Include fuzzy testing in DAST
Problem to solve
DAST runs attacks against applications at runtime. It does this via HTTP requests that try to spot vulnerabilities that are not discovered by static analysis.
Fuzzy testing increases the chances of getting results by using arbitrary payloads instead of well-known ones. This makes it possible to trigger uncommon and specific paths and to exercise more of the attack surface.
ZAP (the tool we currently use for DAST) can be used as a fuzzer.
Add fuzzy testing functionality to our DAST tool.
Specifically for ZAP, analyze whether the existing module can be enabled and what the requirements are (probably active test mode).
We also need to evaluate the running time, since fuzzing could be very time-consuming.
What does success look like, and how can we measure that?
DAST reports more vulnerabilities because of fuzzy testing.