Testing of web applications for common vulnerabilities still represents a major challenge in the area of security testing. The objective here is not necessarily to find new vulnerabilities but to ensure that the web application handles well-known attack patterns in a reliable way. Previously developed methods based on model-based testing contribute to the underlying challenge. The author introduces two approaches that rely on different methods, namely model-based security testing, combinatorial testing and planning. The corresponding implementations combine these elements into testing frameworks for testing of web applications for vulnerabilities.