To provide API call information for dynamic analysis of a web application, the method extracts the identification (ID) of a thread that calls an application programming interface (API) in response to a user's request, executes a method of that thread that includes tracking code in response to the user's request, and, according to the tracking code, extracts API call information from the HTTP request object that is the first argument of the method. According to the present invention, because the request and response information is analyzed together with the API call information during dynamic analysis of the web application, a vulnerability caused by SQL injection or operating system command injection that previously went undetected can be detected.
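The correlation described above, sketched as an added example that is not taken from the patent: tracking code on a handler records the HTTP request (its first argument) under the calling thread's ID, and each traced API call is joined to that request by thread ID. All names, the sample requests and the verbatim-substring check are assumptions made for illustration.

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from functools import wraps

_active = {}     # thread ID -> HTTP request being handled on that thread
_api_calls = []  # (thread ID, API name, argument, request) per traced call

def trace_handler(method):
    """Tracking code for a handler whose first argument is the HTTP request."""
    @wraps(method)
    def wrapper(request, *args, **kwargs):
        tid = threading.get_ident()
        _active[tid] = request
        try:
            return method(request, *args, **kwargs)
        finally:
            _active.pop(tid, None)  # thread IDs get reused; drop the stale entry
    return wrapper

def traced_api(name, arg):
    """Stand-in for an instrumented sensitive API: records the call, runs nothing."""
    tid = threading.get_ident()
    _api_calls.append((tid, name, arg, _active.get(tid)))

@trace_handler
def lookup_user(request):   # constructed handler: concatenates input into SQL
    traced_api("sql.execute",
               "SELECT * FROM users WHERE name = '" + request["params"]["name"] + "'")

@trace_handler
def list_users(request):    # constructed handler: constant query
    traced_api("sql.execute", "SELECT name FROM users")

def findings():
    """Flag request parameters that appear verbatim in a traced API argument."""
    out = []
    for _tid, api, arg, req in _api_calls:
        for key, value in (req or {}).get("params", {}).items():
            if value and value in arg:
                out.append((req["path"], key, api))
    return out

def run_sample():
    _api_calls.clear()
    jobs = [(lookup_user, {"path": "/user", "params": {"name": "alice"}}),
            (list_users, {"path": "/users", "params": {"page": "1"}})]  # constructed
    with ThreadPoolExecutor(max_workers=2) as pool:
        list(pool.map(lambda job: job[0](job[1]), jobs))
    return findings()
```

Only the handler that builds its query from the request parameter is reported; the constant-query handler produces a traced call but no finding.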