Dynamic Analysis

  • Dynamic Analysis, or Black Box Testing, is the analysis of computer software by executing testing programs in a run-time environment
  • The use of dynamic analysis for Web applications will help identifying security issues before hackers can exploit them. 
  • To initiate the test, make a request to the website.
  • Unlike static analysis, dynamic analysis doesn't have access to the source code and therefore detect vulnerabilities by actually performing authorized attacks.
  • There are two types of dynamic analysis for web applications: Web Application Vulnerability Scan (WAVS) and Web Application Penetration Test (WAPT).


  • WAVS is set to find vulnerabilities in Web applications; WAPT not only verifies the existence and exploitability of potential vulnerabilities, but also assesses the overall security of a Web application by attempting to compromise it using attacker techniques.
  • WAVS identifies the problems which may have already occurred rather than evaluating against a real attack like WAPT does.
  • WAPT is active in that it is able to attack a system and measure its readiness. WAVS, on the other hand, is passive because it does not address the implications of a successful intrusion and only lists what the potential vulnerabilities may be without probing deeper to reveal the true threat to assets. 

WAVS Tools

  • Many WAVS tools exist to analyze Web vulnerabilities with a GUI, a spider, a scanner, and an up-to-date vulnerabilities database.
  • View a list of commercial WAVS tools, Software-as-a-Service WAVS providers, free/open source WAVS tools at WASC.
  • View a list of website security scanning tools at
  • View WASC's Web Application Security Scanner Evaluation Criteria
  • Demo

WAPT Tools

  • A common security frame used by WAPT is the OWASP's Top Ten issues.
  • View an example video at
  • OWASP's Web application penetration project. It's Testing Guide lists typical testings as follows:
    • Identity Management Testing
    • Authentication Testing
    • Authorization Testing
    • Session Management Testing
    • Input Validation Testing
    • Testing for Error Handling
    • Testing for weak Cryptography
    • Business Logic Testing
    • Client Side Testing
  • Firefox has many plugins specifically designed for web application penetration testing.