Dastardly

https://portswigger.net/burp/documentation/dastardly

DASTARDLY

Dastardly is a free, lightweight web application security scanner that uses Docker to run in your CI/CD pipeline. It is designed specifically for web developers, and checks your application for seven security issues that are likely to interest you during software development. Dastardly is based on the same scanner as Burp Suite (Burp Scanner).

Read more

• Dastardly overview.

• The Burp Suite product family.

• Burp Scanner.

Scanning

Dastardly uses a Dynamic Application Security Testing (DAST) methodology to scan your target web application. This means that it scans your target application in a deployed state. This is unlike Static application security testing (SAST) scanning, which looks at application code before it is deployed.

When running a Dastardly scan, provide the seed URL you wish to scan. The seed URL is the point from which Dastardly scans your target web application. From here, Dastardly scans any URLs it finds below the seed URL in the hierarchy.

Read more

• Dynamic application security testing (DAST).

• Scan checks performed by Dastardly.

Scan length limit

Dastardly scans are capped at a maximum run time of ten minutes. This may not be enough time to scan larger or more complex web applications.

If your application is too large or complex for Dastardly to scan, you might want to try scanning with Burp Suite Enterprise Edition instead.

Results

When your scan has finished, Dastardly outputs a report of its findings in JUnit XML format. This lists all vulnerabilities found during the scan. To help you pinpoint these issues, it also lists the requests Dastardly sent with the corresponding responses from your application.

Once you have identified and resolved any vulnerabilities, you can redeploy your build to perform another scan.

Build failures

To help keep your application secure, Dastardly fails your build if it detects any vulnerabilities with a severity level of LOW, MEDIUM, or HIGH.

Vulnerabilities with a severity level of INFO don't trigger a build failure.

Integrating Dastardly with your existing CI/CD platform

We've provided instructions for integrating Dastardly with key CI/CD platforms, as well as a generic docker run command that enables you to integrate Dastardly with any other CI/CD platform:

• Integrating with Jenkins

• Integrating with GitHub Actions

• Integrating with TeamCity

• Integrating with other CI/CD platforms

Dastardly system and network requirements

To run Dastardly, you need:

• A machine with a minimum of 4 CPU cores and 4 GB of RAM. (Larger or more complex target applications may require more resources.)

• A CI/CD build agent or node configured to:

  • Run Docker containers.

  • Access your target application.

  • Access your target URL.

  • Access PortSwigger's public image repository (public.ecr.aws/portswigger/).

If you're running Dastardly locally, or within a container, please make sure your network settings are configured correctly. Dastardly does not support any additional environment variables, such as proxies.

Troubleshooting Dastardly

PortSwigger provides support for any problems you may encounter when scanning applications using Dastardly. We do not provide support for problems involving your CI/CD platform, or integrating Dastardly with that platform.

If you have a problem with a Dastardly scan, please check our user forum, or the Dastardly FAQs.