What type of security testing occurs when a scanner crawls a web page to gather HTTP GET responses?


The correct choice is passive Dynamic Application Security Testing (DAST), which scans a web application by crawling its pages and collecting data from the HTTP GET responses. In passive DAST, the scanner observes the application as it operates without actively probing it for vulnerabilities: it identifies potential security issues solely from the responses received during normal use (for example, response headers, cookies, and page content), rather than by sending crafted payloads or manipulating requests.

Passive DAST is advantageous because it minimizes the risk of disrupting the application or causing unintended side effects, making it a less intrusive method of security testing. It allows the security posture to be assessed without altering the application's state, though, because no requests are crafted, it only surfaces issues that are visible in the responses the application returns on its own.

The other options involve either static analysis of source code or active engagement with the application, in which deliberate test requests are sent to find vulnerabilities. Passive DAST, by contrast, relies on gathering information from the application's natural operation, which is why it accurately fits the scenario described in the question.
