A number of businesses maintain an online presence and conduct much of their commerce and business operations using the Web. Often times, the businesses engage aspects of the Web known as Web 2.0, which may refer to information sharing across the Web where the Web is viewed as a platform for user centered design. Having a secure web page is one technique to ensure that businesses maintain the integrity of their online data and continue to function properly on the Web and Web 2.0. Consequently, web page security is routinely validated.
Manual penetration testing is one technique of security validation. In manual penetration testing, an attack from a malicious source is simulated on a web page. An attack typically includes inserting malicious code into communications with the web page. A user may manually analyze the web site for vulnerabilities that have been exposed through the attack. However, many web pages are quite large and extensive, so vulnerabilities can be missed during a manual analysis. Additionally, web site administrators may be unaware of some applications residing on various web pages throughout a network, and vulnerabilities related to those applications may be missed as well. Further, business processes can be hard to test, and source code may not be fully covered by a manual attack, allowing for more missed vulnerabilities.
Alternatively, a transport level attack mechanism may be used to test for vulnerabilities. The transport level attacks may be created by enclosing various parameters within a web request, including attack code. The request may be sent to the server for processing. A vulnerability may be found, based on the attack, if the server responds to the request in a manner expected when such a vulnerability is present.
A crawl and audit technique may also be used to discover vulnerabilities, and is typically used by working statically with each link resulting in a request to and a response from the server. Additionally, the crawl and audit technique is performed automatically, without user interaction or the aid of a web browser. User traffic is not recorded, therefore no authentication data is available to access Web 2.0 applications.