DAST that finds what your team would, on a schedule it can keep.
WASViking® runs deep deterministic engines against your live web applications and APIs. 17 analyzers, 11 injection classes consolidated in one scanner, an authenticated session that all analyzers reuse, and an OAST collaborator we own.
Deep, deterministic, calibrated. Not a checklist scanner.
Every dynamic analyzer reads the per-host Environment Profile, so SQLi payloads adapt to the detected DBMS, XSS adapts to SPA rendering, and JWT adapts to JWKS placement. The result is fewer false positives and findings that hold up under engineering review.
SQLi
Five techniques across seven injection points. DBMS fingerprinting feeds payload selection. Per-finding evidence with raw HTTP transcript.
XSS
Reflected, stored, and DOM. SPA-aware via Playwright. Auth-context propagation so authenticated XSS does not look like unauthenticated noise.
JWT advanced
Alg confusion, weak secret recovery, JWKS proprietary-path discovery, form-login JWT auto-discovery, raw claim visibility under contract.
InjectionClass · 11 detectors
SSRF, CmdInj, Path Traversal/LFI, SSTI, Open Redirect, XXE, Insecure Deserialization, CRLF, RFI, IDOR, Race Conditions. One analyzer, shared context, shared OAST collaborator.
Component detection
Cloud-side fingerprint of frameworks, CMS, and libraries. Enriched with OSV.dev and CISA KEV. Pairs with premise-side SBOM for the full picture.
Sensitive files & headers
Soft-404 calibration with three canary shapes, content-type gating, per-kind positive fingerprints. OWASP header analyzer with severity calibration.
One form-login session. Every analyzer reuses it.
A shared form-login session is published through a ContextVar so SQLi, XSS, JWT, GraphQL, and InjectionClass all consume the same authenticated cookies. Logging in once means repeated logins never trip the target's anti-brute-force lockout, and there is no per-scanner login glue to maintain.
- AI Form Login Autofill detects login selectors via LLM, with Playwright SPA fallback
- 5-verdict compatibility classifier (compatible, captcha, SPA, multi-step, uncertain) recommends Form Login vs Bearer/Cookie
- Basic, Bearer, Header, Cookie modes carried through every request via ContextVar
- Validated on DVWA and canonical SPA test targets
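The mechanism described above, as an added illustration that is not WASViking's own code: one login result is published through a ContextVar and every analyzer task reads it when it decorates a request. `AuthSession`, `apply_auth` and the analyzer names are assumptions; the cookie values are constructed samples.

```python
import asyncio
import contextvars
from dataclasses import dataclass, field

# Hypothetical session object holding the result of one login (assumption).
@dataclass
class AuthSession:
    mode: str                         # "basic" | "bearer" | "header" | "cookie"
    cookies: dict = field(default_factory=dict)
    token: str = ""                   # bearer token, base64(user:pass) for basic, or raw header value
    header_name: str = "X-Api-Key"    # only used in "header" mode

# Published once per scan; analyzers never log in themselves.
AUTH_SESSION = contextvars.ContextVar("auth_session", default=None)

def apply_auth(request: dict) -> dict:
    """Return a copy of request (dict with url/headers/cookies) carrying the published session."""
    session = AUTH_SESSION.get()
    if session is None:
        return request                # unauthenticated scan: send as-is
    headers = dict(request.get("headers", {}))
    cookies = dict(request.get("cookies", {}))
    if session.mode == "cookie":
        cookies.update(session.cookies)
    elif session.mode == "bearer":
        headers["Authorization"] = f"Bearer {session.token}"
    elif session.mode == "basic":
        headers["Authorization"] = f"Basic {session.token}"
    elif session.mode == "header":
        headers[session.header_name] = session.token
    return {**request, "headers": headers, "cookies": cookies}

async def analyzer(name: str) -> dict:
    # Each analyzer builds its own request; the auth context is inherited by the task.
    req = {"url": f"https://app.example.test/{name}", "headers": {}, "cookies": {}}
    return {name: apply_auth(req)}

async def run_scan(session: AuthSession, analyzers: list) -> dict:
    AUTH_SESSION.set(session)         # set before tasks are created so they inherit it
    results = await asyncio.gather(*(analyzer(n) for n in analyzers))
    return {k: v for r in results for k, v in r.items()}

def apply_in_isolated_context(session: AuthSession, request: dict) -> dict:
    """Run apply_auth with `session` in a copied context, so the caller's context stays untouched."""
    def _inner():
        AUTH_SESSION.set(session)
        return apply_auth(request)
    return contextvars.copy_context().run(_inner)

def demo() -> dict:
    session = AuthSession(mode="cookie", cookies={"PHPSESSID": "constructed-sample", "security": "low"})
    return asyncio.run(run_scan(session, ["sqli", "xss", "jwt"]))
```

Because `asyncio.run` executes the scan in its own task context, the session set inside `run_scan` is visible to all three analyzers but not to code outside the scan, which is what keeps one scan's cookies from leaking into another.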
From login to scan, in one breath.
Operator selects Form Login. WASViking detects the selectors, classifies compatibility, authenticates once, and broadcasts the session to every analyzer enabled in the scan profile.
Our own OAST collaborator. Not a third party you cannot operate.
Blind SSRF, blind XXE, blind RFI, blind SSTI, and blind CmdInj rely on an out-of-band collaborator. Most automated DAST products either skip these classes or rent a third-party service. WASViking ships its own catcher at /oast/<token>/, persists interactions in MongoDB, and feeds them back into the InjectionClassScanner.
- Per-scan token, single-tenant correlation
- HTTP and DNS interactions captured
- Native integration with InjectionClassScanner
- No third-party data leaving your tenant
[oast] interaction received from target IP
[InjectionClass] blind_ssrf confirmed
severity: high · cwe: CWE-918