Application Security Services

Dynamic Application Security Testing (DAST)

  • May 8, 2025
  • 0

Sherlocked Security – Dynamic Application Security Testing (DAST)

Simulate Real-World Attacks Against Your Running Web Applications

1. Statement of Work (SOW)

Service Name: Dynamic Application Security Testing (DAST)
Client Type: Enterprises, SaaS Providers, FinTechs, Public-Facing Portals
Service Model: Black-Box Application Security Testing – Manual + Automated
Compliance Coverage: OWASP Top 10, CWE/SANS Top 25, PCI-DSS, SOC 2, ISO 27001

Assessment Types:

  • Black-box Web App Vulnerability Testing
  • Authenticated and Unauthenticated Testing
  • Session & Access Control Validation
  • Business Logic Abuse Testing
  • API Endpoint Security Testing

2. Our Approach

[Application Discovery] → [Automated Recon & Crawling] → [Manual Validation] → [Authenticated Testing] → [Business Logic Testing] → [Risk Reporting] → [Remediation Support] → [Revalidation]

3. Methodology

[Initial Application Mapping] → [Crawler Setup & Baseline Scan] → [Authentication Handling] → [Exploit Simulation & Payload Injection] → [Session & ACL Testing] → [Custom Test Case Execution] → [False Positive Review] → [Report Delivery]

4. Deliverables to the Client

  1. Dynamic Application Security Testing Report
  2. Vulnerability Summary (OWASP/CWE mapped)
  3. Screenshots and Proof-of-Concepts (PoCs)
  4. Authentication & Session Handling Analysis
  5. Input Validation & Output Encoding Review
  6. Business Logic Testing Summary
  7. Remediation Recommendations with Examples
  8. Revalidation Report Post-Fix
  9. Optional: CI/CD Integration Guidelines

5. What We Need from You (Client Requirements)

  • Base URL(s) of application(s) under test
  • Test credentials for authenticated workflows (if applicable)
  • Information on role-based access levels
  • Whitelisting of scanning IPs or tools (if needed)
  • Prior knowledge of app architecture (optional)
  • NDA and scope sign-off prior to engagement

6. Tools & Technology Stack

  • Burp Suite Pro / OWASP ZAP
  • Postman / Insomnia (for manual API fuzzing)
  • Nikto / dirsearch / ffuf (content discovery)
  • Nuclei / custom active probes
  • Browser DevTools + Manual Inspection
  • Browser Automation (Selenium, Puppeteer)
  • MITM proxies and session hijack tools
  • Dynamic fuzzers and payload generators
  • In-house DAST extensions and test cases

7. Engagement Lifecycle

1. Kickoff & Scope Definition → 2. Application Access Setup → 3. Automated & Manual Testing Phase (2–4 weeks typical) → 4. Report Draft → 5. Remediation Advisory → 6. Revalidation Scan → 7. Final Report + Certificate

8. Why Sherlocked Security?

Feature Sherlocked Advantage
Manual + Automated Techniques False positives removed, deeper logic tested manually
Real-World Exploitation Payloads simulate true adversarial behavior
Custom Authentication Handling Test beyond login pages, including MFA and SSO
Business Logic Coverage Tailored tests for process abuse and logic flaws
API Endpoint Validation REST, GraphQL, SOAP endpoints fuzzed and verified
OWASP-CWE Mapped Output Structured, compliance-aligned vulnerability reporting
Revalidation & Closure Fixes are retested and verified before sign-off

9. Real-World Case Studies

Healthcare SaaS: Broken Access Control & Session Issues

Issue: Insecure direct object references (IDOR) allowed record access across tenants.
Impact: PHI and sensitive patient data were accessible by unauthorized users.
Our Role: Identified access flaws via manual API testing, advised on role checks.
Outcome: Role-based authorization enforced, session validation patched across endpoints.

FinTech API: Unauthenticated Sensitive Function Access

Client: Digital Payments Platform
Findings: Funds transfer API accessible without proper token validation.
Outcome: Auth middleware patched, JWT validation centralized, custom test added to CI.

10. SOP – Standard Operating Procedure

  1. Scope Definition & Asset Discovery
  2. Application Mapping & Crawler Calibration
  3. Baseline Automated Vulnerability Scan
  4. Authentication Handling & Workflow Mapping
  5. Manual Business Logic Abuse Testing
  6. Fuzzing of Inputs, APIs, and Headers
  7. Session & Role Escalation Testing
  8. Reporting with Technical Findings + Risk Mapping
  9. Developer Walkthrough or Advisory (Optional)
  10. Revalidation Scan & Final Closure

11. DAST Testing Checklist

1. Reconnaissance & Application Mapping

  • Map all entry points: URLs, parameters, forms, headers, cookies, JSON/XML bodies
  • Identify HTTP methods accepted by endpoints (GET, POST, PUT, DELETE, PATCH)
  • Parse JavaScript files for hidden endpoints, API keys, internal references
  • Extract routes from Swagger/OpenAPI specs or inline JS configs
  • Identify linked domains, third-party scripts, and SSO integrations
  • Analyze robots.txt, sitemap.xml, and .env exposure (accidental disclosures)
  • Analyze SPA routing behaviors (React, Angular, Vue) for misrouted endpoints

