In order to realize that, we used the framework WebScarab2 for the interpretation of the communication between the client and a web application but we have also submitted attacks manually, so according the observed rules we specified state machine in the first place.