Skip to main content

About the DAST Essentials scanners

DAST Essentials can perform scans in two variants:

Quick scan

Runs only non-invasive tests for "live" production versions of your code. By default, it uses a single-page crawler, which is optimized for web applications written in languages such as Angular and React, Vue, or Jquery. For applications with multiple pages, such as those written in PHP or JSP, you can change to a multi-page scanner on the Configure target page.

Full scan

Runs all DAST Essentials scanners. Only recommended for test or developer systems, as security scanners can decrease performance or impact live data for productive systems. Several factors can increase the scan time, such as the scanners you run, network performance, the number of web pages or API endpoints, the amount of content on each page, and the target configuration. These scans can impact the performance of your live web application or API. To ensure that these resources run optimally, consider running a full scan in a staged environment.

You can change the selected scanners on the Configure target page. If the URL is protected by HTTP basic authentication using a .htaccess file, on the Configure target page, you must add your username and password to the System Authentication section on the Authentication tab.



  • Server Version Fingerprinting
  • Web Application Version Fingerprinting
  • CVE Comparison of found issues

Transport Layer Security (TLS/SSL)

Security Headers

Content-Security-Policy headers

Port Scan

Injection Attacks

  • Boolean-based blind SQL Injection
  • Time-based blind SQL Injection
  • Error-based SQL Injection
  • UNION query-based SQL Injection
  • Stacked queries SQL Injection
  • Out-of-band SQL Injection
  • Command Injection
  • File Inclusion

XML External Entity (XXE) Processing

Cross-site Scripting (XSS)

Cross-Site Request Forgery (CSRF) Deserialization


  • Directory Fuzzer
  • File Fuzzer