Survey on Web Application Security Testing Methods
Keywords: Web Application Security, Penetration Testing, OWASP Top 10, Code Review, Security Testing Tools, Burp Suite, OWASP ZAP

Abstract

This research study delivers comprehensive coverage of tools, techniques, and processes for ensuring security within web applications. The analysis encompasses both automated and manual approaches, including code reviews, penetration testing, and tools addressing common vulnerabilities listed in the OWASP Top 10. As web applications have become critical infrastructure for modern organizations managing sensitive data and performing significant transactions, the need for robust security testing has grown exponentially. The research presents case studies and results of testing performed in real environments to illustrate the strengths and weaknesses of various security testing methodologies. The findings demonstrate that while automated tools provide efficiency and scalability, manual testing remains essential for detecting complex logical vulnerabilities and context-sensitive security issues. Additionally, the paper emphasizes the importance of integrating multiple testing approaches into a unified web application security strategy to address the evolving threat landscape effectively.
Copyright (c) 2025 PLOMS AI

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.