |
| Accounts provided | `test_user` / `YOUR_TEST_PASSWORD` |
| Rules | No DoS, no social engineering |
| Emergency contact | on-call@example.com |

## Handling findings

| Source | Workflow |
|--------|----------|
| DAST critical | Same as SAST — block release |
| Pentest high | Fix + retest certificate |
| Medium | Risk accept or schedule |

Mapping to Jira: severity, CWE, asset, owner.
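A minimal release gate for the "gate (critical)" step in the pipeline above and for the "DAST critical: block release" and "risk accept" rows in this table, as an added example that is not part of the original page and not ZAP's own code: it reads the JSON report ZAP writes with `-J`, fails on High alerts that are not on an accepted-risk list (by plugin id), and treats a completely empty report as a failure rather than a clean result, which is the WAF case from the limitations table. The report layout and the `riskcode` values 0–3 are assumptions based on ZAP's JSON report format; the sample report and its plugin ids are constructed, not output of a real scan.

```python
"""Release gate over a ZAP JSON report: block on High, honour accepted risks,
refuse to pass an empty report. Constructed example, not ZAP's own code."""
import json
import sys
from collections import Counter

# Assumed ZAP riskcode values (strings in the report): "0" Info, "1" Low, "2" Medium, "3" High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the layout of a ZAP JSON report (-J report.json); not a real scan.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "https://staging.example.com",
    "alerts": [
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
         "riskcode": "2", "confidence": "2", "count": "4"},
        {"pluginid": "10011", "alert": "Cookie Without Secure Flag",
         "riskcode": "1", "confidence": "2", "count": "1"},
        {"pluginid": "40018", "alert": "SQL Injection",
         "riskcode": "3", "confidence": "2", "count": "1"},
    ]}]})

def load_alerts(report_text):
    """Flatten alerts from every scanned site into plain dicts with an int risk level."""
    alerts = []
    for site in json.loads(report_text).get("site", []):
        for a in site.get("alerts", []):
            alerts.append({"site": site.get("@name", "?"), "id": a.get("pluginid"),
                           "name": a.get("alert"), "risk": int(a.get("riskcode", "0")),
                           "count": int(a.get("count", "1"))})
    return alerts

def evaluate_gate(alerts, fail_at=3, accepted_ids=()):
    """Return (passed, summary). Fail on any alert at/above fail_at that is not an
    accepted risk. An empty report (not even Informational alerts) also fails: that
    usually means a WAF block or a failed crawl, not a clean application."""
    counts = Counter(RISK_NAMES.get(a["risk"], "Unknown") for a in alerts)
    if not alerts:
        return False, {"counts": {}, "blocking": [],
                       "reason": "empty report: suspect WAF block or crawl failure"}
    blocking = [a for a in alerts if a["risk"] >= fail_at and a["id"] not in accepted_ids]
    return not blocking, {"counts": dict(counts), "blocking": [a["name"] for a in blocking]}

if __name__ == "__main__":
    # Usage: python dast_gate.py [report.json] [accepted_pluginid ...]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, summary = evaluate_gate(load_alerts(text), accepted_ids=tuple(sys.argv[2:]))
    print(json.dumps(summary, indent=2))
    sys.exit(0 if passed else 1)
```

The non-zero exit code is what the CI step keys on; the printed summary is what gets attached to the Jira ticket or the security channel.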

## DAST + WAF

A WAF can **block** the scanner → a false "all clean".

| Approach | Purpose |
|----------|---------|
| Scan from allowlisted IP | See app behind WAF |
| Scan WAF bypass staging | Test app logic |
| Separate "no WAF" env | Pre-prod only |

Document which layer each finding belongs to (app or WAF).

## Checklist before the first DAST

- [ ] Target = staging, not prod
- [ ] Backup / reset staging DB if destructive
- [ ] Notify team (spike in logs)
- [ ] OpenAPI spec uploaded to scanner
- [ ] Rate limits adjusted or scanner IP excluded
- [ ] Findings routing to security channel

---

## Self-check

1. Why does DAST not replace code review for IDOR?
2. How does a baseline scan differ from a full scan?
3. Why is a scope document needed for a pentest?
4. Why is DAST on production dangerous?

## Next

Section 06 is complete. Proceed to [Section 07: Infrastructure](../07-infrastruktura/README.md).
