Web applications are becoming widespread in many corporations, replacing almost all classical applications. These applications may contain vulnerabilities at different levels, depending on the maturity of the application development lifecycle. The risk is especially serious for applications that are open to the internet. The attack surface is very wide because threats target both the application's users and the application itself. Many automated tools test web applications. These tools succeed in detecting some general vulnerabilities, but they fall short in evaluating findings correctly, detecting business logic errors, and detecting complex vulnerabilities. Security tests are carried out following specific methodologies, using the methods attackers use to exploit web application vulnerabilities.