Security Testing of Web Applications: A Research Plan