Skip to content

Tag: Tools

What do Security Folks think about DAST?

Note that this a collection of tweets about DAST (excluding any specific company pitch). In general, it seems like many companies are unable to utilize the potential of DAST yet because of limitations in most of DAST tools. This opens up opportunity for people to create new DAST tool to overcome current problems.

Summary

  • Many AppSec folks are struggling to get any real value out of commercial DAST tools. Many problems include tools being unable to record Authentication properly and test coverage issues.
  • OWASP ZAP and Burp Enterprise Scanner are popular tools used in DAST automation in DevSecOps pipeline.
  • Some AppSec folks are proxying their QA stage to ZAP or Burp in order to improve test coverage of DAST scan.
  • DAST biggest issue in modern apps is not exactly ‘testing’ or even ‘detecting’ vulns, but crawling the same website to identify to the attack surface.” ~ Jeremiah Grossman
  • OWASP Attack Surface Mapper tries to use SAST to pre-seed attack surface for DAST scan.

Interesting Tweets about DAST

https://sectooladdict.blogspot.com/

How to edit response in Burp Proxy?

In this post, I will show how you can edit the response in Burp Proxy. This is useful in cases where you want to demonstrate that you can inject JavaScript code in the response. I will use the domain “www.example.com” to illustrate.

1) First, intercept the GET request and then click on Action button. In the menu, select ‘Do intercept’ > ‘Response to this request’.

2) Click Forward to allow the GET request to be made. Then you will notice that you can now see the response from www.example.com

3) In the response, you can simply perform malicious actions such as tampering the HTML body or inserting JavaScript code into the response.

4) Finally, when you forward the edited response, the alert will appear and the body will show that it is tampered.