How to setup a DAST scan

Background

Strobes come with built-in open-source and commercial scan connectors with which you run different types of SAST, DAST, Network, and Cloud scans. In this article, we are gonna look at how we can set up a DAST scan using OWASP ZAP.

ZAP REST API Scanner is a DAST tool to evaluate the security of your REST API using the postman collection.

Usage Flow Instructions

• Login into Strobes
• Visit your organization
• Go to Connectors
• Click on File Manager
• Enter a configuration name and click Next
• Export your Postman collection file(.json) of V2.1 and upload it using the File Manager connector.
• Close file manager window
• Click on ZAP Rest API Scanner
• Enter configuration name, select baseline, and click on next
• Select file manager config with Postman collection, select asset and agents also you can add your postman collection’s environmental variables in placeholders in key-value pair format.
• Select schedule scan and click on next
• Click on submit
• Click on New Scan to initiate the scan.
• You can find remote scan details in the settings tab of this configuration.

Note: ZAP Web Application scanner Configuration creation flow is also the same. The only difference is this scanner takes Asset URL as a target for scanning instead of API collection.