Most modern web applications are a collection of both static and dynamic web pages.
A static website contains simple HTML pages and supporting files (e.g., Cascading Style Sheets (CSS), JavaScript (JS)) hosted on a web server. When a site visitor requests a static page, say, by clicking a link, selecting a browser bookmark, or entering a URL, the web server sends the page directly to the web browser without modifying the final content of the page.
A dynamic page displays different content for different users while retaining the same layout and design. Such pages, usually written in CGI, AJAX, ASP or ASP.NET, take more time to load than simple static pages. They’re commonly used to show information that changes often, e.g., weather updates or stock prices.
Dynamic pages usually contain application programs for different services and require server-side resources like databases. A database allows the page creator to separate the website’s design from the content to be displayed to users. Once the creator uploads content into the database, the website retrieves it in response to a user request.
Client-side Scripting: A web page that changes in response to an action within it (“client-side event”) uses client-side scripting. These scripts generate “client-side content” on the user’s computer, rather than the web server.
Server-side Scripting: A web page that changes when it’s loaded or visited, or based on what’s submitted to it, uses server-side scripting. When the pages are loaded, server-side content is generated. Examples include login pages, shopping carts and submission forms.
When the web server receives a user request for a dynamic page, it does not send the page directly to the requesting browser as it would do with a static page. Instead, it passes the page to the application server which then completes three activities:
Read the code on the page
Finish the page according to the code’s instructions
Remove the code from the page
This results in a static page that’s passed back to the web server by the application server, and then to the requesting browser for display.
The application server cannot communicate directly with the database, so it requires a database driver that functions as an interpreter and lets the application read and manipulate data that would otherwise be indecipherable.
Although dynamic web pages are useful for many types of websites, they can cause difficulties for application security testing teams.
For one, developers struggle to find a consistent form of communication with the different system components, which makes it difficult to do automated testing. This results in extra manual effort, and extra costs in tester resources.
Next, since the client and server are closely coupled, it’s difficult to develop, test and deploy them independently. This also poses another issue: more code in one place, which means more clutter, and a higher risk of “spaghetti code”, i.e., code that’s unstructured, convoluted, and difficult to maintain. Furthermore, since server programming and client programming require different approaches, several developers end up working on one codebase, which leads to chaos, not only during development but also during testing.
Finally, dynamic web pages require more in-depth fuzzing and manual testing to understand how untrusted user inputs can enable unauthorized access and affect back-end operations. For example, a bad actor may carry out a command injection attack to execute arbitrary commands on the host operating system via a vulnerable web application. Such attacks are possible when the application passes unsafe user-supplied data, say from forms (which are very common in dynamic web pages), on to the operating system. Similarly, a threat actor may carry out an SQL injection attack by inserting an SQL query via the input data sent from the client to the application. Such exploits can read or modify the dynamic site’s database, execute administration operations on it, and in some cases issue commands to the operating system. All of these are real security challenges with dynamic web pages which cannot be adequately identified or addressed with automated testing or vulnerability scanning alone.
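To make the SQL injection risk described above concrete, here is an added example (not code from the original article or from Packetlabs) of a dynamic page's database lookup written two ways: one that splices form input into the query text, and one that passes it as a bound parameter so the driver never treats it as SQL. The table, rows and inputs are constructed for the demonstration; the same principle of keeping data separate from instructions is what prevents command injection when a page invokes the operating system.

```python
import sqlite3

# Constructed sample data standing in for the dynamic site's database.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_email_vulnerable(conn, name):
    """Builds the query by string concatenation, so form input becomes SQL syntax."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    """Parameterised query: the driver sends the value separately from the SQL text."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def contains_sql_metacharacters(value):
    """Cheap input check, useful as a logging/detection signal but not as the fix."""
    return any(token in value for token in ("'", "--", ";", "/*"))


if __name__ == "__main__":
    db = make_db()
    expected_input = "alice"        # what the form is designed to receive
    hostile_input = "x' OR '1'='1"  # constructed input that turns the WHERE clause into a tautology
    print(find_email_vulnerable(db, expected_input))  # ['alice@example.com']
    print(find_email_vulnerable(db, hostile_input))   # every row in the table leaks
    print(find_email_safe(db, hostile_input))         # [] because the value is matched literally
    print(contains_sql_metacharacters(hostile_input))  # True, worth logging at the web tier
```

Run against an automated scanner, only the first function would typically be flagged if the scanner happens to exercise that exact form field, which is why the article's point about manual testing stands.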
We hope we have adequately answered your question: what is a dynamic web page? Although useful, dynamic pages are not free of problems, particularly for testing. We have highlighted some of these challenges in this article.
© 2024 Packetlabs. All rights reserved.