What is a dynamic web page for VAPT

This article explains the difference between a static and a dynamic web page, mainly from a vulnerability assessment and penetration testing (VAPT) perspective.

From a vulnerability assessment perspective, dynamic pages are of two types. In the first type, the user needs to log in, fill in some data and submit it to the server. In the second type, the user may not be required to log in, but the page still accepts data that is sent to the backend server.

This holds irrespective of the backend programming platform that is used, for example .NET, Java or Node.js. This is because a VAPT takes a hacker's approach, performing attacks via what is seen in the browser. Any page that has some element to accept data from the user is a dynamic page. To illustrate further, a page that has HTML forms, input fields or even simple query string parameters that can be manipulated is to be treated as a dynamic page.

Dynamic pages usually contain application programs for different services and require server-side resources like databases. A database allows the page creator to separate the website’s design from the content to be displayed to users. Once they upload content into the database, it is retrieved by the website in response to a user request.

Any page that is generated from varying data obtained from backend data or from a content management system is an example of a dynamic page.

To put it another way, a static page is one that is pure HTML and has multiple web links but no forms or web elements that accept user input or can be manipulated. This is the main difference between static and dynamic pages.
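
The definition above can be applied mechanically when scoping an assessment. The following Python sketch is an added example, not part of the original article: it marks a page as dynamic if its HTML contains forms or input fields, or if its URL carries query string parameters, and as static otherwise. The names classify and InputSurfaceParser and the sample pages are hypothetical and constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Elements that accept user data, per the article's definition.
INPUT_TAGS = {"input", "textarea", "select"}

class InputSurfaceParser(HTMLParser):
    """Collects the forms and input fields present in one page's HTML."""
    def __init__(self):
        super().__init__()
        self.forms = []   # (method, action) per <form>
        self.fields = []  # (tag, type, name) per input element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))
        elif tag in INPUT_TAGS:
            # Hidden fields count too: they are sent to the server and can be changed.
            self.fields.append((tag, (a.get("type") or "").lower(), a.get("name") or ""))

def classify(url, html):
    """Return ("dynamic" or "static", evidence) for a page as seen in the browser."""
    parser = InputSurfaceParser()
    parser.feed(html)
    params = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    evidence = {"forms": parser.forms, "fields": parser.fields, "url_params": params}
    return ("dynamic" if any(evidence.values()) else "static"), evidence

# Constructed sample pages (not taken from any real site).
STATIC_HTML = '<html><body><h1>About</h1><a href="/team.html">Team</a></body></html>'
FORM_HTML = ('<form method="POST" action="/feedback"><input type="hidden" name="ref" value="1">'
             '<textarea name="comment"></textarea><input type="submit"></form>')

if __name__ == "__main__":
    for url, html in [("https://example.test/about.html", STATIC_HTML),
                      ("https://example.test/feedback", FORM_HTML),
                      ("https://example.test/item?id=7", STATIC_HTML)]:
        verdict, evidence = classify(url, html)
        print(f"{verdict:8} {url} {evidence}")
```

The third sample shows that the same pure-HTML markup is still treated as dynamic once the URL carries a query string parameter.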