Scan Your API for Vulnerabilities (DAST)

Dynamic Application Security Testing (DAST) assesses the security of an application while it is running by scanning for vulnerabilities, weaknesses and potential security risks. Jit uses OWASP Zed Attack Proxy (ZAP) for DAST. ZAP simulates real-world attack scenarios on APIs and web applications and generates a comprehensive view of an application's security posture:

  • APIs: detects an extensive list of weaknesses, misconfigurations, and security vulnerabilities, so your APIs can be checked before, during, and after they reach production.
  • Web applications: detects vulnerabilities such as SQL injection, cross-site scripting, clickjacking or path traversal that are not visible from the source code alone.

While scanning, ZAP uses active and passive rules:

  • Active rules: identify potential vulnerabilities by sending known attack payloads to the selected targets in the web application. Because they inject requests, active rules can change application state and should be run against a test environment or with that in mind.
  • Passive rules: inspect every HTTP request and response exchanged with the API or web application under test. Passive scans never modify messages and send no additional requests, so they are safe to run against any target.

For more information about scans and their rules see ZAP Rules for Detecting Vulnerabilities.

About Jit scanning for vulnerabilities using ZAP

  • Scans can be set to run on a daily schedule and whenever a deployment event is detected in your GitHub account.
  • Scans can run authenticated, using one of several supported authentication methods, or unauthenticated for black-box testing. Jit recommends authenticated scanning: it reaches the endpoints behind login that an unauthenticated scan never sees, and so provides deeper coverage and more findings.


Whitelisting Jit DAST scanners

To perform API scans, ZAP requires network access to your APIs. If your APIs are secured with an IP whitelist (on a firewall, security group, WAF or reverse proxy), make sure the following addresses are included:

  • 3.220.250.224/32
  • 52.45.232.22/32

Adding these addresses to your whitelist lets ZAP conduct its scans without interruption. The whitelist must be applied at whichever layer actually sees the scanner's connections; an entry on the origin server does not help if a WAF or CDN in front of it blocks the request first.
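A quick way to confirm the whitelist actually admits both scanner addresses is to compare it, as CIDR networks, against the two entries above. The script below is an added example and is not Jit's or ZAP's own code; the scanner addresses are the two from this page, while `SAMPLE_ALLOWLIST` is constructed sample data standing in for whatever your security group, WAF or reverse proxy holds. It also renders the entries as nginx `allow` directives for the reverse-proxy case.

```python
"""Check that an IP whitelist admits the Jit DAST (ZAP) scanner addresses.

Added example, not Jit's or ZAP's own code. JIT_DAST_SCANNERS holds the
two /32 entries documented for the scanners; SAMPLE_ALLOWLIST is
constructed sample data, not a real configuration.
"""
import ipaddress

# Source addresses the Jit ZAP scanners connect from (from the page above).
JIT_DAST_SCANNERS = ("3.220.250.224/32", "52.45.232.22/32")

# Constructed sample whitelist: an office range, a partner host, and a
# stale entry that is close to, but does not actually cover, a scanner.
SAMPLE_ALLOWLIST = [
    "203.0.113.0/24",
    "198.51.100.7/32",
    "52.45.232.0/28",   # covers 52.45.232.0-15 only, so NOT 52.45.232.22
]


def uncovered_scanners(allowlist, scanners=JIT_DAST_SCANNERS):
    """Return the scanner entries that no whitelist CIDR contains.

    Entries are compared as networks, so a broad range such as
    3.220.0.0/16 counts as covering 3.220.250.224/32. A malformed
    whitelist entry raises ValueError instead of being silently skipped,
    because a typo in a firewall rule is exactly what this check is for.
    """
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    missing = []
    for scanner in scanners:
        scanner_net = ipaddress.ip_network(scanner, strict=True)
        covered = any(
            scanner_net.subnet_of(net)
            for net in nets
            if net.version == scanner_net.version  # subnet_of rejects mixed v4/v6
        )
        if not covered:
            missing.append(scanner)
    return missing


def nginx_allow_directives(scanners=JIT_DAST_SCANNERS):
    """Render the scanner addresses as an nginx access-control block.

    The trailing 'deny all;' matters: nginx evaluates allow/deny in order
    and an allow list without a final deny permits everything.
    """
    lines = [f"allow {entry};" for entry in scanners]
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    missing = uncovered_scanners(SAMPLE_ALLOWLIST)
    if missing:
        print("Scanner addresses NOT covered by the whitelist:")
        for entry in missing:
            print(f"  {entry}")
        print("\nAdd these directives (nginx example) inside the API location block:")
        print(nginx_allow_directives(missing))
    else:
        print("All Jit DAST scanner addresses are whitelisted.")
```

Run it with the whitelist exported from your own environment (for example the CIDR list from a security-group ingress rule) substituted for `SAMPLE_ALLOWLIST`; with the sample data both scanner entries are reported missing, because `52.45.232.0/28` stops at `.15`.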