{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T17:28:53Z","timestamp":1777570133487,"version":"3.51.4"},"reference-count":43,"publisher":"MDPI AG","issue":"11","license":[{"start":{"date-parts":[[2023,11,15]],"date-time":"2023-11-15T00:00:00Z","timestamp":1700006400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Glasgow Caledonian University"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"<jats:p>Penetration testers have increasingly adopted multiple penetration testing scanners to ensure the robustness of web applications. However, a notable limitation of many scanning techniques is their susceptibility to producing false positives. This paper presents a novel framework designed to automate the operation of multiple Web Application Vulnerability Scanners (WAVS) within a single platform. The framework generates a combined vulnerabilities report using two algorithms: an automation algorithm and a novel combination algorithm that produces comprehensive lists of detected vulnerabilities. The framework leverages the capabilities of two web vulnerability scanners, Arachni and OWASP ZAP. The study begins with an extensive review of the existing scientific literature, focusing on open-source WAVS and exploring the OWASP 2021 guidelines. Following this, the framework development phase addresses the challenge of varying results obtained from different WAVS. This framework\u2019s core objective is to combine the results of multiple WAVS into a consolidated vulnerability report, ultimately improving detection rates and overall security. The study demonstrates that the combined outcomes produced by the proposed framework exhibit greater accuracy compared to individual scanning results obtained from Arachni and OWASP ZAP. 
In summary, the study reveals that the Union List outperforms individual scanners, particularly regarding recall and F-measure. Consequently, adopting multiple vulnerability scanners is recommended as an effective strategy to bolster vulnerability detection in web applications.<\/jats:p>","DOI":"10.3390\/computers12110235","type":"journal-article","created":{"date-parts":[[2023,11,15]],"date-time":"2023-11-15T10:57:46Z","timestamp":1700045866000},"page":"235","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":28,"title":["Enhancing Web Application Security through Automated Penetration Testing with Multiple Vulnerability Scanners"],"prefix":"10.3390","volume":"12","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-1220-2021","authenticated-orcid":false,"given":"Khaled","family":"Abdulghaffar","sequence":"first","affiliation":[{"name":"Department of Cyber Security and Networks, Glasgow Caledonian University, Glasgow G4 0BA, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4267-8798","authenticated-orcid":false,"given":"Nebrase","family":"Elmrabit","sequence":"additional","affiliation":[{"name":"Department of Cyber Security and Networks, Glasgow Caledonian University, Glasgow G4 0BA, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0832-650X","authenticated-orcid":false,"given":"Mehdi","family":"Yousefi","sequence":"additional","affiliation":[{"name":"School of Computing and Digital Technology, Birmingham City University, Birmingham B4 7XG, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2023,11,15]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Altulaihan, E.A., Alismail, A., and Frikha, M. (2023). A Survey on Web Application Penetration Testing. 
Electronics, 12.","DOI":"10.3390\/electronics12051229"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1080\/19393555.2020.1853855","article-title":"A systematic review and taxonomy of web applications threats","volume":"31","author":"Sadqi","year":"2022","journal-title":"Inf. Secur. J. Glob. Perspect."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Trickel, E., Pagani, F., Zhu, C., Dresel, L., Vigna, G., Kruegel, C., Wang, R., Bao, T., Shoshitaishvili, Y., and Doup\u00e9, A. (2023, January 21\u201325). Toss a Fault to Your Witcher: Applying Grey-box Coverage-Guided Mutational Fuzzing to Detect SQL and Command Injection Vulnerabilities. Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP46215.2023.10179317"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"160","DOI":"10.1016\/j.infsof.2016.02.005","article-title":"Securing web applications from injection and logic vulnerabilities: Approaches and challenges","volume":"74","author":"Deepa","year":"2016","journal-title":"Inf. Softw. Technol."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Alhamed, M., and Rahman, M.M.H. (2023). A Systematic Literature Review on Penetration Testing in Networks: Future Research Directions. Appl. Sci., 13.","DOI":"10.3390\/app13126986"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Mburano, B., and Si, W. (2018, January 18\u201320). Evaluation of Web Vulnerability Scanners Based on OWASP Benchmark. Proceedings of the 2018 26th International Conference on Systems Engineering (ICSEng), Sydney, Australia.","DOI":"10.1109\/ICSENG.2018.8638176"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Makino, Y., and Klyuev, V. (2015, January 24\u201326). Evaluation of web vulnerability scanners. 
Proceedings of the 2015 IEEE 8th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), Warsaw, Poland.","DOI":"10.1109\/IDAACS.2015.7340766"},{"key":"ref_8","first-page":"11068","article-title":"Performance evaluation of web application security scanners for prevention and protection against vulnerabilities","volume":"12","author":"Idrissi","year":"2017","journal-title":"Int. J. Appl. Eng. Res."},{"key":"ref_9","first-page":"4179","article-title":"Effectiveness of Web Application Security Scanners at Detecting Vulnerabilities behind AJAX\/JSON","volume":"4","author":"Kagorora","year":"2015","journal-title":"Int. J. Innov. Res. Sci. Eng. Technol."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Singh, N., Meherhomji, V., and Chandavarkar, B.R. (2020, January 1\u20133). Automated versus Manual Approach of Web Application Penetration Testing. Proceedings of the 2020 11th International Conference on Computing, Communication and Networking Technologies (ICCCNT), Kharagpur, India.","DOI":"10.1109\/ICCCNT49239.2020.9225385"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Hu, Z., Beuran, R., and Tan, Y. (2020, January 7\u201311). Automated Penetration Testing Using Deep Reinforcement Learning. Proceedings of the 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Genoa, Italy.","DOI":"10.1109\/EuroSPW51379.2020.00010"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Hance, J., Milbrath, J., Ross, N., and Straub, J. (2022). Distributed Attack Deployment Capability for Modern Automated Penetration Testing. Computers, 11.","DOI":"10.3390\/computers11030033"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Elmrabit, N., Zhou, F., Li, F., and Zhou, H. (2020, January 15\u201319). Evaluation of Machine Learning Algorithms for Anomaly Detection. 
Proceedings of the 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), Dublin, Ireland.","DOI":"10.1109\/CyberSecurity49315.2020.9138871"},{"key":"ref_14","unstructured":"Qiu, X., Wang, S., Jia, Q., Xia, C., and Xia, Q. (2014, January 20\u201322). An automated method of penetration testing. Proceedings of the 2014 IEEE Computers, Communications and IT Applications Conference, Beijing, China."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"103270","DOI":"10.1016\/j.jnca.2021.103270","article-title":"An enhanced deep learning based framework for web attacks detection, mitigation and attacker profiling","volume":"198","author":"Shahid","year":"2022","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Lala, S.K., Kumar, A., and Subbulakshmi, T. (2021, January 6\u20138). Secure Web development using OWASP Guidelines. Proceedings of the 2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS), Madurai, India.","DOI":"10.1109\/ICICCS51141.2021.9432179"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Schutt, K., and Balci, O. (2016, January 8\u201310). Cloud software development platforms: A comparative overview. Proceedings of the 2016 IEEE 14th International Conference on Software Engineering Research, Management and Applications (SERA), Towson, MD, USA.","DOI":"10.1109\/SERA.2016.7516122"},{"key":"ref_18","unstructured":"(2023, August 31). Stack Overflow Developer Survey. Available online: https:\/\/insights.stackoverflow.com\/survey\/2021#most-popular-technologies-language."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Shahid, J., Hameed, M.K., Javed, I.T., Qureshi, K.N., Ali, M., and Crespi, N. (2022). A Comparative Study of Web Application Security Parameters: Current Trends and Future Directions. Appl. 
Sci., 12.","DOI":"10.3390\/app12084077"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Mateo Tudela, F., Bermejo Higuera, J.R., Bermejo Higuera, J., Sicilia Montalvo, J.A., and Argyros, M.I. (2020). On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications. Appl. Sci., 10.","DOI":"10.3390\/app10249119"},{"key":"ref_21","unstructured":"Antonelli, D., Cascella, R., Perrone, G., Romano, S.P., and Schiano, A. (2021). Leveraging AI to optimize website structure discovery during Penetration Testing. arXiv."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Kiruba, B., Saravanan, V., Vasanth, T., and Yogeshwar, B.K. (2022, January 17\u201319). OWASP Attack Prevention. Proceedings of the 2022 3rd International Conference on Electronics and Sustainable Communication Systems (ICESC), Coimbatore, India.","DOI":"10.1109\/ICESC54411.2022.9885691"},{"key":"ref_23","unstructured":"(2023, August 31). OWASP Foundation Top Ten Project. Available online: https:\/\/owasp.org\/www-project-top-ten\/."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Zaitseva, E., Hovorushchenko, T., Pavlova, O., and Voichur, Y. (2023). Identifying the Mutual Correlations and Evaluating the Weights of Factors and Consequences of Mobile Application Insecurity. Systems, 11.","DOI":"10.3390\/systems11050242"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Alsaffar, M., Aljaloud, S., Mohammed, B.A., Al-Mekhlafi, Z.G., Almurayziq, T.S., Alshammari, G., and Alshammari, A. (2022). Detection of Web Cross-Site Scripting (XSS) Attacks. Electronics, 11.","DOI":"10.3390\/electronics11142212"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Al Anhar, A., and Suryanto, Y. (2021, January 29\u201330). Evaluation of Web Application Vulnerability Scanner for Modern Web Application. 
Proceedings of the 2021 International Conference on Artificial Intelligence and Computer Science Technology (ICAICST), Yogyakarta, Indonesia.","DOI":"10.1109\/ICAICST53116.2021.9497831"},{"key":"ref_27","unstructured":"Kimminich, B. (2023, August 31). The OWASP Juice Shop Project. Available online: https:\/\/owasp.org\/www-project-juice-shop\/."},{"key":"ref_28","unstructured":"Karande, C. (2023, August 31). OWASP NodeGoat project. Available online: https:\/\/github.com\/OWASP\/NodeGoat."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"30","DOI":"10.1109\/MC.2013.409","article-title":"Penetration testing for web services","volume":"47","author":"Antunes","year":"2013","journal-title":"Computer"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Albahar, M., Alansari, D., and Jurcut, A. (2022). An Empirical Comparison of Pen-Testing Tools for Detecting Web App Vulnerabilities. Electronics, 11.","DOI":"10.3390\/electronics11192991"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"6158107","DOI":"10.1155\/2017\/6158107","article-title":"Performance-Based Comparative Assessment of Open Source Web Vulnerability Scanners","volume":"2017","author":"Alsaleh","year":"2017","journal-title":"Secur. Commun. Netw."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"33200","DOI":"10.1109\/ACCESS.2022.3161522","article-title":"A Systematic Literature Review on the Characteristics and Effectiveness of Web Application Vulnerability Scanners","volume":"10","author":"Alazmi","year":"2022","journal-title":"IEEE Access"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Albalawi, N., Alamrani, N., Aloufi, R., Albalawi, M., Aljaedi, A., and Alharbi, A.R. (2023). The Reality of Internet Infrastructure and Services Defacement: A Second Look at Characterizing Web-Based Vulnerabilities. Electronics, 12.","DOI":"10.3390\/electronics12122664"},{"key":"ref_34","unstructured":"Laskos, T. (2023, August 31). 
Arachni\u2014Web Application Security Scanner Framework. Available online: https:\/\/github.com\/Arachni."},{"key":"ref_35","unstructured":"(2023, August 31). ZAPping the OWASP Top 10. Available online: https:\/\/www.zaproxy.org\/docs\/guides\/zapping-the-top-10-2021\/."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"1277","DOI":"10.1631\/FITEE.1800532","article-title":"NIG-AP: A new method for automated penetration testing","volume":"20","author":"Zhou","year":"2019","journal-title":"Front. Inf. Technol. Electron. Eng."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Minh Le, T.H., Hin, D., Croft, R., and Ali Babar, M. (2021, January 15\u201319). DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning. Proceedings of the 2021 36th IEEE\/ACM International Conference on Automated Software Engineering (ASE), Melbourne, Australia.","DOI":"10.1109\/ASE51524.2021.9678622"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Urbano, L., Perrone, G., and Romano, S.P. (2022, January 20\u201322). Reinforced WAVSEP: A Benchmarking Platform for Web Application Vulnerability Scanners. Proceedings of the 2022 International Conference on Electrical, Computer and Energy Technologies (ICECET), Prague, Czech Republic.","DOI":"10.1109\/ICECET55527.2022.9872956"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Antunes, N., and Vieira, M. (2010, January 5\u201310). Benchmarking Vulnerability Detection Tools for Web Services. Proceedings of the 2010 IEEE International Conference on Web Services, Miami, FL, USA.","DOI":"10.1109\/ICWS.2010.76"},{"key":"ref_40","unstructured":"Huo, M., Verner, J., Zhu, L., and Babar, M.A. (2004, January 28\u201330). Software quality and agile methods. Proceedings of the 28th Annual International Computer Software and Applications Conference, Hong Kong, China."},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Mitchell, S.M., and Seaman, C.B. 
(2009, January 15\u201316). A comparison of software cost, duration, and quality for waterfall vs. iterative and incremental development: A systematic review. Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement, Lake Buena Vista, FL, USA.","DOI":"10.1109\/ESEM.2009.5314228"},{"key":"ref_42","unstructured":"Trivedi, P., and Sharma, A. (2013, January 19\u201320). A comparative study between iterative waterfall and incremental software development life cycle model for optimizing the resources using computer simulation. Proceedings of the 2013 2nd International Conference on Information Management in the Knowledge Economy, Chandigarh, India."},{"key":"ref_43","first-page":"7","article-title":"Comparison between various software development methodologies","volume":"131","author":"Chandra","year":"2015","journal-title":"Int. J. Comput. Appl."}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/12\/11\/235\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T21:23:17Z","timestamp":1760131397000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/12\/11\/235"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,15]]},"references-count":43,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2023,11]]}},"alternative-id":["computers12110235"],"URL":"https:\/\/doi.org\/10.3390\/computers12110235","relation":{},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,11,15]]}}}
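The abstract above describes merging the findings of Arachni and OWASP ZAP into one "Union List" and scoring it by recall and F-measure. The Python below is an added example, not the paper's framework and not code from either scanner: it normalises two constructed, simplified scanner reports to a (vulnerability class, URL path, parameter) key, builds the union (and, for contrast, the intersection), and scores each list against a constructed ground truth. The issue-name mapping table, the `juice.test` URLs and the ground-truth set are assumptions made for illustration; real Arachni and ZAP reports are XML/JSON with different field names and issue labels.

```python
"""Union-list combination of two web scanners' findings and its effect on
precision, recall and F-measure.

Added example, not code from the paper or from Arachni / OWASP ZAP.
The report layout, the name-normalisation table and the ground truth
below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed: simplified findings as (issue name, URL, injected parameter).
ARACHNI_FINDINGS = [
    ("Cross-Site Scripting (XSS)", "http://juice.test/search?q=1", "q"),
    ("SQL Injection", "http://juice.test/rest/products/search?q=1", "q"),
    ("Path Traversal", "http://juice.test/ftp?file=../../etc/passwd", "file"),
]

ZAP_FINDINGS = [
    ("Cross Site Scripting (Reflected)", "http://juice.test/search?q=x", "q"),
    ("SQL Injection", "http://juice.test/rest/user/login", "email"),
    ("X-Content-Type-Options Header Missing", "http://juice.test/", ""),
]

# Constructed ground truth for the same target, already in key form.
GROUND_TRUTH = {
    ("xss", "/search", "q"),
    ("sqli", "/rest/products/search", "q"),
    ("sqli", "/rest/user/login", "email"),
    ("sqli", "/rest/products/reviews", "id"),   # missed by both scanners
}

# Assumed mapping from each scanner's issue label to one canonical class.
# Without this step the same bug reported under two names would be
# counted twice in the union.
CANONICAL = {
    "cross-site scripting (xss)": "xss",
    "cross site scripting (reflected)": "xss",
    "sql injection": "sqli",
    "path traversal": "traversal",
    "x-content-type-options header missing": "missing-header",
}


def normalise(finding):
    """Map one raw finding to a comparable (class, path, parameter) key."""
    name, url, param = finding
    klass = CANONICAL.get(name.strip().lower(), name.strip().lower())
    path = urlsplit(url).path or "/"      # query string dropped: the
    return (klass, path, param)           # parameter name is the key


def to_keyset(findings):
    return {normalise(f) for f in findings}


def union_list(*reports):
    """Every key reported by at least one scanner."""
    keys = set()
    for report in reports:
        keys |= to_keyset(report)
    return keys


def intersection_list(*reports):
    """Only keys reported by every scanner (the high-precision variant)."""
    sets = [to_keyset(r) for r in reports]
    result = set(sets[0])
    for s in sets[1:]:
        result &= s
    return result


def score(detected, truth):
    """Precision, recall and F-measure of a key set against ground truth."""
    tp = len(detected & truth)
    fp = len(detected - truth)
    fn = len(truth - detected)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": precision, "recall": recall, "f_measure": f}


def compare_all():
    """Score each individual scanner, the union and the intersection."""
    return {
        "arachni": score(to_keyset(ARACHNI_FINDINGS), GROUND_TRUTH),
        "zap": score(to_keyset(ZAP_FINDINGS), GROUND_TRUTH),
        "union": score(union_list(ARACHNI_FINDINGS, ZAP_FINDINGS), GROUND_TRUTH),
        "intersection": score(intersection_list(ARACHNI_FINDINGS, ZAP_FINDINGS),
                              GROUND_TRUTH),
    }


if __name__ == "__main__":
    for name, s in compare_all().items():
        print(f"{name:13s} tp={s['tp']} fp={s['fp']} fn={s['fn']} "
              f"P={s['precision']:.2f} R={s['recall']:.2f} F={s['f_measure']:.2f}")
```

On this constructed data each scanner alone reaches recall 0.50 and F-measure 0.57; the union reaches recall 0.75 and F-measure 0.67, but its precision drops to 0.60 because it inherits both scanners' false positives, while the intersection keeps precision 1.00 at recall 0.25. That is the trade-off behind the abstract's result: a union raises recall and, when the extra true positives outweigh the pooled false positives, F-measure as well. The quality of the de-duplication key (class plus location plus parameter, with scanner-specific labels normalised) decides whether the union list is a consolidated report or just two reports concatenated.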