Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Online Stores Case
Black Box Testing
Dynamic analysis is the analysis of computer software by executing testing programs in a
The use of dynamic analysis for Web applications helps identify security issues before attackers can exploit them.
To initiate the test, make a request to the website.
Unlike static analysis, dynamic analysis does not have access to the source code and therefore detects vulnerabilities by actually performing
There are two types of dynamic analysis for web applications:
Web Application Vulnerability Scan
Web Application Penetration Test
WAVS vs. WAPT
WAVS is set to find vulnerabilities in Web applications; WAPT not only verifies the existence and exploitability of potential vulnerabilities, but also assesses the overall security of a Web application by attempting to compromise it using attacker techniques.
WAVS identifies problems that may already exist rather than evaluating the application against a real attack as WAPT does.
in that it is able to attack a system and measure its readiness. WAVS, on the other hand, is
because it does not address the implications of a successful intrusion and only lists what the potential vulnerabilities may be without probing deeper to reveal the true threat to assets.
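The following script is an added illustration of the WAVS side of this contrast; it is not code from the slides or from any scanner named on them. It makes one request to a URL, looks only at the response (no source access, as in black-box testing), and lists potential weaknesses such as missing security headers, a version-disclosing Server header and cookies without Secure/HttpOnly flags. It stops there: nothing is probed or exploited, which is exactly the limitation the slides attribute to a scan as opposed to a penetration test. The header list, the finding messages and the local demo server it scans are assumptions made for the example.

```python
"""Minimal passive, black-box response check in the style of a WAVS report.

Added example: it lists what *may* be wrong from a single response, without
verifying exploitability. The expected-header list below is a common-guidance
assumption, not something taken from the slides.
"""
import http.server
import threading
import urllib.error
import urllib.request
from http.cookies import SimpleCookie

# Response headers a hardened site is expected to send (assumed list).
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "HSTS missing: transport downgrade possible",
    "Content-Security-Policy": "CSP missing: no browser-side script restriction",
    "X-Content-Type-Options": "MIME sniffing not disabled",
    "X-Frame-Options": "clickjacking protection missing",
}


def analyze_response(status, headers):
    """Return a list of finding strings for one HTTP response.

    `headers` is a list of (name, value) pairs as http.client returns them,
    so repeated Set-Cookie headers are all inspected.
    """
    findings = []
    by_name = {name.lower(): value for name, value in headers}

    for header, message in EXPECTED_HEADERS.items():
        if header.lower() not in by_name:
            findings.append(f"missing header {header}: {message}")

    # A Server value containing digits usually carries a product version.
    server = by_name.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header discloses version: {server!r}")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)
        for morsel in cookie.values():
            if not morsel["secure"]:
                findings.append(f"cookie {morsel.key} lacks Secure flag")
            if not morsel["httponly"]:
                findings.append(f"cookie {morsel.key} lacks HttpOnly flag")

    if status >= 500:
        findings.append(f"server error {status}: check error handling")
    return findings


def scan_url(url):
    """The black-box step from the slides: make a request, inspect the reply."""
    req = urllib.request.Request(url, headers={"User-Agent": "wavs-demo/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return analyze_response(resp.status, resp.getheaders())
    except urllib.error.HTTPError as err:
        # Error pages are responses too; their headers get the same review.
        return analyze_response(err.code, list(err.headers.items()))


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local target with deliberately weak response headers."""

    def do_GET(self):
        self.send_response(200)  # http.server adds a version-bearing Server header itself
        self.send_header("Content-Type", "text/html")
        self.send_header("Set-Cookie", "sid=abc123; Path=/")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.end_headers()
        self.wfile.write(b"<html>demo store</html>")

    def log_message(self, *args):
        pass  # keep the demo output to the findings only


if __name__ == "__main__":
    # Run the scan against a throwaway server on localhost so it works offline.
    server = http.server.HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    for finding in scan_url(f"http://127.0.0.1:{port}/"):
        print("-", finding)
    server.shutdown()
```

Each line the script prints is a candidate, not a confirmed issue; deciding whether, for example, the missing HSTS header actually exposes users on this deployment is the judgement a penetration test adds on top of the scan.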
Many WAVS tools exist to analyze Web vulnerabilities with a
, and an up-to-date
View a list of commercial WAVS tools, Software-as-a-Service WAVS providers, free/open source WAVS tools at
View a list of website security scanning tools at
Web Application Security Scanner Evaluation Criteria
A common security framework used by WAPT is the OWASP Top Ten.
View an example video at
OWASP's Web application penetration project
lists typical tests as follows:
Identity Management Testing
Session Management Testing
Input Validation Testing
Testing for Error Handling
Testing for Weak Cryptography
Business Logic Testing
Client Side Testing
specifically designed for web application penetration testing.