Abstract: Various examples are directed to systems and methods for detecting vulnerabilities in a web application. A testing utility may direct a plurality of request messages to a web application. The testing utility may be executed at a first computing device and the web application may be executed at a second computing device. The testing utility may determine that a first request message of the plurality of test messages describes a state changing request. The determining may be based at least in part on the first request message and a first response message generated by the web application in response to the first request message. The testing utility may generate a first tampered request message based at least in part on the first request message and direct the first tampered request message to the web application.

Abstract: Various examples are directed to systems and methods for detecting vulnerabilities in a web application. A testing utility may direct a plurality of request messages to a web application. The testing utility may be executed at a first computing device and the web application may be executed at a second computing device. The testing utility may determine that a first request message of the plurality of test messages describes a state changing request. The determining may be based at least in part on the first request message and a first response message generated by the web application in response to the first request message. The testing utility may generate a first tampered request message based at least in part on the first request message and direct the first tampered request message to the web application.