External DAST
Coverage, analyzers, and how WASViking calibrates payloads to the environment.
The external DAST core covers a typical web application surface end to end. Every analyzer reads a per-host Environment Profile so payloads adapt to the detected stack rather than firing a static catalog.
Analyzer catalog
| Coverage | What it covers | Primary CWEs |
|---|---|---|
| SQL Injection | Error-based, boolean-blind, time-based, UNION-based, out-of-band SQLi across seven injection points. DBMS fingerprint drives payload selection. | CWE-89 |
| Cross-Site Scripting (XSS) | Reflected, stored, and DOM. SPA-aware via headless browser execution. Auth-context propagation. | CWE-79 |
| JWT and token security | Alg confusion, weak secret recovery, JWKS proprietary-path discovery, form-login JWT auto-discovery, raw claim visibility. | CWE-347, CWE-287 |
| Injection class | 11 detectors in one pass: SSRF, CmdInj, Path Traversal/LFI, SSTI, Open Redirect, XXE, Insecure Deserialization, CRLF, RFI, IDOR, Race Conditions. | CWE-918, CWE-78, CWE-22, CWE-1336, CWE-601, CWE-611, CWE-502, CWE-93, CWE-98, CWE-639, CWE-362 |
| Component detection | Fingerprints frameworks, CMS, and libraries from outside. Enriched with OSV.dev and CISA KEV. EOL heuristic. | CWE-937, CWE-1104, CWE-1395 |
| Sensitive file and path exposure | Path classification with soft-404 calibration (three canary shapes), content-type gating, per-kind positive fingerprints. | CWE-538 |
| Security headers | OWASP secure headers, CSP, HSTS, COOP/COEP, Referrer-Policy. Severity calibrated against the Environment Profile. | CWE-693 |
Authenticated scanning
Authenticated scans share a single form-login session across every analyzer. SQL Injection, XSS, JWT, GraphQL, and the injection-class checks all consume the same authenticated cookies, so a multi-analyzer run looks like one user to the target's anti-brute-force controls.
The AI Form Login Autofill feature detects login selectors automatically
and falls back to a headless browser for SPAs. A five-verdict
compatibility classifier returns one of: compatible, captcha, spa,
multi-step, uncertain. The verdict recommends the right auth mode
(Form Login, Bearer, or Cookie).
Blind-class detection (OAST)
Blind SSRF, blind XXE, blind RFI, blind SSTI, and blind CmdInj are resolved through an out-of-band collaborator WASViking ships and operates itself.
- Per-scan token, single-tenant correlation.
- HTTP and DNS interactions captured.
- Native integration with the injection-class checks.
- No third-party data path. Everything stays in your tenant.
The collaborator URL is https://<tenant-token>.oast.wasviking.com/.
The Out-of-Band Validation page covers this in full, including the portal view where captured interactions are listed.
Environment Profile calibration
The Environment Profile is available to every analyzer on each scan. Six analyzers adapt to it, which means fewer false positives and findings that survive engineering review.
| Coverage | What it adapts |
|---|---|
| SQL Injection | DBMS fingerprint drives payload variant selection. |
| Cross-Site Scripting (XSS) | SPA detection switches to headless browser execution. |
| Injection class | Defenses (WAF, CSP) inform payload class selection. |
| JWT and token security | JWKS placement determines kid-confusion attempts. |
| Sensitive file and path exposure | Server stack drives the positive-fingerprint set. |
| Security headers | Profile drives severity calibration. |
False-positive controls
WASViking ships three mechanisms specifically to suppress noise common in naive scanners:
- Soft-404 calibration with three canary shapes in the sensitive-file and path checks, including a dotfile canary, kills empty-200 catch-all matches.
- Stable finding fingerprint so the same issue is the same row across scans, with audit-tracked status.
- Primary risk category override in the AI layer so the LLM cannot reclassify a finding away from the engine's verdict.
Output
Every external DAST finding carries:
- A stable fingerprint.
- The payload that triggered it.
- The raw HTTP request and response that proves it.
- A canonical CWE mapping.
- A Risk Score 0-100.
- An SLA window.
- A compliance control mapping.
- An AI recommendation, bilingual (EN, PT-BR, ES).
What is not covered here
- Modern API protocols. See the Modern API Security pages (coming soon).
- Internal applications. See the Sentinel agent section (coming soon).
- Software composition. See the Supply Chain pages (coming soon).