common-dast-tooling
$
npx mdskill add HoangNguyen0403/agent-skills-standard/common-dast-tooling- **No Scanning Production**: Never run DAST tools against live production environments. Use local or staging replicas only. - **No Uncapped Scans**: Always set `max-depth` or `max-duration` to avoid infinite loops on dynamic routes. - **No Anonymous Probing**: Use authenticated headers (`Authorization`) to test protected surfaces, not public ones. - **No Mobile on Real Devices in Prod**: Use emulators/simulators for mobile interception testing.
SKILL.md
.github/skills/common-dast-toolingView on GitHub ↗
---
name: common-dast-tooling
description: Standardize dynamic application security testing for backend APIs, frontend web apps, and mobile clients. Covers ZAP, Nuclei, Nikto, sqlmap, ffuf, browser automation, mobile proxy interception, and AI-driven curl probes. Use when advising on or running dynamic security scans on local/staging environments.
metadata:
triggers:
keywords:
- DAST
- dynamic scan
- zap
- nuclei
- nikto
- curl probe
- pentest
- dynamic analysis
- sqlmap
- ffuf
- mobile proxy
---
# DAST Tooling Standard
## **Priority: P1 (OPERATIONAL)**
## Always-Apply Rules
- **No Scanning Production**: Never run DAST tools against live production environments. Use local or staging replicas only.
- **No Uncapped Scans**: Always set `max-depth` or `max-duration` to avoid infinite loops on dynamic routes.
- **No Anonymous Probing**: Use authenticated headers (`Authorization`) to test protected surfaces, not public ones.
- **No Mobile on Real Devices in Prod**: Use emulators/simulators for mobile interception testing.
## 1. Backend / API Tools
### Scanner Tools
See [implementation guide](references/implementation.md) for setup commands.
- **Nuclei**: Fast, template-based CVE/misconfiguration scanning.
- **ZAP-CLI**: Deep spidering for SQLi, XSS, CSRF, session issues.
- **Nikto**: Server configuration audit (version disclosure, headers).
- **sqlmap**: Automated SQL injection detection and exploitation (suggest only — human confirms).
- **ffuf / feroxbuster**: Content discovery and endpoint fuzzing.
### API-Specific Probing
- **GraphQL**: Introspection query, nested query depth attack, field suggestion enumeration.
- **gRPC**: `grpcurl` for service enumeration and method probing.
- **WebSocket**: Connection hijacking, message injection testing.
## 2. Frontend / Web Tools
- **Browser DevTools**: Network tab for auth token leakage, console for client-side errors.
- **Playwright/Puppeteer** (suggested): Automated DOM XSS detection, form submission, CSRF testing.
- **Lighthouse**: Security/performance audit (CSP, HTTPS, mixed content).
- **CSP Evaluator**: Validate Content-Security-Policy headers.
## 3. Mobile Interception Tools
- **mitmproxy / Burp Suite**: Proxy mobile traffic for API inspection.
- **Frida**: Runtime instrumentation for cert pin bypass, biometric bypass, jailbreak detection bypass.
- **adb / xcrun simctl**: Device-level inspection, deep link testing, storage extraction.
- **Objection**: Mobile runtime exploration (iOS/Android).
## 4. AI-Driven `curl` Probing (Manual Fallback)
When automated tools unavailable, generate targeted `curl` probes:
- **Bypassing Guards**: Probe with manipulated headers (`X-Forwarded-For`, `X-Custom-Auth`).
- **Data Leakage**: Request `/metrics`, `/health`, `.git`, `/.env`, `/api-docs`.
- **Parameter Tampering**: Modify payload types (String→Object), inject large payloads.
- **JWT Manipulation**: Test with expired token, no token, modified claims.
See [implementation guide](references/implementation.md) for all commands.
## Scoring Impact
| Finding | Severity | Deduction |
|---|---|---|
| Unauthenticated access to private data | P0 | -25 |
| Successful SQLi/RCE via probe | P0 | -20 |
| Mobile API interception (no cert pin) | P1 | -15 |
| DOM XSS confirmed via browser | P1 | -10 |
| Info Leakage (Server versions/Env vars) | P1 | -10 |
| Missing security headers (CSP/HSTS) | P2 | -5 |
## Anti-Patterns
- **No relying solely on static analysis**: Pentesting MUST include dynamic execution feedback.
- **No ignoring non-web protocols**: Check Docker ports, SSH banners, gRPC/RMQ listeners.
- **No skipping mobile**: If mobile app exists, proxy its traffic and inspect API calls.
## References
- [DAST Tooling Implementation](references/implementation.md)
- [OWASP Dynamic Scanning Guide](https://owasp.org/www-community/Vulnerability_Scanning)More from HoangNguyen0403/agent-skills-standard
- android-agp-upgradeUpgrade an Android project to Android Gradle Plugin (AGP) 9. Use when migrating to AGP 9, updating Gradle build files, migrating to built-in Kotlin, or adopting the new AGP DSL.
- android-architectureApply Clean Architecture layering, modularization, and Unidirectional Data Flow in Android projects. Use when setting up project structure, placing code in layers, configuring feature/core modules, or implementing UDF patterns.
- android-background-workImplement WorkManager and background processing correctly on Android. Use when creating Worker classes, scheduling tasks, choosing between WorkManager and Foreground Services, or setting up Hilt in workers.
- android-composeBuild high-performance declarative UI with Jetpack Compose. Use when writing Composable functions, optimizing recomposition, hoisting state, or working with LazyColumn and side effects.
- android-compose-migrationMigrate an Android XML View to Jetpack Compose following a structured 10-step workflow. Use when converting XML layouts to Compose, setting up Compose in an existing View-based project, or incrementally adopting Compose.
- android-concurrencyWrite correct coroutine scopes, Flow collection, and dispatcher injection in Android. Use when writing suspend functions, choosing between StateFlow and SharedFlow, or injecting Dispatchers for testability.
- android-deploymentConfigure release signing, R8 obfuscation, and App Bundle publishing for Android. Use when setting up signing configs, enabling minification, adding ProGuard keep rules, or preparing for Play Store submission.
- android-design-systemEnforce Material Design 3 theming and design token usage in Jetpack Compose. Use when implementing M3 components, color schemes, typography, or design tokens.
- android-diConfigure Hilt dependency injection with proper scoping, modules, and constructor injection in Android. Use when setting up Hilt DI, defining modules, or configuring component scoping.
- android-edge-to-edgeMigrate a Jetpack Compose app to edge-to-edge display and fix system bar inset issues. Use when UI components are obscured by navigation/status bars, fixing IME insets, or enabling edge-to-edge for SDK 35+.