Skip to content


OWASP Attack Surface Detector (ASD) – Demo

In this post, we will see how Attack Surface Detector (ASD) can be used to expand the attack surfaces of a web application. This is useful in improving test coverage of many Dynamic Application Security Testing (DAST) tools. As I have pointed out in this post, many DAST tools are not able to identify some attack surfaces during the spidering / crawling stage.

I will not go through how to install ASD.

First, clone this project and then run it. You will need to use Java 8. If you are using Java 11, then set JAVA_HOME and PATH to Java 8 (JDK).

Please follow this video first on how to install ASD extension in Burp Suite.

In the screenshot below, we can see that Target > Site map is showing the highlighted endpoints are generated from ASD. Select the highlighted endpoints and run an active scan.

We can see that Cross-site Scripting are detected in the imported assets from the source code.

To verify, we can load one of the attack payload to see the result.

Why ASD is useful?

There are times where the web application is so huge and no one have an accurate inventory of the endpoints. This means that there might be untested endpoints during DAST / Manual Testing. ASD helps to ensure at least the endpoints that are derived from the source code will be added to the testing.

What do Security Folks think about DAST?

Note that this a collection of tweets about DAST (excluding any specific company pitch). In general, it seems like many companies are unable to utilize the potential of DAST yet because of limitations in most of DAST tools. This opens up opportunity for people to create new DAST tool to overcome current problems.


  • Many AppSec folks are struggling to get any real value out of commercial DAST tools. Many problems include tools being unable to record Authentication properly and test coverage issues.
  • OWASP ZAP and Burp Enterprise Scanner are popular tools used in DAST automation in DevSecOps pipeline.
  • Some AppSec folks are proxying their QA stage to ZAP or Burp in order to improve test coverage of DAST scan.
  • DAST biggest issue in modern apps is not exactly ‘testing’ or even ‘detecting’ vulns, but crawling the same website to identify to the attack surface.” ~ Jeremiah Grossman
  • OWASP Attack Surface Mapper tries to use SAST to pre-seed attack surface for DAST scan.

Interesting Tweets about DAST