Babysitter dast-scanner

Dynamic Application Security Testing execution and management. Configure and execute OWASP ZAP and Nuclei scans, run authenticated scanning, manage scan policies and scope, correlate findings with SAST results, and generate comprehensive vulnerability reports.

install

source · Clone the upstream repo

git clone https://github.com/a5c-ai/babysitter

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/a5c-ai/babysitter "$T" && mkdir -p ~/.claude/skills && cp -r "$T/library/specializations/security-compliance/skills/dast-scanner" ~/.claude/skills/a5c-ai-babysitter-dast-scanner && rm -rf "$T"

manifest: library/specializations/security-compliance/skills/dast-scanner/SKILL.md

dast-scanner

You are dast-scanner - a specialized skill for Dynamic Application Security Testing (DAST) execution and management. This skill provides comprehensive capabilities for runtime vulnerability detection in web applications and APIs.

Overview

This skill enables AI-powered DAST including:

OWASP ZAP automated and manual scanning
Nuclei template-based vulnerability scanning
Authenticated scanning with session management
API security testing (REST, GraphQL, gRPC)
Scan policy configuration and scope management
SAST/DAST result correlation
Comprehensive vulnerability reporting

Prerequisites

Target application running and accessible
OWASP ZAP and/or Nuclei installed
Network access to target
Optional: Authentication credentials
Optional: API specifications (OpenAPI, GraphQL schema)

Capabilities

1. OWASP ZAP Scanning

Comprehensive web application security testing:

# Start ZAP daemon
docker run -u zap -p 8080:8080 -i ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon \
  -host 0.0.0.0 -port 8080 -config api.disablekey=true

# Quick baseline scan
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://target.example.com \
  -J report.json

# Full active scan
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -J full-report.json

# API scan with OpenAPI
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t openapi.yaml \
  -f openapi \
  -J api-report.json

# Custom scan with ZAP CLI
zap-cli quick-scan https://target.example.com
zap-cli active-scan https://target.example.com
zap-cli report -o report.html -f html

ZAP Scan Policies

<!-- High-intensity scan policy -->
<scanPolicy>
  <name>high-intensity</name>
  <description>Comprehensive security scan</description>
  <attackStrength>INSANE</attackStrength>
  <alertThreshold>LOW</alertThreshold>
  <scanners>
    <scanner id="40012" enabled="true" attackStrength="HIGH"/> <!-- XSS -->
    <scanner id="40018" enabled="true" attackStrength="INSANE"/> <!-- SQLi -->
    <scanner id="90019" enabled="true" attackStrength="HIGH"/> <!-- SSI -->
    <scanner id="90020" enabled="true" attackStrength="INSANE"/> <!-- RCE -->
  </scanners>
</scanPolicy>

2. Nuclei Template Scanning

Fast template-based vulnerability detection:

# Update templates
nuclei -update-templates

# Basic scan
nuclei -target https://target.example.com -json -output nuclei-results.json

# Scan with specific templates
nuclei -target https://target.example.com \
  -templates cves/ \
  -templates vulnerabilities/ \
  -json -output nuclei-results.json

# Scan with severity filter
nuclei -target https://target.example.com \
  -severity critical,high \
  -json -output nuclei-critical.json

# Scan multiple targets
nuclei -list targets.txt \
  -severity critical,high,medium \
  -json -output nuclei-results.json

# Scan with tags
nuclei -target https://target.example.com \
  -tags owasp,cve,xss,sqli \
  -json -output nuclei-owasp.json

# Scan with rate limiting
nuclei -target https://target.example.com \
  -rate-limit 50 \
  -concurrency 10 \
  -json -output nuclei-results.json

# Headless scanning for JS apps
nuclei -target https://target.example.com \
  -headless \
  -json -output nuclei-headless.json

Nuclei Template Categories

Category	Description	Templates
`cves/`	Known CVEs	5000+
`vulnerabilities/`	Generic vulnerabilities	500+
`exposures/`	Sensitive data exposure	300+
`misconfigurations/`	Security misconfigs	400+
`technologies/`	Technology detection	200+
`fuzzing/`	Fuzzing templates	100+

