EVALUATION OF AUTOMATED PENETRATION TESTING TOOLS FOR DETECTING WEB APP VULNERABILITIES BASED ON OWASP BENCHMARK

Authors
  • Nibras. A. Alkhaykanee

    Open Educational College, Al-Qadisiya Center, Al-Qadisiya, Iraq

    Author

Keywords:
Web-application penetration testing; vulnerability detection scanners; penetration testing tools; web application scanners.
Abstract

Web applications are currently among the most often used methods by businesses to engage with their clientele and offer their services. Those applications ought to be safe and compliant with security standards. It is the responsibility of penetration testers to ensure that there are no vulnerabilities that an attacker may exploit, delete, or expose data on the Internet. Thus, the most effective and straightforward method of web application penetration testing is to use automated vulnerability assessment tools; yet, there are advantages and disadvantages to employing these tools. Thus, using the incorrect tool could result in known, anticipated, or undetected vulnerabilities that could allow intrusions. In this study, we assess automated web penetration testing tools using the OWASP Benchmark for vulnerabilities. As an improvement for web penetration testers and penetration testers in the real world, this research employed comparative analysis of penetration testing tools for discovering web app vulnerabilities to assist the process of choosing the right tools based on penetration tester specifications. we performed two scanners, the results showed that OWASP ZAP scored the higher results than Wapiti3. The total amount of vulnerabilities that ZAP found is (11 high, 7 medium, 5 low level and 10 informational). OWASP ZAP covered the next categories: 54% command injection, 64% insecure cookie,11% path traversal, 52% sql injection, 69% cross-site scripting (XSS) and average score of this tool is 23%. Wapiti3 covered only following categories: 11% path traversal, 56% sql injection, 56% cross-site scripting (XSS) and 11% is average score of this tool.

References

[1] Mburano, Balume, and Weisheng Si. "Evaluation of web vulnerability scanners based on owasp benchmark." 2018 26th International Conference on Systems Engineering (ICSEng). IEEE, 2018. [2] Dalalana Bertoglio, Daniel, and Avelino Francisco Zorzo. "Overview and open issues on penetration test." Journal of the Brazilian Computer Society 23.1 (2017): 1-16. [3] Im, J.; Yoon, J.; Jin, M. Interaction Platform for Improving Detection Capability of Dynamic Application Security Testing. In Proceedings of the 14th International Joint Conference on e-Business and Telecommunications, Madrid, Spain, 26–28 July 2017;

pp. 474–479.

[4] Li, J. Vulnerabilities mapping based on OWASP-SANS: A survey for static application security testing (SAST). Ann. Emerg. Technol. Comput. (AETiC) 2020, 4, 1–8.

[5] E. T. İslam and B. Urgun, "WIVET—Benchmarking Coverage Qualities of Web Crawlers," The Computer Journal, vol. 60, no. 4, p. 555–572, March 2017.

[6] S. Chen, "WAVSEP – Web Application Vulnerability Scanner Evaluation Project," 10 November 2017. [Online]. Available: http://sectooladdict.blogspot.com/. [Accessed 12 November 2019].

[7] Mamilla, Sushmitha Reddy. "A Study of Penetration Testing Processes and Tools." (2021).

[8] P. Xiong and P. Liam, "A Model-Driven Penetration Test Framework for Web applications," in Eighth Annual International Conference on Privacy, Security and Trust, Ottawa, ON, Canada, 2010.

[9] Matthew Denis, Carlos Zena, and Thaier Hayajneh. Penetration testing: Concepts, attack methods, and defense strategies. In 2016 IEEE Long Island Systems, Applications and Technology Conference (LISAT), pages 1{6. IEEE, 2016.

[10] Morgan, Steve. "Global cybersecurity spending predicted to exceed $1 trillion from 2017-2021." Cybercrime Magazine 10 (2019). [11] Steve Morgan. Cybersecurity talent crunch to create 3.5 million unfilled jobs globally

by 2021. Cybercrime Magazine, 2019. [12] Mohamed C Ghanem and Thomas M Chen. Reinforcement learning for intelligent penetration testing. In 2018 Second World Conference on Smart Trends in Systems, Security and Sustainability (WorldS4), pages 185{192. IEEE, 2018. [[13] K. Shaukat, A. Faisal, R. Masood, A. Usman and U. Shaukat, "Security quality assurance through penetration testing," in 19th International Multi-Topic Conference (INMIC), Islamabad, Pakistan, 2016. [[14] Albahar, Marwan, Dhoha Alansari, and Anca Jurcut. "An empirical comparison of pen-testing tools for detecting web app vulnerabilities." Electronics 11.19 (2022): 2991. [15] Chu, Ge. Automation of Penetration Testing. The University of Liverpool (United Kingdom), 2021. [[16] Amankwah, Richard, et al. "An empirical comparison of commercial and open‐source web vulnerability scanners." Software: Practice and Experience 50.9 (2020): 1842-1857. [[17] Almaarif, Ahmad, and Muharman Lubis. "Vulnerability Assessment and Penetration Testing (VAPT) Framework: Case Study of Government’s Website." International Journal on Advanced Science Engineering and Information Technology 10.5 (2020): 1874-1880. [[18] Shah, Mandar Prashant. Comparative analysis of the automated penetration testing tools. Diss. Dublin, National College of Ireland, 2020. [[19] OWASP. OWASP Zed Attack Proxy Project. Available: https://www.zaproxy.org/getting-started/#security-testing-basics .

Downloads
Published
2026-06-09
Section
Articles
License
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to Cite

EVALUATION OF AUTOMATED PENETRATION TESTING TOOLS FOR DETECTING WEB APP VULNERABILITIES BASED ON OWASP BENCHMARK. (2026). Eureka Journal of Computing Science & Digital Innovation, 2(6), 29-55. https://eurekaoa.com/index.php/10/article/view/1310