PERFORMANCE EVALUATION OF OPEN-SOURCE WEB VULNERABILITY SCANNERS FOR SQL INJECTION DETECTION IN WEB APPLICATIONS
DOI: https://doi.org/10.35631/JISTM.1142027

Keywords: Black Box Testing, Penetration Testing, SQL Injection, Web Application Security, Web Vulnerability Scanner

Abstract
Small and Medium Enterprises (SMEs) are moving their business onto online platforms, which leaves them more exposed to cybersecurity threats, in particular SQL Injection (SQLi) attacks. SQLi is among the most common web application vulnerabilities listed by OWASP. To address this risk, this research examines how well several open-source Web Vulnerability Scanners (WVS) detect SQLi. Four popular open-source scanners, OWASP ZAP, SQLmap, Skipfish and Wapiti, were tested across five types of web applications, including deliberately vulnerable testbeds such as DVWA and OWASP Mutillidae II as well as real e-commerce sites, so that the tools could be observed under practical conditions. Each scanner was evaluated on four criteria: detection rate, response time, CPU and memory usage, and ease of use. The scanners produced noticeably different results in the experiment. These findings offer practical guidance for SMEs choosing cost-effective and efficient scanning tools that match their cybersecurity needs.
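The abstract names four measurements (detection rate, response time, CPU and memory usage, plus a qualitative ease-of-use judgement) without saying how they are taken. The harness below is an added example, not code from the paper or from any of the scanners, showing one way to capture the three quantitative ones around a single scanner invocation: wall-clock time and the child process's CPU time and peak resident memory come from the kernel's rusage accounting, and detection rate is recall against a ground-truth list of known-injectable (url, parameter) pairs. The DVWA host, session cookie and the sqlmap command line are example values that assume a local DVWA lab; the ground-truth list is constructed for illustration.

```python
"""Benchmark harness for one web vulnerability scanner run (added example).

Measures what the study compares: wall-clock response time, CPU time and
peak memory of the scanner process, and detection rate (recall) against a
ground-truth list of injectable parameters.
"""
import resource
import subprocess
import sys
import time
from dataclasses import dataclass


@dataclass
class RunMetrics:
    wall_seconds: float   # elapsed time of the scanner run
    cpu_seconds: float    # user + system CPU time consumed by the child
    max_rss_kib: int      # peak resident set size (KiB on Linux, bytes on macOS)
    returncode: int
    stdout: str


def run_scanner(cmd, timeout=None):
    """Run one scanner command line as a child process and measure it.

    RUSAGE_CHILDREN accumulates over every terminated child, so the
    before/after difference isolates this run's CPU time. ru_maxrss is a
    high-water mark across all children, so run each tool from a fresh
    harness process if you want a per-tool peak rather than the maximum.
    """
    before = resource.getrusage(resource.RUSAGE_CHILDREN)
    start = time.monotonic()
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    wall = time.monotonic() - start
    after = resource.getrusage(resource.RUSAGE_CHILDREN)
    cpu = (after.ru_utime - before.ru_utime) + (after.ru_stime - before.ru_stime)
    return RunMetrics(wall, cpu, after.ru_maxrss, proc.returncode, proc.stdout)


def detection_rate(ground_truth, reported):
    """Recall of the scanner against known-injectable (url, param) pairs.

    Returns (rate, false_positives): rate is the fraction of ground-truth
    pairs the scanner reported; false_positives are reported pairs that are
    not in the ground truth, which matters for the ease-of-use judgement
    because every one of them costs triage time.
    """
    truth = set(ground_truth)
    found = set(reported)
    rate = len(truth & found) / len(truth) if truth else 0.0
    return rate, sorted(found - truth)


def baseline_command():
    """Trivial child process used to measure the harness's own overhead."""
    return [sys.executable, "-c", "print('ok')"]


# Constructed ground truth for a hypothetical local DVWA instance: only the
# sqli page's id parameter is injectable in this illustration.
DVWA_GROUND_TRUTH = [
    ("http://127.0.0.1/dvwa/vulnerabilities/sqli/", "id"),
]

if __name__ == "__main__":
    # Example sqlmap command: -u target URL, --batch for non-interactive
    # defaults, --cookie for the authenticated DVWA session (placeholder value).
    sqlmap_cmd = [
        "sqlmap", "-u", "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit",
        "--batch", "--cookie", "PHPSESSID=<session>; security=low",
    ]
    overhead = run_scanner(baseline_command())
    print(f"harness overhead: {overhead.wall_seconds:.3f}s wall")
    try:
        m = run_scanner(sqlmap_cmd, timeout=600)
    except FileNotFoundError:
        sys.exit("sqlmap not installed; point sqlmap_cmd at another scanner")
    print(f"sqlmap: {m.wall_seconds:.1f}s wall, {m.cpu_seconds:.1f}s cpu, "
          f"peak RSS {m.max_rss_kib}")
    # Parse the tool's findings into (url, param) pairs with a parser for that
    # tool's output format, then:
    #   rate, fps = detection_rate(DVWA_GROUND_TRUTH, reported_pairs)
```

Run the baseline first and subtract its numbers from each tool's figures if the harness overhead is not negligible for fast scanners. Each tool reports findings in its own format (sqlmap's log, ZAP's JSON report, Wapiti's report files), so the conversion into (url, param) pairs is deliberately left to a per-tool parser rather than guessed here.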
