Evaluating Web Application Vulnerability Scanners: Introducing the RD-Score for Comprehensive Performance Assessment

Rand Deeb

Abstract


Web application security is a critical aspect of modern internet services, as vulnerabilities can lead to data breaches, financial loss, and reputational damage. This study evaluates four prominent web application security tools (OWASP ZAP, BurpSuite Pro, Vega, and Wapiti) using the Damn Vulnerable Web Application (DVWA) as a testbed. We introduce a novel metric, the RD-Score, which combines detection accuracy and resource efficiency to provide a comprehensive assessment of each tool's performance. Our evaluation considers the number of HTTP requests sent during the scanning process, a crucial factor affecting scan duration, resource consumption, and network load. By normalizing HTTP request counts and integrating them with the F1 Score, the RD-Score offers a balanced measure of algorithmic efficiency and detection capability. The results indicate that BurpSuite Pro achieves the highest average RD-Score, demonstrating the best balance between accuracy and resource usage, followed by Vega, OWASP ZAP, and Wapiti. This study highlights the importance of considering both detection accuracy and resource efficiency when selecting web application security tools. The proposed RD-Score provides a robust metric for evaluating these tools, offering valuable insights for optimizing web application security. Future work should extend this evaluation to a broader range of tools and vulnerabilities, and explore real-world scenario testing to enhance the applicability of the findings.
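The abstract describes the two ingredients of the RD-Score, the F1 Score of a scanner's findings against a known ground truth and a normalized count of the HTTP requests it sent, but this page does not give the formula that combines them. The following is an added example, not code or data from the paper, showing how such a benchmark is computed end to end: F1 from true/false positives and false negatives, min-max normalization of request counts across the tools under comparison, and a ranking. The combination step (harmonic mean of F1 and one minus the normalized request count) and the scanner results are my own constructed assumptions for illustration; the placeholder tool names are not the tools evaluated in the paper.

```python
from dataclasses import dataclass


@dataclass
class ScanResult:
    """One scanner's outcome against a testbed with known vulnerabilities.
    tp/fp/fn are counted by matching reported findings to the ground truth."""
    tool: str
    tp: int        # vulnerabilities correctly reported
    fp: int        # findings that are not real vulnerabilities
    fn: int        # known vulnerabilities the scanner missed
    requests: int  # HTTP requests sent during the scan


def f1_score(tp: int, fp: int, fn: int) -> float:
    """Harmonic mean of precision and recall; 0.0 when nothing was found."""
    if tp == 0:
        return 0.0
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def normalize_requests(requests: int, all_requests: list[int]) -> float:
    """Min-max normalization across the compared tools: 0.0 for the
    least chatty scanner, 1.0 for the one that sent the most requests."""
    lo, hi = min(all_requests), max(all_requests)
    if hi == lo:
        return 0.0
    return (requests - lo) / (hi - lo)


def rd_score_illustrative(f1: float, norm_requests: float) -> float:
    """ASSUMED combination rule (not the paper's definition): harmonic mean of
    detection quality (F1) and request efficiency (1 - normalized requests),
    so a tool scores well only when it is both accurate and frugal."""
    efficiency = 1.0 - norm_requests
    if f1 + efficiency == 0:
        return 0.0
    return 2 * f1 * efficiency / (f1 + efficiency)


def rank_tools(results: list[ScanResult]) -> list[tuple[str, float, float, float]]:
    """Return (tool, f1, normalized_requests, score) sorted by score, best first."""
    counts = [r.requests for r in results]
    rows = []
    for r in results:
        f1 = f1_score(r.tp, r.fp, r.fn)
        nr = normalize_requests(r.requests, counts)
        rows.append((r.tool, f1, nr, rd_score_illustrative(f1, nr)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample data (placeholder tools, not measured results).
SAMPLE_RESULTS = [
    ScanResult("scanner_A", tp=8, fp=2, fn=2, requests=4000),
    ScanResult("scanner_B", tp=6, fp=1, fn=4, requests=1000),
    ScanResult("scanner_C", tp=9, fp=5, fn=1, requests=10000),
    ScanResult("scanner_D", tp=0, fp=3, fn=10, requests=500),
]

if __name__ == "__main__":
    for tool, f1, nr, score in rank_tools(SAMPLE_RESULTS):
        print(f"{tool:10s} F1={f1:.3f} norm_req={nr:.3f} score={score:.3f}")
```

In the constructed data, scanner_C has the best recall but the highest request volume and scanner_D the lowest request volume but no true positives, so both fall to the bottom under a metric that rewards the balance rather than either extreme; scanner_B, with moderate F1 and few requests, ranks first. Whatever combination rule is used, normalizing request counts relative to the set of tools being compared means a score is only meaningful within that comparison.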





ISSN: 2307-8162