Dynamic Application Security Testing
Scan your running application, not just your code. Enhanced with continuously updated CVE intelligence covering 12,000+ checks, VEXLIT's DAST engine detects runtime vulnerabilities that static analysis cannot find.
- 12,000+ CVE & vulnerability checks
- 11+ intelligent active checks
- Real-time scan diff tracking
How It Works
DAST works by scanning your live website from the outside, just like an attacker would.
1. Verify Domain Ownership
Register your root domain and verify ownership via DNS TXT record, HTML file, or meta tag. This ensures you can only scan domains you own.
2. Choose Scan Type
Passive scan checks security headers, cookies, SSL, and exposed files. Active scan additionally crawls your site, discovers forms and parameters, and tests for XSS, SQL Injection, SSRF, and more.
3. Review Results
Each finding includes severity, confidence score, detailed evidence, and remediation guidance. Scan Diff shows what's new, fixed, or unchanged since the previous scan.
Where to Find DAST
DAST scanning is available in the Team dashboard under the Domains tab.
1. Dashboard → Teams → Select your team → Domains tab
2. Add a domain → Verify ownership → Run passive or active scan
3. Configure authentication and scheduled scans in the domain settings
Domain Verification
Before scanning, you must verify ownership of your domain. This is a security requirement to prevent unauthorized scanning of websites you don't own.
DNS TXT Record
Add a TXT record to _vexlit.yourdomain.com with the provided verification token. This is the recommended method — works with any hosting provider.
HTML File
Upload an HTML file with the verification token to your website root. The file must be accessible at https://yourdomain.com/{token}.html.
Meta Tag
Add a <meta name="vexlit-verification"> tag to your homepage's <head> section with the provided token.
- Root domain verification covers all subdomains (e.g., verifying example.com covers api.example.com)
- Verification expires after 90 days and is automatically re-verified via DNS
- Only team admins can add and verify domains
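The three verification methods above, and the subdomain-coverage rule, as an added worked example (this is illustrative code, not VEXLIT's own verifier). It assumes the TXT records and page HTML have already been fetched, so it does no network I/O; the token value and the `_MetaCollector` / `is_covered` helper names are constructed for the example. The subdomain check compares whole DNS labels, which avoids the classic suffix bug where `notexample.com` would be accepted as a subdomain of `example.com`.

```python
import hmac
from datetime import timedelta
from html.parser import HTMLParser

# Constructed sample token; the real one is issued by the dashboard.
TOKEN = "vexlit-verify-8f3a2c9d"
VERIFICATION_TTL = timedelta(days=90)


def _same(a, b):
    """Constant-time string compare so token checks do not leak via timing."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def txt_record_matches(records, token):
    """DNS TXT method: `records` is the list of TXT strings already fetched for
    _vexlit.<domain> (no network I/O here). Accept only an exact match."""
    return any(_same(r.strip().strip('"'), token) for r in records)


class _MetaCollector(HTMLParser):
    """Collect content values of <meta name="vexlit-verification"> inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head and a.get("name") == "vexlit-verification":
            self.found.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def meta_tag_matches(html, token):
    """Meta tag method: the tag must sit in <head>; a tag that only appears in
    <body> (for example inside user-submitted content) is not accepted."""
    p = _MetaCollector()
    p.feed(html)
    return any(_same(c, token) for c in p.found)


def html_file_matches(body, token):
    """HTML file method: the body served at /{token}.html must contain the token."""
    return token in body


def is_covered(verified_root, host):
    """Root verification covers all subdomains. Compare whole DNS labels so that
    'example.com' covers 'api.example.com' but not 'notexample.com', which a
    naive endswith() check would wrongly accept."""
    root = verified_root.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(h) >= len(root) and h[-len(root):] == root


def needs_reverification(verified_at, now):
    """Verification expires after 90 days and must then be re-checked via DNS."""
    return now - verified_at >= VERIFICATION_TTL
```

`txt_record_matches` strips the surrounding quotes some resolvers return around TXT strings before comparing; everything else is an exact, constant-time match on the token.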
Passive Scan
Passive scanning analyzes HTTP responses without modifying requests. Safe to run anytime — no risk to your application.
Security Headers
Checks for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
Cookie Security
Verifies Secure, HttpOnly, and SameSite flags on all cookies.
SSL/TLS
Checks certificate expiry, TLS version (flags TLS 1.0/1.1), and configuration issues.
CORS Configuration
Detects overly permissive Access-Control-Allow-Origin settings.
Information Disclosure
Finds exposed .env files, .git directories, server version headers, and technology disclosure.
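The passive checks listed above, as an added example of the logic run over a single captured HTTP response (illustrative code written for this page, not VEXLIT's scanner). The response, header names and the severity/confidence labels on each finding are constructed; the confidence values follow the High/Medium/Low scheme described later on this page, where a missing header or a missing cookie flag is direct evidence.

```python
import re

# Constructed sample response (not from a real site): what a passive check receives.
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": [
        ("Server", "nginx/1.18.0"),
        ("X-Powered-By", "PHP/7.4.3"),
        ("Content-Type", "text/html"),
        ("X-Content-Type-Options", "nosniff"),
        ("Access-Control-Allow-Origin", "*"),
        ("Access-Control-Allow-Credentials", "true"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ],
}

EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "X-Frame-Options",
    "x-content-type-options": "X-Content-Type-Options",
    "referrer-policy": "Referrer-Policy",
    "permissions-policy": "Permissions-Policy",
}


def _headers(resp):
    """Lower-cased multi-map: header name -> list of values (Set-Cookie repeats)."""
    out = {}
    for name, value in resp["headers"]:
        out.setdefault(name.lower(), []).append(value)
    return out


def check_security_headers(h):
    # Each finding: (severity, confidence, title, evidence)
    findings = []
    for key, label in EXPECTED_HEADERS.items():
        if key not in h:
            findings.append(("medium", "high", f"{label} header missing", f"no {label} header in response"))
    xcto = h.get("x-content-type-options", [""])[0].strip().lower()
    if xcto and xcto != "nosniff":
        findings.append(("low", "high", "X-Content-Type-Options not 'nosniff'", xcto))
    return findings


def check_cookies(h):
    """Every Set-Cookie must carry Secure, HttpOnly and SameSite."""
    findings = []
    for raw in h.get("set-cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(("medium", "high", f"cookie '{name}' lacks {flag}", raw))
    return findings


def check_cors(h):
    """A wildcard origin is bad; combined with credentials it is a real exposure."""
    acao = h.get("access-control-allow-origin", [""])[0].strip()
    creds = h.get("access-control-allow-credentials", [""])[0].strip().lower() == "true"
    if acao == "*" and creds:
        return [("high", "high", "CORS wildcard origin with credentials", f"ACAO={acao}, ACAC=true")]
    if acao == "*":
        return [("low", "high", "CORS wildcard origin", f"ACAO={acao}")]
    return []


def check_disclosure(h):
    """Server / X-Powered-By headers that reveal a product version."""
    findings = []
    for key in ("server", "x-powered-by"):
        for v in h.get(key, []):
            if re.search(r"\d+\.\d+", v):
                findings.append(("low", "high", f"{key} header discloses version", v))
            elif key == "x-powered-by":
                findings.append(("info", "high", "technology disclosure", v))
    return findings


def passive_scan(resp):
    h = _headers(resp)
    return check_security_headers(h) + check_cookies(h) + check_cors(h) + check_disclosure(h)
```

On the constructed response this yields ten findings: five missing headers, two missing flags on the `session` cookie, one high-severity CORS finding, and two version disclosures. None of the checks sends a request or alters one; they only read the response, which is why a passive scan is safe to run at any time.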
Active Scan
Active scanning crawls your website, discovers endpoints, and tests for vulnerabilities by sending carefully crafted requests. Rate-limited to protect your application.
Injection Attacks
Tests for SQL Injection (error-based and time-based), Command Injection, Server-Side Template Injection (SSTI), and XPath Injection.
Cross-Site Scripting (XSS)
Detects reflected XSS in URL parameters and form fields by injecting safe test payloads.
Access Control
Tests for SSRF (Server-Side Request Forgery), IDOR (Insecure Direct Object Reference), Open Redirect, and Path Traversal.
Configuration
Checks CORS origin reflection, HTTP method tampering (TRACE/PUT/DELETE), and directory listing exposure.
CVE Detection
Powered by 12,000+ Nuclei community templates, covering known CVEs, default credentials, and common misconfigurations.
Authenticated Scanning
Scan pages behind login walls by configuring authentication credentials.
Form POST Login
For traditional login forms (WordPress, Django, Rails, etc.). Provide the login URL, field names, and credentials.
JSON API Login
For REST API authentication (Supabase, Firebase, custom APIs). Provide the endpoint, field names, credentials, and the token path in the response.
Cookie Direct
For OAuth or SSO-based sites. Copy session cookies from your browser DevTools and paste them directly.
Authentication credentials are encrypted at rest. The scanner uses them only during the scan to obtain a session, then crawls authenticated pages.
Scheduled Scans
Configure automatic recurring scans to continuously monitor your domain for new vulnerabilities.
- Daily — Run every 24 hours
- Weekly — Run every 7 days
- Monthly — Run every 30 days
Each scheduled scan automatically compares results with the previous scan, showing new, fixed, and unchanged findings via Scan Diff.
See What Changed Since Last Scan
Every scan is automatically compared against the previous one. Instantly see new vulnerabilities, confirmed fixes, and unchanged issues — no manual tracking needed.
- New — vulnerability not present in the previous scan
- Fixed — vulnerability was present before but is now resolved
- Unchanged — vulnerability persists from the previous scan
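How a scan diff can be computed, as an added example (illustrative code, not VEXLIT's implementation). The two scan result lists are constructed. The design point the example shows is the identity key: a finding is matched across scans by check id, normalized URL and parameter, and never by volatile fields such as evidence text or response timing, otherwise the same issue would be reported as "new" and "fixed" on every run.

```python
import hashlib

# Constructed findings from two consecutive scans of a fictional domain.
PREVIOUS_SCAN = [
    {"check": "missing-hsts", "url": "https://example.com/", "severity": "medium",
     "evidence": "no Strict-Transport-Security header"},
    {"check": "sqli-error-based", "url": "https://example.com/search", "param": "q",
     "severity": "high", "evidence": "database error string in response"},
    {"check": "reflected-xss", "url": "https://example.com/comment", "param": "body",
     "severity": "high", "evidence": "marker reflected unencoded, 120ms"},
]
CURRENT_SCAN = [
    # Same HSTS issue, but the crawler recorded the URL without a trailing slash.
    {"check": "missing-hsts", "url": "https://example.com", "severity": "medium",
     "evidence": "no Strict-Transport-Security header"},
    # Same XSS issue; only the timing in the evidence differs.
    {"check": "reflected-xss", "url": "https://example.com/comment", "param": "body",
     "severity": "high", "evidence": "marker reflected unencoded, 95ms"},
    {"check": "open-redirect", "url": "https://example.com/login", "param": "next",
     "severity": "medium", "evidence": "302 to external host"},
]


def fingerprint(finding):
    """Stable identity of a finding: check id + normalized URL + parameter.
    Evidence, timing and severity are deliberately excluded."""
    key = "|".join([finding["check"], finding["url"].rstrip("/").lower(), finding.get("param", "")])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def scan_diff(previous, current):
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    return {
        "new": [f for k, f in curr.items() if k not in prev],
        "fixed": [f for k, f in prev.items() if k not in curr],
        "unchanged": [f for k, f in curr.items() if k in prev],
    }


def summarize(diff):
    """Counts per bucket, the numbers a dashboard would show."""
    return {bucket: len(items) for bucket, items in diff.items()}
```

For the constructed data the diff is one new finding (the open redirect), one fixed (the SQL injection) and two unchanged, even though the URL form and evidence text of the unchanged ones differ between runs.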
Confidence Scores
Each finding includes a confidence score indicating detection reliability.
- High — direct evidence (error messages, reflected payloads, file content)
- Medium — indirect evidence (timing anomalies, response differences)
- Low — heuristic detection (structural patterns, potential issues)
OpenAPI / Swagger Scanning
Provide a Swagger or OpenAPI spec URL to scan your API endpoints directly — no crawling needed.
- Supports OpenAPI 3.x and Swagger 2.0 specs
- Automatically extracts endpoints, methods, and parameters
- Reuses your authentication config (cookie or Bearer token)
- Runs all active checks (XSS, SQLi, SSRF, etc.) against each endpoint
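The two pieces of configuration above that are easy to get wrong, the "token path in the response" from the JSON API Login section and the endpoint extraction from an OpenAPI document, as one added example (illustrative code, not VEXLIT's). The login response and the OpenAPI document are constructed, and the example handles OpenAPI 3.x only; Swagger 2.0's `in: body` parameters would need a separate branch. The function and field names (`extract_token`, `enumerate_endpoints`, `body_fields`, ...) are this example's own.

```python
import json

# Constructed JSON login response, the kind a "JSON API Login" config receives.
LOGIN_RESPONSE = json.loads(
    '{"user": {"id": 7}, "session": {"access_token": "eyJ.constructed.token", "expires_in": 3600}}'
)

# Constructed OpenAPI 3.0 document (not a real API).
OPENAPI_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}],
            "get": {"parameters": [{"name": "fields", "in": "query", "schema": {"type": "string"}}]},
            "delete": {},
        },
        "/search": {"get": {"parameters": [{"name": "q", "in": "query", "schema": {"type": "string"}}]}},
        "/comments": {
            "post": {
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "type": "object",
                                "properties": {"body": {"type": "string"}, "postId": {"type": "integer"}},
                            }
                        }
                    }
                }
            }
        },
    },
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def extract_token(response, token_path):
    """Walk a dotted path such as 'session.access_token' through the decoded JSON.
    Returns None instead of raising when a segment is missing, so a misconfigured
    token path is reported rather than crashing the scan. List indices are numeric."""
    node = response
    for part in token_path.split("."):
        if isinstance(node, dict) and part in node:
            node = node[part]
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        else:
            return None
    return node if isinstance(node, str) else None


def enumerate_endpoints(spec):
    """Flatten paths x methods into testable endpoints. Path-level parameters are
    shared by every operation under that path and must be merged in."""
    base = (spec.get("servers") or [{"url": ""}])[0]["url"].rstrip("/")
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skips 'parameters', 'summary', etc.
            params = shared + op.get("parameters", [])
            body_schema = (
                op.get("requestBody", {}).get("content", {}).get("application/json", {}).get("schema", {})
            )
            endpoints.append({
                "method": method.upper(),
                "url": base + path,
                "path_params": [p["name"] for p in params if p.get("in") == "path"],
                "query_params": [p["name"] for p in params if p.get("in") == "query"],
                "body_fields": list(body_schema.get("properties", {}).keys()),
            })
    return endpoints


def build_request_plan(spec, token):
    """Attach the Bearer token obtained from the login response to every endpoint."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return [dict(ep, headers=dict(headers)) for ep in enumerate_endpoints(spec)]
```

With the constructed spec this produces four endpoints; note that `DELETE /users/{id}` inherits the `id` path parameter even though its own operation object is empty, which is exactly the case a per-operation-only parser would miss.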
Plan Access
DAST scanning is available on the Team plan and above. All scan types require domain verification.
| Feature | Free/Pro | Team | Enterprise |
|---|---|---|---|
| Passive scanning | — | ✓ | ✓ |
| Active scanning | — | ✓ | ✓ |
| API scanning (OpenAPI) | — | ✓ | ✓ |
| Verified domains | 0 | 5 | Unlimited |
| Scans per month | 0 | 30/mo | Unlimited |
| Scheduled scans | — | ✓ | ✓ |
Safety & Compliance
VEXLIT DAST is designed to be safe for production environments.
- Domain verification required — you can only scan sites you own
- Rate-limited requests — protects your application from overload
- robots.txt respected — honors crawl restrictions
- Internal IP blocking — prevents scanning private networks (127.x, 10.x, 192.168.x)
- No destructive tests — DoS and brute force payloads are excluded
- Auto-pause on 429 — respects rate limit responses
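Three of these safeguards (internal IP blocking, robots.txt handling and the 429 pause) as an added example of how a crawler enforces them before and after each request (illustrative code, not VEXLIT's). The robots.txt text and response headers are constructed, and the address check is done with the standard `ipaddress` module, so it goes beyond the three ranges named above: it also refuses 172.16/12, 169.254/16, reserved and multicast space, and the IPv6 loopback and unique-local ranges. The function names are this example's own.

```python
import ipaddress
from urllib import robotparser
from urllib.parse import urlparse


def is_blocked_address(ip_text):
    """Refuse private, loopback, link-local and other non-routable addresses."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_target(url, resolved_ips):
    """Pre-request gate. Every address the hostname resolves to is checked, so a
    name that mixes public and private records is still refused. Resolution is
    left to the caller (no DNS here) so the same function can be unit-tested."""
    host = urlparse(url).hostname
    if not host:
        return False, "no host in URL"
    if urlparse(url).scheme not in ("http", "https"):
        return False, "unsupported scheme"
    for ip in resolved_ips:
        if is_blocked_address(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


# Constructed robots.txt for the example.
ROBOTS_TXT = "User-agent: *\nDisallow: /admin/\nDisallow: /internal/\n"


def crawl_allowed(robots_text, url, user_agent="VexlitDAST"):
    """robots.txt check using the stdlib parser on already-fetched text."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp.can_fetch(user_agent, url)


def pause_for_rate_limit(status, headers, default_seconds=30):
    """Seconds to pause after a response: 0 unless it is a 429, in which case the
    Retry-After header (seconds form) is honored, with a fallback default."""
    if status != 429:
        return 0
    lowered = {k.lower(): v for k, v in headers.items()}
    retry_after = lowered.get("retry-after", "").strip()
    if retry_after.isdigit():
        return int(retry_after)
    return default_seconds
```

`check_target` is meant to run on the resolved addresses immediately before the request is sent (and again on each redirect hop), because a hostname that looked public at crawl-planning time may resolve to an internal address later.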