Custom Nuclei Template

# custom-templates/api-key-exposure.yaml
id: api-key-exposure

info:
  name: API Key Exposure Check
  author: security-team
  severity: high
  description: Checks for exposed API keys in responses
  tags: api,exposure,secrets

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/config"
      - "{{BaseURL}}/config.json"
      - "{{BaseURL}}/.env"

    matchers-condition: or
    matchers:
      - type: regex
        regex:
          - "api[_-]?key['\"]?\\s*[:=]\\s*['\"]?[a-zA-Z0-9]{20,}"
          - "secret[_-]?key['\"]?\\s*[:=]\\s*['\"]?[a-zA-Z0-9]{20,}"
        condition: or

    extractors:
      - type: regex
        regex:
          - "api[_-]?key['\"]?\\s*[:=]\\s*['\"]?([a-zA-Z0-9]{20,})"
        group: 1

3. Authenticated Scanning

ZAP Authentication

# Form-based authentication context
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -n context.context \
  -U authenticated-user \
  -J auth-report.json

# OAuth/Bearer token authentication
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t openapi.yaml \
  -f openapi \
  -z "-config replacer.full_list(0).description=auth \
      -config replacer.full_list(0).enabled=true \
      -config replacer.full_list(0).matchtype=REQ_HEADER \
      -config replacer.full_list(0).matchstr=Authorization \
      -config replacer.full_list(0).replacement='Bearer $TOKEN'" \
  -J api-auth-report.json

ZAP Context File

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <context>
    <name>MyAppContext</name>
    <desc></desc>
    <inscope>true</inscope>
    <incregexes>https://target.example.com.*</incregexes>
    <excregexes>.*logout.*</excregexes>
    <tech>
      <include>Db.PostgreSQL</include>
      <include>Language.JavaScript</include>
      <include>OS.Linux</include>
    </tech>
    <authentication>
      <type>FormBasedAuthentication</type>
      <loggedin>\Qlogout\E</loggedin>
      <loggedout>\Qlogin\E</loggedout>
      <form>
        <loginurl>https://target.example.com/login</loginurl>
        <loginbody>username={%username%}&amp;password={%password%}</loginbody>
      </form>
    </authentication>
    <users>
      <user>
        <name>testuser</name>
        <credentials>username=testuser&amp;password=testpass</credentials>
      </user>
    </users>
  </context>
</configuration>

Nuclei with Authentication

# Cookie-based authentication
nuclei -target https://target.example.com \
  -header "Cookie: session=abc123" \
  -json -output nuclei-auth.json

# Bearer token authentication
nuclei -target https://target.example.com \
  -header "Authorization: Bearer $TOKEN" \
  -json -output nuclei-auth.json

# Custom headers file
nuclei -target https://target.example.com \
  -header-file headers.txt \
  -json -output nuclei-auth.json

4. API Security Testing

REST API Testing

# ZAP API scan with OpenAPI
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -J api-report.json

# Nuclei API scanning
nuclei -target https://api.example.com \
  -tags api \
  -json -output api-nuclei.json

GraphQL Testing

# ZAP GraphQL scan
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/graphql \
  -f graphql \
  -J graphql-report.json

# Nuclei GraphQL templates
nuclei -target https://api.example.com/graphql \
  -tags graphql \
  -json -output graphql-nuclei.json

5. SAST/DAST Correlation

Correlate static and dynamic findings:

{
  "correlation_report": {
    "sast_findings": 45,
    "dast_findings": 28,
    "correlated": 12,
    "sast_only": 33,
    "dast_only": 16,
    "correlations": [
      {
        "vulnerability_type": "SQL Injection",
        "sast_finding": {
          "file": "src/api/users.py",
          "line": 42,
          "rule": "python.lang.security.audit.dangerous-sql"
        },
        "dast_finding": {
          "url": "https://api.example.com/users",
          "parameter": "id",
          "evidence": "SQL syntax error"
        },
        "confidence": "high",
        "recommendation": "Priority fix - confirmed vulnerable endpoint"
      }
    ]
  }
}

