An approach to website vulnerability detection based on static and dynamic analysis
Abstract
This paper proposes an approach to automated website vulnerability detection based on the combination of static and dynamic analysis within a modular scanner architecture. The motivation for this study arises from the growing number of parameterized URLs in modern web applications and, as a consequence, redundant crawling and the high cost of multi-variant testing under limited time and resource budgets in DevSecOps/CI/CD scenarios. The proposed approach is built on a two-stage pipeline: preliminary static analysis of a web resource, which includes sitemap construction by a crawler with depth control, extraction of endpoints, parameters, and input forms, as well as URL template normalization through the generalization of dynamic identifiers; and dynamic vulnerability testing of the normalized set of test points with parallel execution of isolated checks and aggregation of results into machine-readable formats. Quality and performance evaluation metrics are proposed, including precision/recall, the request reduction ratio, and throughput, which enable quantitative assessment of the impact of preliminary normalization and the efficiency of multithreaded processing. The implementation is realized as a Java-based CLI utility with a plugin-based testing model, facilitating extensibility for new vulnerability classes without modification of the core system. Experimental validation was conducted using the benchmark vulnerable applications OWASP Juice Shop and OWASP WebGoat, as well as proprietary projects; the results demonstrate a significant reduction in crawler execution time and the achievement of acceptable throughput depending on deployment conditions. The obtained results confirm the effectiveness of combining static structuring of the search space with targeted dynamic checks to improve the scalability and reproducibility of web security analysis.
Problems in programming 2025; 4: 41-52
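The URL template normalization and request reduction ratio described in the abstract, as an added illustration (not the paper's Java implementation): crawled URLs are mapped to templates by generalizing numeric, UUID and long-hex path segments and by keeping query parameter names but not values, so that each template becomes one test point. The placeholder names, the regular expressions, the sample crawl output and the definition of the reduction ratio as the share of raw URLs eliminated are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Patterns for dynamic identifiers in path segments (assumed for this example).
NUM_RE = re.compile(r"^\d+$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]{16,}$", re.I)

def generalize_segment(seg: str) -> str:
    """Replace a path segment that looks like a dynamic identifier with a placeholder."""
    if NUM_RE.match(seg):
        return "{id}"
    if UUID_RE.match(seg):
        return "{uuid}"
    if HEX_RE.match(seg):
        return "{hash}"
    return seg

def normalize_url(url: str) -> str:
    """Map a concrete URL to its template: ids generalized, query values dropped, keys sorted."""
    parts = urlsplit(url)
    path = "/".join(generalize_segment(s) for s in parts.path.split("/"))
    keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = "&".join(f"{k}={{{k}}}" for k in keys)  # e.g. page={page}
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, query, ""))

def build_test_points(urls):
    """Collapse crawled URLs into templates, keeping the first concrete URL seen per template."""
    templates = {}
    for u in urls:
        templates.setdefault(normalize_url(u), u)
    return templates

def request_reduction_ratio(raw_count: int, normalized_count: int) -> float:
    """Share of raw test points eliminated by normalization (assumed definition)."""
    if raw_count == 0:
        return 0.0
    return 1.0 - normalized_count / raw_count

CRAWLED = [  # constructed sample crawler output, not real scan data
    "https://shop.example/rest/products/1/reviews",
    "https://shop.example/rest/products/2/reviews",
    "https://shop.example/rest/products/37/reviews",
    "https://shop.example/api/Feedbacks/?page=1&size=10",
    "https://shop.example/api/Feedbacks/?size=10&page=2",
    "https://shop.example/profile/3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "https://shop.example/ftp/quarantine/a1b2c3d4e5f60718a1b2c3d4e5f60718",
    "https://shop.example/rest/products/search?q=apple",
    "https://shop.example/rest/products/search?q=juice",
]

if __name__ == "__main__":
    points = build_test_points(CRAWLED)
    print("\n".join(points), "\nreduction:", request_reduction_ratio(len(CRAWLED), len(points)))
```

On the constructed crawl above, nine URLs collapse to five templates, so the dynamic stage issues its checks against five test points instead of nine.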