Abstract: Disclosed is an operation method for a dynamic analyzer for analyzing an execution state of a web application. The present invention comprises the steps of: analyzing an execution state of the web application on the basis of a final attack string including a parameter which indicates a particular operation to be executed through the web application; and performing an analysis of the execution state of the web application, wherein the final attack string is generated so as to avoid filtering logic which is designed to filter a raw attack string including a predefined parameter. Therefore, the present invention can detect a security vulnerability, which cannot be detected by the existing dynamic analyzer, through easy generation of a final attack string capable of bypassing filtering.

Abstract: Disclosed is an operation method for a dynamic analyzer for analyzing an execution state of a web application. The present invention comprises the steps of: analyzing an execution state of the web application on the basis of a final attack string including a parameter which indicates a particular operation to be executed through the web application; and performing an analysis of the execution state of the web application, wherein the final attack string is generated so as to avoid filtering logic which is designed to filter a raw attack string including a predefined parameter. Therefore, the present invention can detect a security vulnerability, which cannot be detected by the existing dynamic analyzer, through easy generation of a final attack string capable of bypassing filtering.

Abstract: Disclosed is an application program analysis apparatus comprising a first analyzer performing a dynamic analysis on an application program and extracting a method call graph, a model-view-controller (MVC) information extractor extracting MVC information from the method call graph, and a second analyzer generating an extended call graph by extending the method call graph based on the MVC information, the extended call graph being applied to an analysis of a source code of the application program. Using the application program analysis apparatus, it is made possible to analyze an application program using an MVC pattern, which has been difficult to analyze through the conventional static analysis, thereby complementing the security vulnerability of the static analysis.