Most web applications nowadays are a combination of dynamic and static web pages. A static web page consists of simple HTML pages together with supporting files (e.g. JavaScript (JS) and Cascading Style Sheets (CSS)) that are hosted on a web server. When a site visitor wants to visit a static website by, for example, entering a URL, selecting a bookmark in their browser, or clicking on a link, the web server sends the page to the web browser directly without changing the page’s final content.
Dynamic web pages work differently, and in this article, we’ll answer the question, “What is a dynamic web page? And dive into the details of how they operate. We will also explain why dynamic pages need manual testing and in-depth fuzzing to protect and secure them from external threats.
Dynamic Web Pages Explained
Dynamic web pages display different content for various users but retain the same design and layout. They are typically written in AJAX, CGI, ASP.NET, or ASP, and this type of page takes longer to load than a simple static page. They’re often used to show information that frequently changes, e.g., stock prices or weather updates.
Dynamic pages generally require server-side databases and contain application programs for different services. The database enables the page creator to separate the content displayed to users from the website’s design elements. Once content has been loaded into the database, the website retrieves it when responding to user requests.
Dynamic Web Page Types
● Server-side Scripting:
This type of web page changes when it’s visited or loaded or based on the information submitted to it. Server-side content is generated when the pages are loaded. Examples include submission forms, shopping carts, and login pages.
● Client-side Scripting:
This type of web page changes when it responds to action within it (“client-side event”). Rather than generate content on the webserver, the scripts generate “client-side content” on the user’s computer.
Dynamic Web Page Processing
When a web server receives a request for a dynamic page, it doesn’t send the page to the requesting browser directly as it would do with static pages but sends the page to the application server, where three activities are then completed:
● The code on the page is read.
● Use the code’s instructions to complete the page
● The code is then removed from the page.
This is a static page that the application server then sends back to the web server, which passes it on to the requesting browser for display.
As the application server can’t communicate with the database directly, it needs a database driver that serves as an interpreter and allows the application to manipulate and read data that would otherwise be inaccessible.
The Need for Manual Testing and In-depth Fuzzing in Dynamic Web Pages
Although dynamic web pages are used for many types of websites, they may cause application security testing professionals problems.
The first issue is that developers have difficulties finding a consistent form of communication with the different components in the system, which makes it challenging to automate testing. This leads to additional manual testing and extra costs for tester resources.
The next challenge is caused by the client and server being closely coupled, making developing, testing, and deploying them independently challenging. This also leads to another problem. As there is more code in a single place, this could mean more clutter and a higher chance of “spaghetti code”, i.e., convoluted and unstructured code, making it very difficult to maintain. As client and server and programming need very different approaches, numerous developers often end up working on the same codebase, leading to chaos during development and testing.
Dynamic web pages also need more manual testing and in-depth fuzzing to understand how unexpected user inputs can affect back-end operations or enable unauthorized access. A hacker may, for example, launch a command injection attack via a vulnerable web application to execute arbitrary commands on the host operating system.
This type of attack is possible when an application passes unsafe user-supplied data via forms, a common element in dynamic web pages. A hacker may also launch an SQL injection attack by inserting SQL queries via the client’s input data to the application. This type of exploit can modify or read the dynamic site’s database, perform admin operations on it, and sometimes issue commands to the operating system. With dynamic web pages, these real security challenges can’t be identified or addressed adequately with vulnerability scanning or automated testing.
Conclusion
Dynamic web pages are beneficial and play a crucial role in enhanced user experiences. They do present their own set of problems, especially for testing.
