
Vulnerability Management in Web Applications

R. Thenmozhi, M. Priyadharshini, V. VidhyaLakshmi, K. Abirami

Abstract


Web applications consist of several different, interacting technologies, and the interactions between those technologies can cause serious security problems. As organizations take their businesses online, they make their systems accessible to the world. They may have a firewall in place, and their web server may even run an up-to-date version of its software, but that is not enough to protect their resources. Web applications have become an integral part of daily life. Recent studies show that more than fifty percent of the cost of software development is spent on testing, yet web applications are still not free of critical issues. Vulnerabilities have more critical consequences in web applications than elsewhere, and various research efforts have addressed their major impact. At present, web applications are tested with minimal parameters. The main objective of the proposed work is to reduce the time consumed and the high cost of software testing. This paper also describes other possible vulnerabilities and their control measures. Using static analysis, the critical vulnerabilities are analyzed to find where the issues arise in web applications. The critical vulnerabilities considered are empty catch blocks, passwords stored in a recoverable (encrypted) format, execution failure due to uncaught exceptions, and redirection based on parameter values (open redirect). Depending on the severity of the issues, the vulnerabilities are classified and solutions are given.
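As an added illustration of the static-analysis approach the abstract describes (this is not code from the paper or its authors), the following AST checker flags three of the named vulnerability classes in a constructed Flask-style handler. It assumes Flask's `request` and `redirect` names and uses deliberately simple heuristics.

```python
import ast

# Constructed sample of a Flask-style login handler; it is only parsed, never
# executed, so the undefined lookup() helper is harmless. Not from the paper.
SAMPLE = '''
import base64
from flask import request, redirect

def login():
    try:
        user = lookup(request.form["user"])
    except Exception:
        pass
    stored = base64.b64encode(request.form["password"])
    return redirect(request.args.get("next"))
'''

def uses_request(node):
    """True if the expression subtree reads from the (assumed Flask) request object."""
    return any(isinstance(n, ast.Name) and n.id == "request"
               for n in ast.walk(node))

def call_name(node):
    """Dotted name of a call target, e.g. 'base64.b64encode'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def analyze(source):
    """Return sorted (line, finding) pairs for the vulnerability classes named in
    the abstract that can be recognised from the syntax tree alone."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Empty catch block: a handler whose body only swallows the error.
        if isinstance(node, ast.ExceptHandler) and all(
                isinstance(s, ast.Pass) for s in node.body):
            findings.append((node.lineno, "empty catch block"))
        elif isinstance(node, ast.Call):
            name = call_name(node.func)
            # Open redirect: redirect target taken straight from the request.
            if name == "redirect" and node.args and uses_request(node.args[0]):
                findings.append((node.lineno, "open redirect"))
            # Recoverable password storage: reversible encoding/encryption of a password.
            if name == "base64.b64encode" or name.endswith(".encrypt"):
                if any("password" in ast.unparse(a) for a in node.args):
                    findings.append((node.lineno, "recoverable password storage"))
    return sorted(findings)
```

Running `analyze(SAMPLE)` reports the empty handler, the reversible password encoding and the request-controlled redirect with their line numbers; uncaught exceptions, the fourth class in the abstract, need control-flow analysis and are not covered here.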


Keywords


Cross-site scripting (XSS), Empty Catch Block, Open Redirect, SQL Injection, Storing Passwords in a Recoverable Format, Uncaught Exception.



This work is licensed under a Creative Commons Attribution 3.0 License.