
By: Joel Scambray

If you are really interested in finding security issues with web apps, you shouldn’t be forcing that feature out of a performance product. That is silly.

Detecting the issues discussed here and the dozens that were not mentioned (XSS, SQLi, blind SQLi, remote file include, local file include, CSRF, response splitting, session hijacking, session fixation, resource enumeration, etc.) is not trivial, and there exists an entire class of programs which analyze source code, object code, or executing programs specifically for these programs. Better yet, specialized tools will do a much better job reducing false positives (very common in code analysis tools) and false negatives.

Take a look at tools like Fortify, Veracode, Ounce Labs, or Armorize.

While this article shows you *can* (sort of) find security issues with dynatrace, it would be disingenuous to present this as a realistic practice that QA should spend its time using.



This post first appeared on Ne Of The Most Important Features Of An Application, please read the original post: here
