Create and test DAST projects for web applications and APIs

To run dynamic tests on a web application or API, you first need to create a DAST project in Polaris. Configure some basic settings—including the entry-point URL, target type, and authentication method—and then create the DAST project and associated profile.

Prerequisites

Before you begin, make sure that:

  • Your organization has a subscription with a DAST entitlement.
  • You have permissions to create and manage projects.
    Note: See Roles and permissions for more information.
  • Your subscription has at least one available DAST project.
  • An Organization Admin or Organization Application Manager has either:
  • Polaris has network access to the web application or API you want to scan (only required for external targets). To run DAST tests on external targets, Polaris communicates with your Internet-accessible applications or APIs using IPs that vary between Polaris instances.
    Table 1. fAST Dynamic (DAST) IPs
    Polaris instance IPs (outbound)
    America, production
    • 192.231.134.0/24
    America, POC
    European Union, production
    • 162.244.5.0/24
    Kingdom of Saudi Arabia, production
  • If you want to start DAST tests directly from Black Duck Bridge or a CI/CD pipeline, Bridge CLI version 3.7.0 or later is required.

Additional prerequisites for scanning internal targets

Running DAST tests on internal web applications and APIs (inside private networks) is supported through the Secure Tunnel feature of the Black Duck Bridge. To use this functionality, you must install the Bridge CLI version 3.1.0 or later. For more details, see Test internal DAST projects with Polaris Secure Tunnel and Connect to an internal DAST target from the Bridge CLI in the Bridge CLI documentation.

Create a DAST project

You can create DAST projects for two types of targets:
  • Web applications
  • APIs

A target is identified by its Entry Point URL and can be Internet-accessible or internal (inside a private network). A separate DAST profile is needed for each target you want to scan using fAST Dynamic. A single DAST project can be used for testing a web application or an API target, but not both.

Create a DAST project for a web application target

To create a DAST project for a web application target, follow these steps:
  1. Select Portfolio on the left sidebar.
  2. Select an application with a DAST subscription.
  3. On the Projects tab, select + Create > New Project(s).
  4. Under Project Type, select DAST.
  5. Enter a project name (maximum length: 255 characters).
    Each project name must be unique within the organization.
  6. Enter the Entry Point URL of the web application you want to test dynamically (maximum length: 255 characters).
    When you run a DAST test on this project, fAST Dynamic will begin scanning from the URL you specify. You must have explicit permission to test the specified web application. The Entry Point URL must be:
    • The address of an Internet-accessible, pre-production web application that you have explicit permission to test. If the web application is internal, see step 7.
    • A fully-qualified domain name (FQDN), such as https://example.com/.
  7. If the web application target is internal, select the Entry Point URL is in a private network checkbox.


    For more information, see Test internal DAST projects with Polaris Secure Tunnel.
  8. Under Target Type, select Web Application.
  9. Enter a Profile Name for the DAST profile that will be created for this project. This must be unique within the organization.
  10. Unless you want to define advanced scan settings, leave Manually set up profile selected to use the default scan settings.
    Tip: The default DAST profile options are suitable for most use cases. If necessary, you can fine-tune your profile's settings later on. See Fine-tune a DAST profile for more information.
  11. (Optional) In the Allowed Hosts field, enter a comma-separated list of hosts—sub-domains of the Entry Point URL—to include in DAST scans. For example: 
    https://app.example.com,https://auth.example.com
  12. Select a site authentication method from the Authentication dropdown. If the web application does not require authentication, or you only want fAST Dynamic to scan non-authenticated content, leave this option as None.
    Authentication Description
    Forms Forms authentication.

    Login URL (required): The URL of the web application's login page, e.g., https://example.com/sign-in

    Form Values (optional): Provide a set of site credentials using the Field Name and Value rows; for example, a username and password.
    SAML Single Sign-On (SSO) authentication through a SAML Identity Provider (IdP).

    SSO Login URL (required): The URL of your organization's SSO login page.

    Form Values (optional): Username and password to authenticate to your IdP.

    HTTP Header Values (optional): HTTP request headers as required by your SAML IDP. Enter one or more headers as name/value pairs using the Header Name and Value fields.
    Selenium Authenticate using a Selenium script (.side file), generated by using the Selenium IDE Chrome plug-in.

    Upload .side file (required): Drag and drop a .side file to the file upload box, or browse for it on your computer.
  13. (Optional) Select Perform Active Attacks to enable more intrusive testing of the target.
    Warning: If Perform Active Attacks is selected, fAST Dynamic will simulate real-world attacks by sending various inputs and then observing the application's behavior. These attacks can degrade the application, and expose sensitive data. Remember that fAST Dynamic is not designed or intended for scanning public (production) APIs, applications, and websites.
  14. (Optional) For Internet-accessible web applications only, select Test Connection to run a pre-flight connection test. You can also do this from the Tests page after creating the project and profile. This test can take a few minutes to complete and ensures that:
    • The Entry Point URL is valid.
    • Polaris can connect to the web application and authenticate, if applicable.
  15. Click Save.
Polaris creates a DAST profile to use with this project and web application target. Now, you can run a DAST test against the project from the Polaris UI, or the Bridge CLI (available in Bridge CLI version 3.7.0 or later).

