Evaluation of Open Source Web Application Vulnerability Scanners


  • Himli S. Abdullah IT Department, Amedi Technical Institute, Duhok Polytechnic University, Kurdistan Region - Iraq




Keywords: Web Application Security, Open Web Application Security Project (OWASP), Vulnerability Scanner, Penetration Testing.


Nowadays, web applications are an essential part of our lives. People use them for information gathering, communication, e-commerce and a variety of other activities. Since they contain valuable and sensitive information, attacks against them have increased, aiming to find vulnerabilities and steal information. For this reason, it is essential to check web applications for vulnerabilities to ensure that they are secure. However, checking for vulnerabilities manually is a tedious and time-consuming job. Therefore, there is an exigent need for web application vulnerability scanners. In this study, we evaluate two open source web application vulnerability scanners, Paros and OWASP Zed Attack Proxy (OWASP ZAP), by testing them against two deliberately vulnerable web applications, buggy web application (bWAPP) and Damn Vulnerable Web Application (DVWA).







How to Cite

Abdullah, H. S. (2020). Evaluation of Open Source Web Application Vulnerability Scanners. Academic Journal of Nawroz University, 9(1), 47–52. https://doi.org/10.25007/ajnu.v9n1a532