Dastardly
https://portswigger.net/burp/documentation/dastardly
Dastardly is a free, lightweight web application security scanner that uses Docker to run in your CI/CD pipeline. It is designed specifically for web developers, and checks your application for seven security issues that are likely to interest you during software development. Dastardly is based on the same scanner as Burp Suite (Burp Scanner).
Dastardly uses a Dynamic Application Security Testing (DAST) methodology to scan your target web application. This means that it scans your target application in a deployed state. This is unlike Static Application Security Testing (SAST) scanning, which looks at application code before it is deployed.
When running a Dastardly scan, provide the seed URL you wish to scan. The seed URL is the point from which Dastardly scans your target web application. From here, Dastardly scans any URLs it finds below the seed URL in the hierarchy.
Dastardly scans are capped at a maximum run time of ten minutes. This may not be enough time to scan larger or more complex web applications.
If your application is too large or complex for Dastardly to scan, you might want to try scanning with Burp Suite Enterprise Edition instead.
When your scan has finished, Dastardly outputs a report of its findings in JUnit XML format. This lists all vulnerabilities found during the scan. To help you pinpoint these issues, it also lists the requests Dastardly sent with the corresponding responses from your application.
Once you have identified and resolved any vulnerabilities, you can redeploy your build to perform another scan.
To help keep your application secure, Dastardly fails your build if it detects any vulnerabilities with a severity level of LOW, MEDIUM, or HIGH.
Vulnerabilities with a severity level of INFO don't trigger a build failure.
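The following script is an added example, not part of the Dastardly documentation or tooling. It reads a JUnit XML report of the kind described above, lists each finding with its severity, and applies the same build gate the documentation states (LOW, MEDIUM and HIGH fail the build; INFO does not). It assumes that each finding is a <testcase> with a <failure> child whose `type` attribute carries the severity; the sample report is constructed, and the attribute layout should be checked against a real report.

```python
"""Summarise a Dastardly JUnit XML report by severity and apply the build-gate
rule the documentation states: LOW/MEDIUM/HIGH findings fail the build, INFO does not.

Assumption (not from the documentation): each finding is a <testcase> with a
<failure> child whose `type` attribute carries the severity. Verify this
against a real report before relying on it."""
import xml.etree.ElementTree as ET
from collections import Counter

FAILING_SEVERITIES = {"LOW", "MEDIUM", "HIGH"}

# Constructed sample report, not the output of a real Dastardly run.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="https://example.test/" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected)" classname="https://example.test/search">
      <failure type="HIGH" message="Reflected XSS in the q parameter">request/response detail</failure>
    </testcase>
    <testcase name="Strict transport security not enforced" classname="https://example.test/">
      <failure type="INFO" message="HSTS header missing">request/response detail</failure>
    </testcase>
    <testcase name="Cross-site request forgery" classname="https://example.test/account"/>
  </testsuite>
</testsuites>
"""

def parse_findings(xml_text):
    """Return a list of (issue, location, severity) for every <failure> in the report."""
    root = ET.fromstring(xml_text)
    findings = []
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is None:
            continue  # the check passed; nothing to report
        severity = (failure.get("type") or "INFO").upper()
        findings.append((case.get("name"), case.get("classname"), severity))
    return findings

def severity_counts(findings):
    """Count findings per severity level."""
    return Counter(sev for _, _, sev in findings)

def build_should_fail(findings):
    """Mirror the documented gate: any LOW/MEDIUM/HIGH finding fails the build."""
    return any(sev in FAILING_SEVERITIES for _, _, sev in findings)

if __name__ == "__main__":
    found = parse_findings(SAMPLE_REPORT)
    for issue, location, sev in found:
        print(f"[{sev}] {issue} at {location}")
    print("counts:", dict(severity_counts(found)))
    print("build fails:", build_should_fail(found))
```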
We've provided instructions for integrating Dastardly with key CI/CD platforms, as well as a generic docker run command that enables you to integrate Dastardly with any other CI/CD platform:
To run Dastardly, you need:
A machine with a minimum of 4 CPU cores and 4 GB of RAM. (Larger or more complex target applications may require more resources.)
A CI/CD build agent or node configured to:
Run Docker containers.
Access your target application.
Access your target URL.
Access PortSwigger's public image repository (public.ecr.aws/portswigger/).
If you're running Dastardly locally, or within a container, please make sure your network settings are configured correctly. Dastardly does not support any additional environment variables, such as proxies.
PortSwigger provides support for any problems you may encounter when scanning applications using Dastardly. We do not provide support for problems involving your CI/CD platform, or integrating Dastardly with that platform.
If you have a problem with a Dastardly scan, please check our user forum, or the Dastardly FAQs.