SYSTEMATISATION AND COMPARATIVE ANALYSIS OF AUTOMATED PENETRATION TESTING TOOLS FOR WEB APPLICATIONS
DOI: https://doi.org/10.28925/2663-4023.2025.31.1068
Keywords: penetration testing; vulnerability; automated security scanning; OWASP ZAP; Nuclei; sqlmap; systematisation; comparative analysis; information security.
Abstract
The article examines modern approaches to automating penetration testing of web applications. The growing number and complexity of web threats, together with limited resources for manual testing, create a critical need for the effective use of automated testing tools. However, the diversity of architectures, operating principles, and functional capabilities of existing pentesting tools makes informed selection and effective combination difficult. The purpose of the article is to systematise the main open-source tools and conduct a comparative analysis based on a set of developed criteria. The paper proposes classifying tools into four categories: proxy-based active scanners (e.g., OWASP ZAP), template-based scanners (Nuclei), specialised exploitation tools (sqlmap), and fuzzers/parameter scanners (ffuf). For the comparative analysis, a system of criteria was defined covering functional (OWASP Top-10 coverage, support for modern technologies), operational (integration into CI/CD, usability) and technical (licence, development activity) aspects. Based on these criteria, the tools representing each category were analysed. The results of the study showed that no tool is universal, and effectiveness depends on the specifics of the task. It was found that OWASP ZAP is the most universal for in-depth analysis, Nuclei is the fastest for scalable scanning, and ffuf is the most effective for reconnaissance. The key conclusion is a recommendation to combine the tools synergistically in a single workflow for maximum coverage of the testing phases, from reconnaissance to deep exploitation. The results obtained form the theoretical basis for the informed selection of tools and the construction of effective automated security testing processes within DevSecOps approaches.
License
Copyright (c) 2025 Анастасія Толкачова

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.