Dynamic Application Security Testing (DAST) is a black-box security testing methodology in which an application is tested from the outside. A tester using DAST examines an application when it is running in the production environment and tries to hack it just like an attacker will. DAST scanners are technology-independent because they interact with an application from the outside and rely on HTTP. It makes them work with any programming languages and frameworks, both off-the-shelf and the custom-built ones.
DAST scanners first crawl a web application before scanning it. This lets the scanner find all exposed inputs on the pages within the web application, which are then subsequently tested for a range of vulnerabilities. A DAST test can look for a broad range of vulnerabilities, including input/output validation issues that could leave an application vulnerable to cross-site scripting or SQL injection. A DAST test can also help spot configuration mistakes and errors and identify other specific problems with applications. Most DAST solutions test only the exposed HTTP and HTML interfaces of web-enabled applications; however, some solutions are designed specifically for non-web protocol and data malformation, for example, remote procedure call, session initiation protocol, etc.