6. Scan Scope Management

# scan-scope.yaml
scope:
  includes:
    - "https://target.example.com/*"
    - "https://api.target.example.com/*"
  excludes:
    - "*/logout"
    - "*/signout"
    - "*delete*"
    - "*payment*"
    - "*/static/*"
    - "*/assets/*"

rate_limiting:
  requests_per_second: 20
  delay_between_requests_ms: 50
  max_concurrent_connections: 10

authentication:
  type: bearer
  token_refresh_url: "https://auth.example.com/token"
  token_header: "Authorization"
  token_prefix: "Bearer "

scan_policy:
  attack_strength: medium
  alert_threshold: low
  scanners:
    enabled:
      - sql-injection
      - xss-reflected
      - xss-stored
      - command-injection
      - path-traversal
    disabled:
      - format-string

MCP Server Integration

This skill can leverage the following MCP servers:

Server	Description	Installation
ZAP-MCP	AI-powered OWASP ZAP integration	GitHub
pentestMCP	20+ tools including ZAP, Nuclei	GitHub
HexStrike AI	150+ cybersecurity tools	GitHub
SecOpsAgentKit dast-zap	ZAP integration	GitHub
SecOpsAgentKit dast-nuclei	Nuclei integration	GitHub

Best Practices

Scanning Strategy

Passive first - Start with passive scanning
Scope carefully - Define clear boundaries
Rate limit - Respect target infrastructure
Authenticate - Test authenticated areas
Schedule wisely - Avoid peak hours

CI/CD Integration

# GitHub Actions
name: DAST Scan
on:
  schedule:
    - cron: '0 2 * * *'  # Nightly
  workflow_dispatch:

jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.8.0
        with:
          target: ${{ secrets.STAGING_URL }}
          allow_issue_writing: false

      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: ${{ secrets.STAGING_URL }}
          flags: "-severity critical,high -json"

Process Integration

This skill integrates with the following processes:

```
dast-scanning.js
```
- DAST pipeline integration
```
penetration-testing.js
```
- Pen testing workflow
```
devsecops-pipeline.js
```
- DevSecOps automation
```
vulnerability-management.js
```
- Vulnerability lifecycle

Output Format

When executing operations, provide structured output:

{
  "operation": "dast-scan",
  "status": "completed",
  "target": "https://target.example.com",
  "tools_used": ["zap", "nuclei"],
  "scan_duration_seconds": 2340,
  "summary": {
    "total_findings": 58,
    "by_severity": {
      "critical": 3,
      "high": 12,
      "medium": 25,
      "low": 18
    },
    "by_tool": {
      "zap": 42,
      "nuclei": 16
    },
    "by_category": {
      "injection": 8,
      "xss": 12,
      "misconfiguration": 15,
      "information_disclosure": 10,
      "authentication": 5,
      "other": 8
    }
  },
  "coverage": {
    "urls_scanned": 245,
    "endpoints_tested": 89,
    "parameters_tested": 312
  },
  "top_findings": [
    {
      "severity": "critical",
      "name": "SQL Injection",
      "url": "https://target.example.com/api/users",
      "parameter": "id",
      "tool": "zap",
      "cweid": "89",
      "wascid": "19"
    }
  ],
  "artifacts": ["zap-report.json", "nuclei-results.json", "combined-dast.html"]
}

Error Handling

Common Issues

Error	Cause	Resolution
`Connection timeout`	Target unreachable	Check network/firewall
`Authentication failed`	Invalid credentials	Verify auth config
`Rate limited`	Too aggressive	Reduce scan speed
`Scan interrupted`	Resource exhaustion	Increase resources

Constraints

Always obtain proper authorization before scanning
Never scan production without explicit approval
Configure appropriate rate limits
Exclude destructive actions from scope
Monitor target health during scans
Document all findings with evidence