OWASP Penetration Testing Kit - DAST (Dynamic Application Security Testing)

Generate report

Scanning

Scan in runtime

Stop runtime scan

Loading

Scan progress:

Rulepack:

Status:

Analysis Explorer

Attacks

0

Findings

0

Critical

0

High

0

Medium

0

Low

0

Info

0

DAST, or Dynamic Application Security Testing, is a security testing method that analyzes a running application by simulating real-world attacks to identify vulnerabilities, much like a penetration tester.

How to scan an application:

Click the "Scan in runtime" button and confirm it's starting
Start browsing the application you are scanning (click links, submit forms, etc.)
Once completed open DAST scanner (R-Attacker) and stop the scan
Check the result

Modules CVE Modules

Module	Number of attacks	Severity

Module	Number of attacks	Severity

Open Settings

Close

PTK Pro

Portal project

Upload

Download

No completed scan available to upload yet. Run or download a scan first.

Domain	Scan ID	Scan date	Download

Are you sure you want to run DAST scan against ?

Load

Reload this tab to enable runtime scans (IAST/SAST). DAST can still run.

Domains to scan (comma separated):

Example:
domain.com, api.domain.com, subdomain.domain.com, www.domain.com
OR
*.domain.com - to scan all subdomains

Scan strategy:

Strategy:

Fast – attack all params in one request, stop after first finding per module/URL
Smart (recommended) – one param per request, stop after first finding per module/param
Comprehensive – one param per request, report all findings

Safety profile:

Safety profile:

Strict - lowest footprint, narrow targeting, safest defaults
Safe (recommended) - balanced coverage and control
Wide - broadest coverage and higher scan pressure

Scan policy:

Scan policy:

Recon (system) - focuses on discovery (URLs, parameters, tech signals, passive checks) with a minimal footprint
Active (system) - runs exploit-style tests and can generate a lot more requests — use it only when you have permission and the target can handle it
PTK Pro policies can appear here when available, offering advanced and customizable scanning options for Pro users.

Auto-discover same-origin links:

Auto-discovery:
PTK can follow links found in visited HTML pages and queue them for DAST. Leave this off to scan only the requests created by your own browsing.

Autodiscovery budget:

Autodiscovery budget:
Controls how many unique same-origin links PTK can add during this scan.

Strict - minimal expansion from the pages you visit
Safe (recommended) - balanced coverage without broad crawling
Wide - allows substantially broader discovery

Attack RPS:

Attack requests per second:
5-10 requests/second is a safe default for most websites, especially for active scanning (SQLi, XSS, etc.).

5 if you want to be extra gentle, minimize detection, or scan “production” apps
10 if you know the site can take some load or it’s a dev/test environment
2-3 for critical production, very slow or fragile sites, or to fly under the radar

Concurrency:

Concurrency:
1-3 is a safe range. Never more than 5, unless you’re doing very short requests and you control the target

1 (sequential) if you want minimal footprint or are scanning “live” apps
2 for reasonable speed without overloading a single tab/session
3-4 for dev/test where performance matters more than stealth

Run CVE attacks:

CVE-specific attacks:
May trigger 5xx errors or crashes on vulnerable endpoints. Only use on systems you own.

Record macro during scan:

Record macro during scan:
Starts the macro recorder on the current tab without reloading it, so the same runtime scan flow is captured as a reusable macro.

Cancel

Run scan

Import/Export

Export

Export

Preparing export...

Or

Import from text

Import from file