IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Glossary
  3. DAST

Testing methods

DAST

Dynamic Application Security Testing

Dynamic Application Security Testing (DAST) evaluates an application in its running state by sending requests and analyzing responses, without access to source code. Because it exercises the deployed system, DAST finds issues that only appear at runtime - authentication flaws, injection, misconfiguration - but traditional DAST relies on signatures and struggles with business logic and multi-step attack chains.

Key points

  • Black-box: no source code required; tests the deployed app over HTTP.
  • Finds runtime issues but classic DAST pattern-matches rather than reasons.
  • Complementary to SAST, which analyzes code statically.
  • AI-driven testing extends DAST by investigating and chaining findings.

FAQ

What is the difference between DAST and SAST?

DAST tests a running application from the outside with no source code, finding runtime and configuration issues. SAST analyzes source code or bytecode statically, before the app runs. They find different classes of issues and are commonly used together.

Related

SASTIASTPenetration TestingAutonomous Penetration TestingSQL Injection (SQLi)Cross-Site Scripting (XSS)Server-Side Request Forgery (SSRF)

References

  • OWASP: DAST

Impactr is an autonomous AI penetration testing platform - it investigates, chains, and proves web and API vulnerabilities with reproducible evidence.

Join the waitlist
← All terms
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub