Is Cymulate Capable of Web Application Vulnerability Assessment?

  • 20 March 2023
  • 2 replies


Hi All, I would like to know if Cymulate has any module which is having the feature of dynamic web application assesment and penetration testing?

2 replies

Userlevel 5
Badge +3

Hello Subhashisb,
We have two core capabilities related to web application assessment and penetration testing.
The first is our WAF module, where we crawl the target website and launch non-detructive attacks relevant to the target URL and whether they accept inputs or not. The objective of which is to validate the level of protection your WAF is providing. The attacks are malicious behaviors that have been used in real attacks or developed in house and map to OWASP.
The second is our ASM module that performs recon. Among other things it discovers and analyzes internet facing digital assets such as web applications. Part of the analysis includes vulnerability detections.
Combined these two modules will find vulnerabilities and assess WAF security control protections.
I hope this helps.


Hello idant,


I appreciate your reply. In order to identify the application-specific vulnerabilities, we need a solution that will actually scan the web application from top to bottom.

I am aware of what your WAF assessment and ASM module offer. But we need a tool that can examine all the parameters, query strings, and headers in every HTTP request to look for weaknesses in a dynamic web application. It needs to be AI-enabled otherwise it won't be able to decide which specific input values should be provided in the request body parameters and search through the entire application to find all the second-order URLs (URLs that require custom input to reach other URLs). Tell me if your Cymulate tool is capable, please.

I want a tool that will allow me to scan dynamic web applications without having to exert any manual tasks. I'll just enter the base URL and authentication in the scanner. Every dynamic page in my application should be thoroughly scanned to find any OWASP Top 10 vulnerabilities by testing every parameters, query strings, URLs etc. and it will browse through the entire web application to identify all the inputs required to obtain the desired results from the server. I'm not keen on assessing my WAF configuration.