Before you can test internal targets from the Polaris UI, you need to establish a secure tunnel between Polaris and your private network using the Secure Tunnel feature of the Bridge. For more information, see Test internal DAST projects with Polaris Secure Tunnel.
Note: When you test internal targets using the Bridge CLI, Bridge establishes a secure tunnel automatically. See DAST configuration requirements for more information.

Create a DAST project for an API target

To create a DAST project for an API target, follow these steps:
  1. Select Portfolio on the left sidebar.
  2. Select an application with a DAST subscription.
  3. On the Projects tab, select + Create > New Project(s).
  4. Under Project Type, select DAST.
  5. Enter a project name (maximum length: 255 characters).
    Each project name must be unique within the organization.
  6. In the Entry Point URL field, enter the address of the API you want to test dynamically (maximum length: 255 characters). This must be the base URL of a pre-production API that you have explicit permission to test; for example: https://api.altoroj.tinfoilsecurity.com/v2.
    Tip: The DAST scanner can only reach endpoints that are accessible from the Entry Point URL. If the API is versioned, remember to specify the version number in the URL.
  7. If the API is internal, select the Entry Point URL is in a private network checkbox.


    For more information, see Test internal DAST projects with Polaris Secure Tunnel.

  8. Under Target Type, select API.
  9. Enter a Profile Name for the DAST profile that will be created for this project. This must be unique within the organization.
  10. Unless you want to define advanced scan settings, leave Manually set up profile selected to use the default scan settings.
    Tip: The default DAST profile options are suitable for most use cases. If necessary, you can fine-tune your profile's settings later on. See Fine-tune a DAST profile for more information.
  11. (Optional) In the Allowed Hosts box, enter a comma-separated list of hosts—sub-domains of the Entry Point URL—to include in DAST scans. For example: 
    https://api.altoroj.tinfoilsecurity.com/v2/auth
  12. Select the format of your API specification file from the API Specification Type dropdown. The supported file formats are as follows:
    • OpenAPI / Swagger Specification (.yml, . yaml, .json) (default)
    • Postman Collection (.json)
    • HTTP Archive file (.har)
    • GraphQL SDL (.sdl)
  13. Provide a supported API specification file for the API you specified in step 6.
    Method Steps
    Upload an API specification file manually
    1. Select Upload API Specification File.
    2. Drag and drop a file of the chosen type to the Upload API Spec box. You can also upload a local file.
    Link to an API specification file hosted on the Internet
    Note: This option is supported for OpenAPI / Swagger Specification files only.
    1. Select API Specification File URL.
    2. Enter the URL where the API specification file is hosted, for example: https://api.altoroj.tinfoilsecurity.com/v2/swagger.json
  14. (Optional) Select Perform Active Attacks to enable more intrusive testing of the API.
    Warning: If Perform Active Attacks is selected, fAST Dynamic will simulate real-world attacks by sending various inputs and then observing the API's behavior. These attacks can degrade the application, and expose sensitive data. Remember that fAST Dynamic is not designed or intended for scanning public (production) APIs, applications, and websites.
  15. Select the Authentication method for the API. The following are the authentication methods Polaris supports:
    Authentication Description
    None (default) No authentication. Clients can query the API without providing credentials or an API key.
    Headers Authorization headers. To query the API, clients must provide credentials or an API key stored in one or more HTTP authorization headers.
  16. If you selected Headers, the Header Values table is displayed. Provide the required headers as key-value pairs in the Header Name and Value columns. You can provide any type of header, though these options are intended for authorization headers. For example:

    An example authorization header in the Header Values table.
  17. (Optional) For Internet-accessible APIs only, select Test Connection to run a pre-flight connection test. You can also do this from the Tests page after creating the project and profile. This test can take a few minutes to complete and ensures that:
    • The Entry Point URL is valid.
    • Polaris can connect to the API and authenticate, if applicable.
  18. Click Save.
Polaris creates a DAST profile to use with this project and API target. Now, you can run a DAST test against the project from the Polaris UI, or the Bridge CLI (available in Bridge CLI version 3.7.0 or later).

Before you can test internal targets from the Polaris UI, you need to establish a secure tunnel between Polaris and your private network using the Secure Tunnel feature of the Bridge. For more information, see Test internal DAST projects with Polaris Secure Tunnel.
Note: When you test internal targets using the Bridge CLI, Bridge establishes a secure tunnel automatically. See DAST configuration requirements for more information.

Test a DAST project

Follow these steps to run a DAST test from the Polaris user interface:

  1. There's more than one way to start this procedure:
    • Go to Portfolio, select an application, click the three-dot icon at the end of the project's row, and select New Test.
    • Go to Tests and select New Test.
  2. Select the DAST profile to scan with the Application and Project dropdown menus.


    Note: Depending on how you start a test, the Application, Project, and Profile values may already be filled in.
  3. (Optional) Select Test Connection.
    This test can take a few minutes to complete and ensures:
    • The Entry Point URL is valid.
    • Polaris can connect to the web application.
    • Polaris can authenticate with the web application.
  4. Select Begin Test.
Monitor test progress on the Tests page (accessible from the left-hand navbar). Newer tests appear near the top of the page. Filter tests by date, type, mode, status, and the application, project, or branch/profile tested.