With Dynamic Reviewer Safe-PenTest module, you can inspect your Web Application, REST API, SOAP Services, App Engines and Micro-Services during running, directly using your Browser, in non-invasive way.
...
You can import third-party results from Security Scanners, Host Scanners and Proof-of-Exploits tools. Their results will be correlated automatically and a unified Enterprise Report is generated.
Dynamic Reviewer DAST provides a robust and stable framework for Web Application Security Testing, suitable for all Security Analysts, QA and Developers with False Positives and False Negatives support, offering an easy-to-use Web GUI, Advanced Scan and Enterprise Reporting capabilities.
...
Black Box mode. It is placed in the role of the average hacker, with no internal knowledge of the target system. Testers using Dynamic Reviewer are not provided with any architecture diagrams or source code that is not publicly available. Dynamic Reviewer determines the vulnerabilities in a system that are exploitable from outside the network.
This means that Black-Box penetration testing relies on dynamic analysis of currently running programs and systems within the target network.
Dynamic Reviewer follows the OWASP Web Security Testing Guide, chapter 4. Web Application Security Testing.
Further, Dynamic Reviewer analyzes in deep the client-side code (Ajax, DOM, JavaScript, TypeScript, etc.) discovering the largest number of client-side vulnerabilities in the market.White Box mode. [Cloud only] It performs Authentication before starting the scan. It provides the following Login modes:
Form-Based Authentication: login with User and Password as Web form, You can configure more than one user, they will be tested all.
JSON-Based Authentication: submit a JSON object with credentials
Tokern-Based Authentication: You can modify the request headers for inserting tokens
Script-Based Authentication: upload and execute a custom script used to login. This method is useful for websites / webapps where the authentication is a more complex one and some custom scripts that handle the authentication process are beneficial.
...
Connection Modes
Both on premises and Cloud installations can connect to the target Web Application in different modes:
...
Suppress a Finding Category (example: all Blind SQL Injection issues)
Suppress one or more Findings inside a Category
Add Comments to the entire scan, to a Finding Category, to a single Finding
Modify, Delete, change Severity tag, Merge Findings
Import Results from third-party tools
Export Combined Results in PDF, HTML, JSON, CSV, Excel and Word format
Add Evidences to the Findings
...
You can drill-down to every Threats' each Finding category:
...
Each Category groups more a bunch of vulnerablities found in the virtual Attacks:
...
We call such Attack Attacks ‘virtual’ because Dynamic Reviewer does not really execute the attackAttack/exploitExploit, but simulate it only.
Further, instead of declaring hundreds or even thousands of vulnerabilities you can focus of their categories, for a smarter Vulnerability Management.
Powered By
Dynamic Reviewer is Powered By the following open source tools:
OWASP ZAP (Proxy)
CycloneDX (SBOM)
p0f, DataSploit (Fingerprinting)
pWeb, Enlightn, Magescan, Droopescan, Joomscan, Typo3scan(Wordpress, Laravel, Magento, Drupal, Joomla, TYPO3, and other PHP CMS Discovery)
wXf, SearchSploit (Ready-to-use Web Exploits)
OSVDB, NVD, GHSA, RUSTSEC, PYUP, ALPINE, Exploit-DB (Vulnerability Databases)
retireJS (Outdated and vulnerable JavaScript and TypeScript 3rd-party libraries detection)
0d1n (Login brute-force)
John The Ripper (Password recovery and cracking)
Wfuzz, WebFormFuzzer, SQLInjectionFuzzer, FuzzAPI (Web Application and REST API Fuzzers)
SQLMap (SQL Injection and DB takeover)
Selenium (WebDrivers for Crawling)
Postman (API support)
All vulnerabilities resulting from the above OSS tools, will be collected and correlated and included in the Dynamic Reviewer results.
...