Most modern web applications are a collection of both static and dynamic web pages. A static website contains simple HTML pages and supporting files (e.g., Cascading Style Sheets (CSS), JavaScript (JS)) hosted on a web server. When a site visitor requests a static page, say, by clicking a link, selecting a browser bookmark, or entering a URL; the web server sends the page directly to the web browser without modifying the final content of the page.

And what is a dynamic web page?

This brief blog will answer this question. It will also explain why dynamic pages require in-depth fuzzing and manual testing to secure and protect them from threat actors.

What is a Dynamic Web Page?

A dynamic page displays different content for different users while retaining the same layout and design. Such pages, usually written in CGI, AJAX, ASP or ASP.NET, take more time to load than simple static pages. They’re frequently implemented to show information that changes frequently, e.g., weather updates or stock prices.

Dynamic pages usually contain application programs for different services and require server-side resources like databases. A database allows the page creator to separate the website’s design from the content to be displayed to users. Once they upload content into the database, it is retrieved by the website in response to a user request.

Two Types of Dynamic Web Pages

  • Client-side Scripting: A web page that changes in response to an action within it (“client-side event”) uses client-side scripting. These scripts generate “client-side content” on the user’s computer, rather than the webserver.
  • Server-side Scripting: A web page that changes when it’s loaded or visited, or based on what’s submitted to it, uses server-side scripting. When the pages are loaded, server-side content is generated. Examples include login pages, shopping carts and submission forms.

How are Dynamic Web Pages Processed?

When the webserver receives a user request for a dynamic page, it does not send the page directly to the requesting browser as it would do with a static page. Instead, it passes the page to the application server which then completes three activities:

  • Read the code on the page
  • Finish the page according to the code’s instructions
  • Remove the code from the page

This results in a static page that’s passed back to the web server by the application server, and then to the requesting browser for display.

The application server cannot communicate directly with the database, so it requires a database driver that functions as an interpreter and lets the application read and manipulate data that would otherwise be indecipherable.

Dynamic Web Pages and the Need for In-depth Fuzzing and Manual Testing

Although dynamic web pages are useful for many types of websites, they can cause difficulties for application security testing teams.

For one, developers struggle to find a consistent form of communication with the different system components, which makes it difficult to do automated testing. This results in extra manual effort, and extra costs in tester resources.

Next, since the client and server are closely coupled, it’s difficult to develop, test and deploy them independently. This also poses another issue: more code in one place, which means more clutter, and a higher risk of “spaghetti code”, i.e., code that’s unstructured, convoluted, and difficult to maintain. Furthermore, since server programming and client programming require different approaches, several developers end up working on one codebase, which leads to chaos, not only during development but also during testing.

Finally, dynamic web pages require more in-depth fuzzing and manual testing to understand how untrusted user inputs can enable unauthorized access, and affect back-end operations. For example, a bad actor may execute a command injection attack to execute arbitrary commands on the host operating system via a vulnerable web application. Such attacks are possible when the application passes unsafe user-supplied data, say through forms, which are very common in dynamic web pages. Similarly, a threat actor may execute an SQL injection attack by inserting an SQL query via the input data from the client to the application. Such exploits can read or modify the dynamic site’s database, execute administration operations on it, and in some cases issue commands to the operating system. All of these are real security challenges with dynamic web pages which cannot be adequately identified or addressed with automated testing or vulnerability scanning.

Conclusion

We hope we have adequately answered your question: what is a dynamic web page? Although useful, dynamic pages are not free of problems, particularly for testing. We have highlighted some of these challenges in this article.

Explore Packetlabs’ web application security testing service or click here to learn more about application security testing pricing [link to article]. To schedule application security testing for your organization, fill out this quick form, and an authorized Packetlabs representative will contact you within 24 hours.