2. Authentication & Session Management

  • Test login endpoints for brute-force protection, 2FA/MFA enforcement
  • Attempt bypass of authentication (e.g., forced browsing, missing checks)
  • Test session expiration (idle and absolute timeout enforcement)
  • Analyze JWT structure: weak algorithms (none/HS256 abuse), missing expiration
  • Test for insecure token storage (localStorage, sessionStorage)
  • Assess token revocation mechanisms on logout or password change
  • Evaluate cookie flags: Secure, HttpOnly, SameSite=strict/lax
  • Test for session fixation and predictable session IDs
  • Verify OAuth/OIDC flows for state parameter handling, token leakage

3. Input Validation & Server-Side Vulnerabilities

  • SQL Injection (error-based, time-based, blind, stacked queries)
  • OS Command Injection via file upload names, headers, parameters
  • Server-Side Request Forgery (SSRF) on file fetchers, PDF converters, image processors
  • XML External Entity (XXE) attacks via XML parsers in uploads or APIs
  • Server-Side Template Injection (SSTI) in templating engines (Jinja2, Twig, Velocity)
  • Path Traversal & Local File Inclusion (LFI) on downloaders, archive handlers
  • File Upload Attacks: MIME spoofing, bypass extensions, polyglot files, image+PHP
  • Insecure Deserialization (Java, .NET, PHP) in API payloads
  • Mass Assignment / Over-posting in object mappers (e.g., isAdmin=true injection)
  • Misconfigured web servers: .git/.svn/.env/.DS_Store exposure

4. Client-Side Security Testing

  • Reflected, stored, and DOM-based Cross-Site Scripting (XSS)
  • CSP (Content Security Policy) evaluation – missing or overly permissive
  • CORS misconfigurations (wildcard origins, credentials leakage)
  • Open Redirects using unvalidated next/url parameters
  • Clickjacking vulnerability if X-Frame-Options/CSP not enforced
  • Insecure JavaScript dependencies (enumerated from source, SRI hashes, or npm)
  • DOM clobbering or prototype pollution vectors
  • Sensitive data exposure in frontend JS (debug logs, hardcoded secrets, config leaks)
  • Browser autocomplete leakage on sensitive forms

5. Business Logic Abuse

  • Bypass of multi-step workflows (e.g., cart > payment > confirmation)
  • Re-use of tokens or links (e.g., email validation or password reset URLs)
  • Abuse of discounts, coupons, reward systems through parameter tampering
  • Forced browsing of unauthorized states or roles
  • Order tampering (modifying prices, quantities, shipping logic via requests)
  • Replay attacks (repeatable POST requests for transactional endpoints)
  • Testing concurrent transactions for race conditions
  • Circumventing balance checks in fintech or credit systems
  • Modifying app state or switching roles via hidden parameters

6. API & Backend Security Testing

  • Unauthenticated endpoints providing sensitive data
  • Missing access control on object/resource-level APIs (IDOR vulnerabilities)
  • GraphQL introspection abuse, schema leakage, unfiltered queries
  • Broken Function Level Authorization (accessing other roles’ methods)
  • Improper rate limiting or throttling (DoS or brute-force vectors)
  • Injection attacks via JSON/XML fields
  • Content-Type-based attacks (forcing backend to interpret as XML)
  • Fuzz APIs for verbose error messages, backend stack traces, or internal data leakage
  • Check for wildcard methods in REST APIs (verb confusion attacks)
  • Bypass authentication via manipulation of tokens or headers (e.g., X-Forwarded-For, X-Original-URL)

7. Security Headers & Response Configuration

  • Check for missing or misconfigured headers:
    • Content-Security-Policy
    • X-Content-Type-Options
    • X-Frame-Options
    • X-XSS-Protection
    • Referrer-Policy
    • Permissions-Policy
  • Validate correct HTTP caching on authenticated/sensitive resources
  • Identify exposed stack traces or debug messages in responses
  • Check for verbose HTTP headers: server, X-Powered-By, ASP.NET versions, etc.
  • Ensure no insecure redirects or mixed-content warnings

8. Cryptographic and Token Handling Flaws

  • Insecure password policies (e.g., low complexity, no lockout)
  • Weak token generation (predictable, short UUIDs, or timestamps)
  • Tokens or secrets exposed in URLs, referrers, or frontend code
  • JWTs with none algorithm or missing exp, iat, aud claims
  • Insecure use of cryptography (ECB mode, static keys, weak algorithms)
  • Failure to implement secure key rotation or token revocation mechanisms

9. Reporting & Remediation

  • Provide technical vulnerability report with full request/response PoCs
  • Categorize each finding using OWASP and CWE identifiers
  • Detail severity, impact, affected components, and remediation priority
  • Include recommendations with code examples or configuration hardening steps
  • Supply retest coverage delta between original and post-fix states
  • Assist with developer walkthroughs or patch validation calls
Browser Security & Extension Audits
Mobile App Hardening & Obfuscation