# dynamic-application-security-testing

Perform dynamic security testing against running web applications and APIs to discover vulnerabilities through active probing and fuzzing.
| Field | Value |
|---|---|
| name | dynamic-application-security-testing |
| description | Perform dynamic security testing against running web applications and APIs to discover vulnerabilities through active probing and fuzzing. |
| license | MIT |
| metadata | {"author":"awesome-ai-agent-skills","version":"1.0.0"} |
This skill enables the agent to perform Dynamic Application Security Testing (DAST) against running web applications and APIs. Unlike static analysis, DAST interacts with the application at runtime — sending crafted HTTP requests, fuzzing input parameters, and analyzing responses to detect vulnerabilities such as SQL injection, cross-site scripting, server misconfigurations, broken authentication, and insecure API endpoints. The agent configures scan profiles, handles authenticated scanning, interprets results, and produces actionable remediation reports.
1. **Define Target Scope and Scan Policy** — Specify the target URL, application type (traditional web app, SPA, REST API, GraphQL), and scan boundaries. Define which paths and domains are in scope to prevent scanning unintended targets. Select a scan policy: passive-only for low-risk reconnaissance, active for full vulnerability probing, or API-specific for endpoint fuzzing.
2. **Configure Authentication** — For applications behind a login, configure the scanner with valid credentials or session tokens. Set up form-based authentication by specifying the login URL, username/password fields, and a logged-in indicator string. For API testing, configure Bearer tokens, API keys, or OAuth flows so the scanner can reach authenticated endpoints.
3. **Execute the DAST Scan** — Launch the scan using the selected tool (OWASP ZAP, Burp Suite, or Nuclei). The scanner first spiders the application to discover endpoints, then actively probes each endpoint with attack payloads. Monitor scan progress and resource consumption to avoid overwhelming the target environment.
4. **Analyze and Classify Findings** — Review scan results and classify each finding by vulnerability type, severity (using CVSS), confidence level, and affected URL. Filter out informational noise and false positives by verifying that the reported response actually demonstrates the vulnerability.
5. **Generate Remediation Report** — Produce a structured report containing each finding with the vulnerable URL, HTTP request/response evidence, severity rating, CWE identifier, OWASP category mapping, and specific remediation guidance. Export in HTML, JSON, or SARIF format for integration with issue trackers.
6. **Schedule Recurring Scans** — Configure the scan to run on a regular schedule (e.g., nightly against staging) or trigger it on deployment to a QA environment. Compare results across scan runs to track remediation progress and detect newly introduced vulnerabilities.
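Steps 4 and 6 in practice, as an added example that is not part of the skill or of ZAP itself: triage a ZAP JSON report (drop informational and low-confidence alerts, order by risk) and diff two runs to list newly introduced and fixed findings. The report layout (site[] -> alerts[] -> instances[], riskcode/confidence as "0".."3") and the sample alerts are assumptions constructed for this example.

```python
# Constructed excerpt shaped like a ZAP JSON report (-J): site[] -> alerts[] -> instances[].
# Real reports carry riskcode/confidence as strings "0".."3" (Informational..High); that
# layout is assumed here and is not taken from the skill page itself.
CURRENT_RUN = {"site": [{"@name": "https://staging.example.com", "alerts": [
    {"alert": "SQL Injection", "riskcode": "3", "confidence": "3", "cweid": "89",
     "instances": [{"uri": "https://staging.example.com/api/v2/search", "method": "POST", "param": "query"}]},
    {"alert": "Cookie Without Secure Flag", "riskcode": "2", "confidence": "3", "cweid": "614",
     "instances": [{"uri": "https://staging.example.com/login", "method": "GET", "param": "session"}]},
    {"alert": "Timestamp Disclosure", "riskcode": "0", "confidence": "1", "cweid": "200",
     "instances": [{"uri": "https://staging.example.com/static/app.js", "method": "GET", "param": ""}]},
]}]}
PREVIOUS_RUN = {"site": [{"@name": "https://staging.example.com", "alerts": [
    {"alert": "Cookie Without Secure Flag", "riskcode": "2", "confidence": "3", "cweid": "614",
     "instances": [{"uri": "https://staging.example.com/login", "method": "GET", "param": "session"}]},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "3", "cweid": "693",
     "instances": [{"uri": "https://staging.example.com/", "method": "GET", "param": ""}]},
]}]}
RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

def triage(report, min_risk=1, min_confidence=2):
    """One row per alert instance, highest risk first. Informational alerts and
    low-confidence hits are dropped: they need manual verification, not a ticket."""
    rows = []
    for site in report["site"]:
        for alert in site["alerts"]:
            risk, conf = int(alert["riskcode"]), int(alert["confidence"])
            if risk < min_risk or conf < min_confidence:
                continue
            for inst in alert["instances"]:
                rows.append({"alert": alert["alert"], "risk": RISK[risk], "risk_code": risk,
                             "cwe": f"CWE-{alert['cweid']}", "method": inst["method"],
                             "uri": inst["uri"], "param": inst.get("param", "")})
    return sorted(rows, key=lambda r: -r["risk_code"])

def diff_runs(previous, current):
    """Compare two runs on (alert, method, uri, param) and return
    (new_findings, fixed_findings) so remediation progress can be tracked."""
    key = lambda r: (r["alert"], r["method"], r["uri"], r["param"])
    prev = {key(r): r for r in triage(previous)}
    curr = {key(r): r for r in triage(current)}
    new = [r for k, r in curr.items() if k not in prev]
    fixed = [r for k, r in prev.items() if k not in curr]
    return new, fixed
```

Feed `diff_runs` the previous and current `zap-report.json` (parsed with `json.load`) from the nightly runs described in step 6.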
Provide the agent with the target URL, authentication credentials if needed, and the desired scan depth. The agent will configure the scanner, execute the test, and deliver a prioritized findings report.
Prompt example:
Run a DAST scan against our staging application at https://staging.example.com. Use OWASP ZAP with the login form at /login (username: testuser, password: Test@1234). Scan all API endpoints under /api/v2 and generate an HTML report.
ZAP Docker command with authentication:
```bash
# Report files land in ./report via the /zap/wrk mount; the -z string passes
# form-handler settings through to ZAP so the login form is filled in.
docker run --rm -v "$(pwd)/report:/zap/wrk" owasp/zap2docker-stable zap-full-scan.py \
  -t https://staging.example.com \
  -r zap-report.html \
  -J zap-report.json \
  -c zap-config.conf \
  --hook=zap-auth-hook.py \
  -z "-config formhandler.fields.field(0).fieldId=username \
      -config formhandler.fields.field(0).value=testuser \
      -config formhandler.fields.field(1).fieldId=password \
      -config formhandler.fields.field(1).value=Test@1234"
```
Findings Report (excerpt):
| # | Risk | Alert | URL | CWE | OWASP | Confidence |
|---|---|---|---|---|---|---|
| 1 | High | SQL Injection | POST /api/v2/search | CWE-89 | A03:2021 | High |
| 2 | High | Cross-Site Scripting (Reflected) | GET /search?q=<script> | CWE-79 | A03:2021 | High |
| 3 | Medium | Missing Anti-CSRF Tokens | POST /api/v2/profile/update | CWE-352 | A01:2021 | Medium |
| 4 | Medium | Cookie Without Secure Flag | Set-Cookie: session=... | CWE-614 | A05:2021 | High |
| 5 | Low | X-Content-Type-Options Header Missing | All responses | CWE-693 | A05:2021 | High |
| 6 | Low | Server Leaks Version Information | Server: Apache/2.4.49 | CWE-200 | A05:2021 | High |
Evidence for Finding #1 — SQL Injection:

Request:
```http
POST /api/v2/search HTTP/1.1
Content-Type: application/json

{"query": "test' OR '1'='1' --"}
```
Response:
```http
HTTP/1.1 200 OK

[returned all 4,892 records instead of matching records]
```
Remediation: Use parameterized queries or ORM methods. Validate and sanitize all user input before including it in database queries.
Custom template (exposed-debug-endpoints.yaml):
```yaml
id: exposed-debug-endpoints

info:
  name: Exposed Debug/Admin Endpoints
  author: security-team
  severity: high
  description: Detects debug and admin endpoints that should not be publicly accessible.
  tags: misconfiguration,exposure
  classification:
    cwe-id: CWE-489
    cvss-score: 7.5

http:
  - method: GET
    path:
      - "{{BaseURL}}/debug"
      - "{{BaseURL}}/actuator"
      - "{{BaseURL}}/actuator/env"
      - "{{BaseURL}}/graphql/playground"
      - "{{BaseURL}}/_profiler"
      - "{{BaseURL}}/elmah.axd"
      - "{{BaseURL}}/phpinfo.php"
    stop-at-first-match: false
    # Both matchers must hold: a 200 response AND one of the words in it
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "debug"
          - "actuator"
          - "environment"
          - "playground"
        condition: or
```
Running the scan:
```bash
nuclei -u https://staging.example.com -t exposed-debug-endpoints.yaml -t cves/ -severity high,critical -json -o nuclei-results.json
```
Sample output:
```text
[exposed-debug-endpoints] [http] [high] https://staging.example.com/actuator/env
[exposed-debug-endpoints] [http] [high] https://staging.example.com/graphql/playground
[CVE-2021-44228] [http] [critical] https://staging.example.com/api/v2/log
```
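Turning the `nuclei-results.json` written by the command above into the SARIF export that step 5 calls for, as an added example that is not part of the skill or of nuclei: one SARIF rule per template id, one result per matched URL, with a per-level count to gate a pipeline. The JSON-lines field names (`template-id`, `info.severity`, `matched-at`) are assumed from nuclei's JSON output, and the sample lines are constructed to mirror the three findings above.

```python
import json

# Constructed JSON-lines in the shape nuclei writes with -json -o: one object per finding
# with template-id, info.{name,severity,tags} and matched-at. The field names are assumed
# from nuclei's JSON output (not shown on this page); template names are constructed.
NUCLEI_JSONL = "\n".join(json.dumps(f) for f in [
    {"template-id": "exposed-debug-endpoints", "type": "http", "host": "https://staging.example.com",
     "info": {"name": "Exposed Debug/Admin Endpoints", "severity": "high", "tags": ["misconfiguration", "exposure"]},
     "matched-at": "https://staging.example.com/actuator/env"},
    {"template-id": "exposed-debug-endpoints", "type": "http", "host": "https://staging.example.com",
     "info": {"name": "Exposed Debug/Admin Endpoints", "severity": "high", "tags": ["misconfiguration", "exposure"]},
     "matched-at": "https://staging.example.com/graphql/playground"},
    {"template-id": "CVE-2021-44228", "type": "http", "host": "https://staging.example.com",
     "info": {"name": "Apache Log4j2 RCE (Log4Shell)", "severity": "critical", "tags": ["cve", "rce"]},
     "matched-at": "https://staging.example.com/api/v2/log"},
])

# SARIF 2.1.0 result levels are error / warning / note / none.
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note",
               "info": "note", "unknown": "none"}

def nuclei_to_sarif(jsonl):
    """Convert nuclei JSON-lines to a minimal SARIF 2.1.0 log: one rule per template-id,
    one result per matched URL, ready for upload to an issue tracker."""
    rules, results = {}, []
    for line in jsonl.splitlines():
        if not line.strip():          # tolerate blank lines in the output file
            continue
        f = json.loads(line)
        rid, info = f["template-id"], f.get("info", {})
        sev = info.get("severity", "unknown").lower()
        rules.setdefault(rid, {"id": rid, "name": info.get("name", rid),
                               "shortDescription": {"text": info.get("name", rid)},
                               "properties": {"severity": sev, "tags": info.get("tags", [])}})
        results.append({"ruleId": rid, "level": SARIF_LEVEL.get(sev, "none"),
                        "message": {"text": f"{info.get('name', rid)} matched at {f['matched-at']}"},
                        "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["matched-at"]}}}]})
    return {"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": "nuclei", "rules": list(rules.values())}},
                      "results": results}]}

def summarize(sarif):
    """Count results per SARIF level, e.g. to fail a pipeline on any 'error'."""
    counts = {}
    for r in sarif["runs"][0]["results"]:
        counts[r["level"]] = counts.get(r["level"], 0) + 1
    return counts
```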