Dynamic Reviewer
With the Dynamic Reviewer Safe-PenTest module, you can inspect your Web Applications, REST APIs, SOAP Services, App Engines and Micro-Services while they are running, directly from your browser, in a non-invasive way.
DAST is not dead, legacy DASTs are. Modern DASTs are changing the industry
Swan Beaujard - AppSec Conference
Until a couple of years ago, the open-source PenTest tools we saw could not genuinely mimic how a human tester works; they just fired off scans.
Nowadays, pentesting is something different, because of intensive AI usage.
Capabilities such as automation, predictive analysis, and the development of sophisticated attack methods are significantly reshaping the cybersecurity landscape.
Dynamic Reviewer can run in different modes, with or without AI usage.
Discovery/AI reconnaissance without firing exploits (Light mode). It is built to analyze URLs, JS files and headers for patterns that look like trouble, explaining why a specific endpoint looks vulnerable and usually giving you a sample payload to try yourself. Examples are JWT, React, Angular, Injection, XSS, CSRF, SSRF and Auth bypass weaknesses. This makes it a good choice if you need to scan something close to production without worrying about crashing services or the DB. It ignores things like business logic flaws or unusual configuration issues: if the bug is not on its specific "hit list", it will not be reported, because this mode is optimized for speed.
Exploit/AI autonomous exploitation (Standard mode). Testing "vulnerable by design" apps with it is eye-opening: instead of saying "this login looks weak", it bypasses the login, dumps data and hands you the screenshots and logs to prove it. It covers: Access Control (IDOR, privilege escalation, auth bypass); Injection (SQL, NoSQL, LDAP, XPath and command injection); Server-Side (SSRF, XXE, deserialization flaws); Client-Side (XSS, prototype pollution, DOM vulnerabilities); Business Logic (race conditions, workflow manipulation); Authentication (JWT vulnerabilities, session management); Infrastructure (misconfigurations, exposed services). The key difference here is evidence: if it says there is a bug, you can be reasonably certain it is there.
AI agent testing (Deep mode). It lets you stitch together LLMs and the Dynamic Reviewer native engine with the tools you already use (Nmap, Burp, etc.) to build automated PenTest agents on the fly. It comes with built-in tools for deep reconnaissance (automated OSINT and attack surface mapping), exploitation, WAF/WAAS/Gateway-proof API attacks and privilege escalation, and sticks mostly to the Red Team side of things for those tasks. Agents are built so that a single prompt can scan an app, analyze the results, and then pivot into exploitation and reporting. It even handles some internal network work such as "Pass the Hash" attacks.
- 1 DAST-Penetration Testing made easy
- 1.1 Usage Modes
- 1.2 Scan Types
- 1.3 Connection Modes
- 1.4 AI-Based
- 1.5 Web Site or API
- 1.6 Exclusions
- 1.7 Summary
- 1.8 Findings Details
- 2 SCHEDULING
- 2.1 Regulatory and Compliance
- 2.2 GDPR
- 2.3 Continuous pentests
- 3 ENTERPRISE REPORTING
- 4 Security Scanners
- 5 Our Own Security Scan Engine
- 5.1 Discovery Mode
- 5.2 Audit mode
- 5.3 Bruteforce Mode
- 5.4 Evasion Mode
- 5.5 Grep Mode
- 5.6 Mangle Mode
- 6 Client-Side scanning
- 6.1 DOM Security Issues
- 6.2 Coverage
- 7 Web Security Issues
- 7.1 Passive scans
- 7.2 Passive Fingerprinting
- 7.3 Active scans
- 7.4 Fuzzing
- 8 HOST SCANNING
- 9 PROOF-OF-EXPLOITS
- 10 REST API
- 11 Best Performances
- 12 Machine Learning
DAST-Penetration Testing made easy
The following installation options are available:
Web App. You can install it on your premises, on any host OS supporting Docker.
Team Reviewer Plugin. BlackBox-WhiteBox DAST plugin. Team Reviewer pre-installed on premises is required.
Cloud App. Similar to a local installed app, it provides various Usage Modes and Connection Modes.
Its Safe-PenTest feature (AI reconnaissance, Light mode) lets you explore vulnerabilities in your Web Applications while keeping them safe. No backup is needed before the PenTest: we guarantee the tool will preserve your system and database integrity.
You can import third-party results from Security Scanners, Host Scanners and Proof-of-Exploits tools. Their results will be correlated automatically and a unified Enterprise Report is generated.
Dynamic Reviewer DAST provides a robust and stable framework for Web Application Security Testing, suitable for Security Analysts, QA and Developers, with support for managing False Positives and False Negatives, an easy-to-use Web GUI, Advanced Scan and Enterprise Reporting capabilities.
Usage Modes
Dynamic Reviewer provides two usage modes:
BlackBox mode. It is placed in the role of the average hacker, with no internal knowledge of the target system. Testers using Dynamic Reviewer are not provided with any architecture diagrams or source code that is not publicly available. Dynamic Reviewer determines the vulnerabilities in a system that are exploitable from outside the network.
This means that BlackBox penetration testing relies on dynamic analysis of currently running programs and systems within the target network.
Dynamic Reviewer follows the OWASP Web Security Testing Guide, chapter 4. Web Application Security Testing.
Technology discovery detects which CMS is used (if any) and switches vulnerability detection to Exploit-simulation mode accordingly.
Further, Dynamic Reviewer analyzes the client-side code in depth (Ajax, DOM, JavaScript, TypeScript, etc.), discovering the largest number of client-side vulnerabilities on the market.
WhiteBox mode. It authenticates before starting the scan. The following login modes are provided:
Form-Based Authentication: traditional login with user and password in a Web form. You can configure more than one user; all of them will be tested.
Token-Based Authentication: you can modify the request headers to insert a token. Suitable for authenticated WebSockets, JWT and gRPC too.
Scan Types
The Safe-PenTest scan type is named Light. It applies the following default settings:
Passive scans enabled
Only non-intrusive Active scans enabled
Only non-intrusive DOM scans enabled
Vulnerable JavaScript scan enabled
Only non-intrusive exploits, verified but not applied
Target Web site, DB and config are left untouched
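The passive side of the Light scan type (the header and JWT review described under the Discovery mode above) can be illustrated with a small stand-alone checker. The following is an added example written for this page, not Dynamic Reviewer's own code: it works on a captured HTTP response that is constructed inline, sends nothing to any target, and only decodes the token it finds rather than forging one. The header set it requires and the wording of the findings are this example's own choices.

```python
"""Passive header and token review of the kind the Light scan type performs.
Added example, not Dynamic Reviewer's own code. Operates on a captured response
(constructed below), sends nothing to the target, decodes but never forges JWTs.
"""
import base64
import json
import re

# Headers whose absence is reported; X-Frame-Options is waived when CSP
# already carries frame-ancestors, its modern replacement.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: protocol downgrade possible",
    "content-security-policy": "CSP missing: XSS impact not contained",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing",
    "x-frame-options": "X-Frame-Options missing: clickjacking",
}

# Loose JWT shape: base64url header starting with 'eyJ' ('{"'), payload,
# optional signature; an empty signature is exactly the alg=none case.
JWT_RE = re.compile(r"(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)")


def parse_response(raw):
    """Return (status_line, [(lowercase_name, value), ...]); repeated headers
    such as Set-Cookie are kept as separate entries."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token):
    """Decode (do NOT verify) a JWT and flag header/claim patterns worth checking."""
    findings = []
    parts = token.split(".")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # not base64url/JSON after all
        return findings
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return findings
    alg = str(header.get("alg", "")).lower()
    if alg == "none" or parts[2] == "":
        findings.append("JWT alg=none / empty signature: verify the server rejects unsigned tokens")
    elif alg.startswith("hs"):
        findings.append("JWT uses symmetric %s: a weak secret is brute-forceable offline" % header["alg"])
    if "exp" not in claims:
        findings.append("JWT has no exp claim: token never expires")
    if "jku" in header or "jwk" in header:
        findings.append("JWT header carries jku/jwk: key-injection checks apply")
    return findings


def review_headers(raw):
    """Run every passive check over one response and return the findings."""
    _status, headers = parse_response(raw)
    present = {name for name, _ in headers}
    csp = next((v for n, v in headers if n == "content-security-policy"), "")
    findings = [msg for name, msg in REQUIRED_HEADERS.items()
                if name not in present
                and not (name == "x-frame-options" and "frame-ancestors" in csp)]
    for name, value in headers:
        if name == "server" and re.search(r"\d", value):
            findings.append("Server header discloses a version: " + value)
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            findings += ["Cookie %s lacks %s" % (cookie, flag)
                         for flag in ("secure", "httponly", "samesite") if flag not in attrs]
        for match in JWT_RE.finditer(value):
            findings.extend(inspect_jwt(match.group(1)))
    return findings


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample responses, not captured from any real system.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=%s.%s.; Path=/\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n<html></html>"
) % (_b64url({"alg": "none", "typ": "JWT"}), _b64url({"sub": "1234", "role": "user"}))

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=opaque-id-123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for finding in review_headers(WEAK_RESPONSE):
        print("-", finding)
```

Against the constructed weak response the checker reports nine findings (three missing headers, a version-disclosing Server header, three missing cookie flags, and an unsigned, never-expiring JWT); against the hardened one it reports none, and it does not flag the missing X-Frame-Options there because the CSP already restricts framing. Everything it concludes comes from reading one response, which is what makes the check safe to run against something close to production.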
Standard scan applies the following default settings:
Both Active and Passive scans enabled
Technology discovery will drive the scan
Scanning depth: up to 3 nested pages. External links are not followed
Timeout per page: 10 minutes
Total Passive Scan Timeout: 30 minutes
DOM scan enabled
Vulnerable Javascript scan
Exploits tested (some page browsing can generate new/updated records in your DB/config)
Deep scan applies the following default settings:
Both Active and Passive scans enabled
Technology discovery will drive the scan
Early warning detection scanners enabled (detection of the newest vulnerabilities)
Scanning depth: up to 10 nested pages. External links are not followed
Timeout per page: 20 minutes
Total Passive Scan Timeout: 60 minutes
DOM + AJAX scan enabled
Web page crawling enabled (may generate new/updated records in your DB/config)
Exploits actually applied (expect the target Web site to be broken; run Deep scans only against a non-production copy)
Connection Modes
Both on premises and Cloud installations can connect to the target Web Application in different modes:
Direct. Dynamic Reviewer reaches the target Web Application using a direct connection to the Internet.
Through Proxy. A proxy is needed to reach the target Web Application. You can configure the Proxy URI, Proxy TCP Port, Proxy User and Proxy Password.
SSH Tunnelling. Used for a target Website/API available in the internal network only. A temporary SSH key is generated automatically for the current scan; the user can download it and execute the commands shown on the screen, which create an SSH tunnel to reach the target Website/API.
AI-Based
You can enable or disable the AI features, which are significantly faster than a traditional scan. They work differently depending on the scan mode (Light, Standard or Deep), as described above.
Web Site or API
You can scan a web site (HTTP, HTTPS, WSS, FTP, etc.) or different kinds of API.
Exclusions
You can import an Exclusion List in plaintext format, containing the web pages, microservices or REST APIs you want to exclude from the scan.
This shortens the scan time and focuses the analysis on specific sections of the Web site.
Summary
Once the scan has terminated, you get a list of Findings classified according to OWASP.
Findings Details
You can:
Suppress a Finding Category (example: all Blind SQL Injection issues)
Suppress one or more Findings inside a Category
Mark a single Finding or a Findings' group as False Positive or Accepted Risk
Add Comments to the entire scan, to a Finding Category, to a single Finding, to a False Positive or Accepted Risk
Modify or delete Findings, change their Severity tag, merge Findings
Import Results from third-party tools
Export Combined Results in PDF, HTML, JSON, CSV, Excel and Word format
Add Evidence to the Findings
You can drill down into each Finding Category for more details, the CVSS score and Remediation Hints.
Each Category groups the vulnerabilities found by the virtual Attacks.
We call such Attacks "virtual" because, in the Safe-PenTest (Light) scan type, Dynamic Reviewer does not really execute the Attack/Exploit but only simulates it.
Further, instead of dealing with hundreds or even thousands of individual vulnerabilities, you can focus on their categories, for smarter Vulnerability Management.
SCHEDULING
With new security threats emerging daily, conducting a one-time pentest isn’t sufficient to maintain an effective security posture. Even the common practice of running annual pentests often isn’t adequate for highly regulated industries, high-risk organizations, or rapidly changing infrastructures. A common use case is running scans automatically on a recurring basis, for example once a week or once a month or other recurring frequencies. This enables continuous autonomous pentesting without any user intervention - no need to sign-in to the dashboard to create or launch the scan.
Scans can be scheduled using Schedule Profiles, stored by name. In a profile you can:
Schedule scans from a start to an end date/time.
Define the frequency: Daily, Weekly, Twice a month, Monthly, Bimonthly (every two months), Quarterly, Twice a year, Yearly.
Repeat the scan: Never, Forever or for a given number of times.
If you wish to be notified once a scan completes, enable Notifications to Product Type Members or Product Members.
The notification can include: notification only, reports only, or notification and reports.
The notification follows our standard Notification channels, e-mail and Webhook included.
Once you have created a Schedule Profile, you can load and use it at any time by referencing its name.
Only authorized users can create and remove a Schedule Profile.
Regulatory and Compliance
Applicable regulatory frameworks may dictate specific requirements for pentesting cadence. For example, some of the most important pentesting standards for compliance include:
PCI DSS: Pentesting required at least annually and after any major infrastructure updates.
NIS2: although the directive does not explicitly use the word "pentest", it mandates regular, risk-based testing of security measures (Article 21).
Service Organization Control 2 (SOC 2): Requires general policies for securing systems and data without specifically mandating pentesting, but it is considered a requirement in practice for most organizations. It acts as essential evidence to satisfy Trust Services Criteria (TSC) (specifically Security/CC7.1) for monitoring, risk assessment, and vulnerability management.
HIPAA: currently requires protecting data integrity and security and recommends, without requiring, pentesting; proposed HIPAA Security Rule changes may soon mandate vulnerability scanning every six months and annual pentesting.
National Institute of Standards and Technology (NIST): Requires pentesting for certain systems and recommends structured phases for planning, reconnoitering, conducting, and reporting pentests.
International Organization for Standardization (ISO) 27001: Requires thorough risk assessments without specifically mandating pentesting for certification, but it is strongly recommended as a best practice to meet requirements for risk management and technical vulnerability assessment. The standard, specifically under Annex A controls like A.8.8 (Management of Technical Vulnerabilities) in the 2022 version, requires organizations to regularly identify, evaluate, and mitigate security weaknesses.
GDPR
In addition to the above standards, Dynamic Reviewer provides a GDPR feature that scans your pages for common issues.
The GDPR feature is applied automatically when the target Web site is located in Europe.
Here is what the tool checks:
Whether personal data collection forms are safe
Whether prior consent is requested for all non-essential cookie types
Whether consent is required for personal data
Whether personal data is not transferred to forbidden countries
Whether there are any risks of personal data breaches
These checks follow the official EU GDPR checklist.
Continuous pentests
For organizations facing high risk or seeking to optimize their security posture, continuous pentests using PenTesting as a Service (PTaaS) are emerging as the gold standard. Conventional annual pentests are comprehensive in scope and may take months to schedule. In contrast, continuous pentests focus on specific infrastructure or app targets or specific vulnerabilities, so they can be scheduled much more rapidly, even within a few hours.
Dynamic Reviewer is a fully automated example of PTaaS.
ENTERPRISE REPORTING
Dynamic Reviewer provides:
Detailed Report. A standard DAST technical report, automatically generated in PDF, Word, Excel and HTML formats, listing all the detailed information needed to identify and remediate the vulnerabilities.
Cover page. Fully customizable ISO 9001-compliant cover pages, which can be saved as different Profiles.
You can upload two logos and define the ISO 9001 responsibility chain (Created By, Verified By, Approved By). You can add a Disclaimer Note, an ISO template code, the Confidentiality Level and a Document version.
Enterprise Report. Fully customized, automatically generated Executive Summary and Technical reports, built from a customer-driven Form Template (whose custom tags are filled in), CWE Requirements and a Report template written in the preferred language (a Word document containing the custom tags). You can also import a plaintext list of the MicroServices/Pages to be included in the custom report.
Security Scanners
In addition to its own native engine, Dynamic Reviewer is powered by the following open source tools:
OWASP ZAP (Proxy)
CycloneDX (SBOM)
p0f, DataSploit (Fingerprinting)
pWeb, Enlightn, Magescan, Droopescan, Joomscan, Typo3scan (Wordpress, Laravel, Magento, Drupal, Joomla, TYPO3, and other PHP CMS Discovery)
wXf, SearchSploit (Ready-to-use Web Exploits)
DirBuster (SiteMap)
OSVDB, NVD, GHSA, RUSTSEC, PYUP, ALPINE, Exploit-DB (Vulnerability Databases)
retireJS (Outdated and vulnerable JavaScript and TypeScript 3rd-party libraries detection)
0d1n (Login brute-force)
John The Ripper (Password recovery and cracking)
Wfuzz, WebFormFuzzer, SQLInjectionFuzzer, FuzzAPI (Web Application and REST API Fuzzers)
SQLMap (SQL Injection and DB takeover)
Selenium (WebDrivers for Crawling)
Postman (API support)
All vulnerabilities reported by the above OSS tools are collected, correlated and included in the Dynamic Reviewer results.
In addition to the tools listed above, Dynamic Reviewer provides its own Security Scan Engine.
Each Security Scanner makes different fields available.
If you use a commercial Security Scanner, it is up to you to purchase and manage its license.
Our tool imports the results only; it does not run your Security Scanner.
Our Own Security Scan Engine
Main features:
Technology Discovery
Port scanning, Services Discovery (no need of nmap or nessus)
Audit, Bruteforce, Evasion, Grep and Mangle modes
Cookie-jar/cookie-string support.
Custom header support.
SSL support with fine-grained options.
User Agent spoofing.
HTTP/2 support.
Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
Proxy authentication.
Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
Automatic log-out detection and re-login during the scan (when the initial login was performed via the autologin, login_script or proxy plugins).
Custom 404 page detection.
UI abstraction:
Command-line Interface.
Web User Interface.
Pause/resume functionality.
Hibernation support -- Suspend to and restore from disk.
High performance asynchronous HTTP requests.
With adjustable concurrency.
With the ability to auto-detect server health and adjust its concurrency automatically.
Support for custom default input values, using pairs of patterns (to be matched against input names) and values to be used to fill in matching inputs.
Discovery Mode
Through Passive Fingerprinting it provides discovery of: Host OS, Web Application Firewall (WAF), Web Server, Application Server, DB type, CMS, Directory bruteforce, DNS WildCard, domain_dot, .NET Errors, Favicon identification, Backdoors, Captchas, DVCS, Git/Svn files, Fingerprint BING, Fingerprint Google, Fingerprint PKS, Fingerprint WAF, GHDB, Google Spider, Halberd, HMAP, HTTPS over HTTP, Import Results, Oracle discovery, Phish Tank, phpeggs, phpinfo, pykto, RIA Enumerator, robots.txt reader, Server Header, Server Status, Shared Hosting, SiteMap Reader, Splash, spiderMan, URL Fuzzer, urllist.txt Reader, userDir, webDiff, webSpider, wordNet, Wordpress Fingerprint, Laravel Vulnerabilities, WSDL Finder, XSSedDotCom, Yahoo Site Explorer, zone_h.
Audit mode
Audit of LDAP Injection, Blind SQL Injection, Buffer Overflow, WebDAV, eval, File Upload, Format String vulnerability, legacy FrontPage web apps, Global Redirect, HTA Access Methods, Local File Include, MX Injection, OS Command Injection, Phishing attack vector, preg_replace, ReDoS, Remote File Include, Response Splitting, SQL Injection, Server-Side Injection, Weak SSL Certificate, Insecure Connection, XPath Injection, XSRF, Cross-Site Scripting (XSS), XST.
Bruteforce Mode
Usage of Bruteforce for: Basic Authentication and Web Form Authentication.
Evasion Mode
Evasion techniques applied: backSpaceBetweenDots, fullWidthEncode, modsecurity, reversedSlashes, rndCase, rndHexEncode, rndParam, rndPath, selfReference, shiftOutShiftInBetweenDots.
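What these evasion transformations have in common is that they change the bytes a WAF or filter inspects while leaving the resource the origin server resolves unchanged. The following added example (written for this page, not the product's engine) implements simplified versions of five of the techniques named above, plus a lenient canonicaliser that stands in for what a permissive origin server does, so the invariant can be checked: every variant normalises back to the original path. The transformation details are this example's own reading of the technique names; the page does not document the product's exact behaviour, and the target path is constructed.

```python
"""Evasion-style path variants and a lenient canonicaliser.
Added example, not Dynamic Reviewer's engine. Function names mirror the
technique names on the page; the implementations are this example's own."""
import random
import urllib.parse

TARGET = "/admin/login"  # constructed example path (lowercase on purpose)


def rnd_case(path, rng):
    """Randomise letter case: case-insensitive hosts (IIS/Windows) still match."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in path)


def rnd_hex_encode(path, rng):
    """Percent-encode a random subset of unreserved chars, e.g. 'a' -> '%61'."""
    return "".join("%%%02X" % ord(c) if c.isalnum() and rng.random() < 0.5 else c
                   for c in path)


def full_width_encode(path):
    """Map printable ASCII (except '/') to its full-width form U+FF01..U+FF5E and
    UTF-8 percent-encode it; some servers best-fit-map it back to ASCII."""
    widened = "".join(chr(ord(c) + 0xFEE0) if "!" <= c <= "~" and c != "/" else c
                      for c in path)
    return urllib.parse.quote(widened, safe="/")


def reversed_slashes(path):
    """Backslashes instead of slashes; Windows-hosted apps accept both."""
    return path.replace("/", "\\")


def self_reference(path):
    """Insert '/./' self-references between segments."""
    return "/./".join(path.split("/"))


def rnd_path(path, rng):
    """Prefix a random directory that is immediately cancelled by '/..'."""
    junk = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(6))
    return "/" + junk + "/.." + path


def variants(path, seed=1):
    """All variants for one path; the seed makes the random ones reproducible."""
    rng = random.Random(seed)
    return {
        "rndCase": rnd_case(path, rng),
        "rndHexEncode": rnd_hex_encode(path, rng),
        "fullWidthEncode": full_width_encode(path),
        "reversedSlashes": reversed_slashes(path),
        "selfReference": self_reference(path),
        "rndPath": rnd_path(path, rng),
    }


def canonical(path):
    """Approximate a lenient origin: percent-decode, fold full-width to ASCII,
    treat '\\' as '/', lowercase, collapse '.' and '..' segments."""
    p = urllib.parse.unquote(path)
    p = "".join(chr(ord(c) - 0xFEE0) if 0xFF01 <= ord(c) <= 0xFF5E else c for c in p)
    p = p.replace("\\", "/").lower()
    out = []
    for seg in p.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


if __name__ == "__main__":
    for name, variant in variants(TARGET, seed=7).items():
        print("%-16s %-60s -> %s" % (name, variant, canonical(variant)))
```

Sending each variant and comparing the responses with the plain request tells you whether a filter in front of the application decodes the same way the application does; a variant that is blocked while the plain request is not, or vice versa, is the interesting case. The canonicaliser here is deliberately permissive to model the weakest origin; a real server may reject some of these forms outright.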
Grep Mode
Find: Ajax, blank Body, Code Disclosure, Collect Cookies, Credit Cards, Directory Indexing, DOM XSS, .NET Event Validation, Error 500, Error Pages, Feeds, File Upload, Comments, Form Autocomplete, e-mails, Hashes, HTTP Auth detect, HTTP in Body, language, Meta Tags, motw, Objects, Oracle, Password Profiling, Path Disclosure, Private IPs, SSN, Strange HTTP Code, Strange Headers, Strange Reason, SVN Users, User-defined Regex, WSDL Grepper.
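Grep checks are passive: they look for sensitive patterns in responses the scanner already has. The following added example (written for this page, not the product's Grep mode) runs a handful of such patterns over a constructed response body and shows the one refinement that keeps this class of check useful, a Luhn check on candidate card numbers so that order IDs and other 16-digit strings are not reported as credit cards. The regexes and category names are this example's own.

```python
"""Grep-style passive checks over a response body, with Luhn filtering.
Added example, not Dynamic Reviewer's Grep mode; patterns are this example's own."""
import re

PATTERNS = {
    "e-mail": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "private IP": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    # US SSN shape with the impossible area/group/serial values excluded.
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # MD5 / SHA-1 / SHA-256 sized hex blobs.
    "hash": re.compile(r"\b(?:[a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64})\b"),
    # 14-19 digits with optional space/dash separators; Luhn-checked below.
    "credit card": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
    "path disclosure": re.compile(
        r"(?:[A-Za-z]:\\(?:[\w.-]+\\)+[\w.-]+"
        r"|/(?:var|home|etc|usr|opt)/(?:[\w.-]+/)*[\w.-]+)"),
    "HTML comment": re.compile(r"<!--.*?-->", re.S),
}


def luhn_ok(digits):
    """Luhn checksum: True for every real card number, False for most random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def grep_body(body):
    """Return [(category, matched_text), ...] for every pattern hit in the body."""
    hits = []
    for label, rx in PATTERNS.items():
        for m in rx.finditer(body):
            value = m.group(0)
            if label == "credit card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # looks like a card number but fails Luhn: an ID, not a PAN
            hits.append((label, value))
    return hits


# Constructed sample body (no real data); 4111 1111 1111 1111 is a standard test PAN.
SAMPLE_BODY = """<html><!-- TODO: remove debug output before release -->
<p>Contact: ops@example.com</p>
<p>Order 1234 5678 9012 3456 shipped; card 4111 1111 1111 1111 on file</p>
<p>Employee SSN 123-45-6789</p>
<pre>Warning: include(/var/www/app/config.php) failed
upstream 10.0.0.5 token 5d41402abc4b2a76b9719d911017c592</pre>
</html>"""

if __name__ == "__main__":
    for label, value in grep_body(SAMPLE_BODY):
        print("%-16s %s" % (label, value))
```

On the sample body the order number is matched by the card regex but dropped by the Luhn check, while the test PAN, the private upstream IP, the SSN, the MD5-sized token, the absolute include path, the e-mail address and the developer comment are all reported. In practice these hits are triage input, not findings in themselves: a hash in a page may be a harmless cache key, and an internal IP in an error message is the real disclosure.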
Mangle Mode
Usage of Stream Editor (sed) for pattern matching: Privilege Escalation, Exploiting sudo/administrator rights, DirtyPipe (CVE-2022-0847), Windows Privilege Escalation: PrintNightmare.
Client-Side scanning
Dynamic Reviewer includes an integrated, real browser environment in order to provide sufficient coverage to modern web applications which make use of technologies such as HTML5, JavaScript, DOM manipulation, AJAX, etc.
In essence, this turns Dynamic Reviewer into a DOM and JavaScript debugger, allowing it to monitor DOM events and JavaScript data and execution flows. As a result, not only can the system trigger and identify DOM-based issues, but it will accompany them with a great deal of information regarding the state of the page at the time.
Relevant information includes:
Page DOM, as HTML code.
With a list of DOM transitions required to restore the state of the page to the one at the time it was logged.
Original DOM (i.e. prior to the action that caused the page to be logged), as HTML code.
With a list of DOM transitions.
Data-flow sinks -- Each sink is a JS method which received a tainted argument.
Parent object of the method (e.g. DOMWindow).
Method signature (e.g. decodeURIComponent()).
Arguments list.
With the identified taint located recursively in the included objects.
Method source code.
JS stacktrace.
Execution flow sinks -- Each sink is a successfully executed JS payload, as injected by the security checks.
Includes a JS stacktrace.
JavaScript stack-traces include:
Method names.
Method locations.
Method source codes.
Argument lists.
Compatible with ES5 and ES6
Integrated with Wappalyzer
Several frameworks are supported, such as React, Angular, Ionic, Vue, Cordova/PhoneGap and Node.js
In essence, you have access to roughly the same information that your favorite debugger (for example, FireBug) would provide, as if you had set a breakpoint to take place at the right time for identifying an issue.
DOM Security Issues
The DOM Security Issues found by Dynamic Reviewer are:
# | Issue | Type | Category |
1 | Code Injection - Client Side | Error | Code Execution |
2 | Code Injection - PHP input wrapper | Error | Code Execution |
3 | Code injection - Timing | Error | Code Execution |
4 | File Inclusion - Client Side | Error | Code Execution |
5 | OS Command Injection - Client Side | Error | Code Execution |
6 | OS Command Injection - Timing | Error | Code Execution |
7 | Remote File Inclusion Client Side | Error | Code Execution |
8 | Session Fixation | Error | Code Execution |
9 | XSS - DOM | Error | Code Execution |
10 | XSS - DOM - Script Context | Error | Code Execution |
11 | XSS - Event | Error | Code Execution |
12 | Data from attacker controllable navigation based DOM properties is executed as HTML | Error | Code Execution |
13 | Data from attacker controllable navigation based DOM properties is executed as JavaScript | Error | Code Execution |
14 | Data from attacker controllable URL based DOM properties is executed as HTML | Error |