dast-runtime

DAST Runtime

Purpose

Dynamic, runtime security testing — the axis SonarQube structurally cannot reach, because it never executes the application. This skill attacks a running app and confirms what is actually exploitable:

• OWASP ZAP — spiders and attacks the live app: injection (SQLi/XSS), broken auth/session, missing security headers (CSP/HSTS), CORS misconfig, SSRF reachable through the deployment.
• Nuclei — fast template-based detection of known CVEs and misconfigurations at the deployment (vulnerable framework/proxy versions, exposed admin panels, leaked .env, default credentials). New templates often land hours after a disclosure.

They are complementary on the same axis (ZAP = deep crawl/attack, Nuclei = broad known-issue templating), so both run.

Authorization

Only scan applications you own or are explicitly authorized to test. ZAP's full scan actively attacks the target.

Core Workflow (drive to zero)

1. Start the app locally (e.g. on http://localhost:3000).
2. Scan:

   ~/.claude/skills/dast-runtime/scripts/scan.sh http://localhost:3000
   

   • Passive + spider by default (safe, zap-baseline.py).
   • ZAP_FULL=1 scan.sh <url> runs the active attack (zap-full-scan.py).
   • For an API, pass the OpenAPI spec URL as the 2nd argument → scan.sh <base-url> http://localhost:3000/openapi.json (uses zap-api-scan.py).
3. Fix each alert at the source: add the missing header, parameterize the query, fix the auth check, upgrade the vulnerable component Nuclei flags.
4. Re-run until RESULT: PASS.

Notes

• localhost/127.0.0.1 in the URL are rewritten to host.docker.internal automatically so the scanner containers reach the host-published app.
• Nuclei templates are cached in the nuclei-templates Docker volume; they update on first use.
• ZAP exit codes: 0 = clean, 1 = fail, 2 = warnings — both non-zero outcomes drive the loop.

Resources

• scripts/scan.sh — runs ZAP (baseline/full/api) + Nuclei against a URL, host-network aware, exit 1 on findings. Env: ZAP_FULL.