Comparative Analysis of Penetration Testing Frameworks: OWASP, PTES, and NIST SP 800-115 for Detecting Web Application Vulnerabilities
DOI:
https://doi.org/10.30871/jaic.v9i6.9846Keywords:
Penetration Testing, OWASP, PTES, NIST SP 800-115, Web Applcation Vulnerabilities, Comparative AnalysisAbstract
Web application security faces increasingly complex challenges as digital architectures evolve, necessitating the selection of appropriate and effective penetration testing methods. This study presents a comparative analysis of the OWASP Testing Guide, PTES, and NIST SP 800-115 frameworks in detecting web application vulnerabilities. Through experiments on DVWA and OWASP Juice Shop, the frameworks were evaluated based on detection speed, vulnerability count, and severity. The results highlight a clear trade-off: OWASP proved the most efficient (85 minutes average, 59 total vulnerabilities), making it ideal for rapid assessments. PTES demonstrated the most comprehensive technical depth (63 vulnerabilities, highest severity) but required the most time, while NIST SP 800-115 (49 vulnerabilities) excelled in compliance and risk management integration. The study recommends selecting OWASP for efficiency, PTES for deep technical audits, and NIST for regulatory alignment.
Downloads
References
[1] O. Bin Tauqeer, S. Jan, A. Omar Khadidos, A. Omar Khadidos, F. Qudus Khan, and S. Khattak, “Analysis of Security Testing Techniques,” Intell. Autom. Soft Comput., vol. 29, no. 1, pp. 291–306, 2021, doi: 10.32604/iasc.2021.017260.
[2] M. C. Ghanem and T. M. Chen, “Reinforcement Learning for Efficient Network Penetration Testing,” Information, vol. 11, no. 1, p. 6, Dec. 2019, doi: 10.3390/info11010006.
[3] R. A. Correa, J. Ram髇 Bermejo Higuera, J. Bermejo Higuera, J. Antonio SiciliaMontalvo, M. S醤chez Rubio, and Alberto Magre襻n, “Hybrid Security AssessmentMethodology forWeb Applications,” Comput. Model. Eng. Sci., vol. 126, no. 1, pp. 89–124, 2021, doi: 10.32604/cmes.2021.010700.
[4] A. G. Bacudio, X. Yuan, B. T. Bill Chu, and M. Jones, “An Overview of Penetration Testing,” Int. J. Netw. Secur. Its Appl., vol. 3, no. 6, pp. 19–38, Nov. 2011, doi: 10.5121/ijnsa.2011.3602.
[5] H.-J. Lu and Y. Yu, “Research on WiFi Penetration Testing with Kali Linux,” Complexity, vol. 2021, no. 1, Jan. 2021, doi: 10.1155/2021/5570001.
[6] S. Jain, R. Johari, and A. Kaur, “PJCT: Penetration testing based JAVA code testing tool,” in International Conference on Computing, Communication & Automation, IEEE, May 2015, pp. 800–805. doi: 10.1109/CCAA.2015.7148483.
[7] M. Peroli, F. De Meo, L. Viganò, and D. Guardini, “MobSTer: A model‐based security testing framework for web applications,” Softw. Testing, Verif. Reliab., vol. 28, no. 8, Dec. 2018, doi: 10.1002/stvr.1685.
[8] H. Nina, J. A. Pow-Sang, and M. Villavicencio, “Systematic Mapping of the Literature on Secure Software Development,” IEEE Access, vol. 9, pp. 36852–36867, 2021, doi: 10.1109/ACCESS.2021.3062388.
[9] R. Baloch, Ethical Hacking and Penetration Testing Guide. Auerbach Publications, 2017. doi: 10.4324/9781315145891.
[10] B. Arkin, S. Stender, and G. McGraw, “Software penetration testing,” IEEE Secur. Priv. Mag., vol. 3, no. 1, pp. 84–87, Jan. 2005, doi: 10.1109/MSP.2005.23.
[11] S. Nagpure and S. Kurkure, “Vulnerability Assessment and Penetration Testing of Web Application,” in 2017 International Conference on Computing, Communication, Control and Automation (ICCUBEA), IEEE, Aug. 2017, pp. 1–6. doi: 10.1109/ICCUBEA.2017.8463920.
[12] A. Alanda, D. Satria, M. I. Ardhana, A. A. Dahlan, and H. A. Mooduto, “Web Application Penetration Testing Using SQL Injection Attack,” JOIV Int. J. Informatics Vis., vol. 5, no. 3, p. 320, Sep. 2021, doi: 10.30630/joiv.5.3.470.
[13] M. Felderer, P. Zech, R. Breu, M. Büchler, and A. Pretschner, “Model-based security testing: a taxonomy and systematic classification,” Softw. Testing, Verif. Reliab., vol. 26, no. 2, pp. 119–148, Mar. 2016, doi: 10.1002/stvr.1580.
[14] M. Cova, V. Felmetsger, and G. Vigna, “Vulnerability Analysis of Web-based Applications,” in Test and Analysis of Web Services, Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 363–394. doi: 10.1007/978-3-540-72912-9_13.
[15] E. Alata, M. Kaaniche, V. Nicomette, and R. Akrout, “An Automated Approach to Generate Web Applications Attack Scenarios,” in 2013 Sixth Latin-American Symposium on Dependable Computing, IEEE, Apr. 2013, pp. 78–85. doi: 10.1109/LADC.2013.22.
[16] R. Amankwah, J. Chen, P. K. Kudjo, and D. Towey, “An empirical comparison of commercial and open‐source web vulnerability scanners,” Softw. Pract. Exp., vol. 50, no. 9, pp. 1842–1857, Sep. 2020, doi: 10.1002/spe.2870.
[17] K. Abdulghaffar, N. Elmrabit, and M. Yousefi, “Enhancing Web Application Security through Automated Penetration Testing with Multiple Vulnerability Scanners,” Computers, vol. 12, no. 11, p. 235, Nov. 2023, doi: 10.3390/computers12110235.
[18] R. Akrout, E. Alata, M. Kaaniche, and V. Nicomette, “An automated black box approach for web vulnerability identification and attack scenario generation,” J. Brazilian Comput. Soc., vol. 20, no. 1, p. 4, Dec. 2014, doi: 10.1186/1678-4804-20-4.
[19] A. V. -, V. -, R. -, and S. S. -, “Finding Vulnerability in Web Application by using Pentesting,” Int. J. Multidiscip. Res., vol. 6, no. 4, Jul. 2024, doi: 10.36948/ijfmr.2024.v06i04.24517.
[20] K. Božić, N. Penevski, and S. Adamović, “Penetration Testing and Vulnerability Assessment: Introduction, Phases, Tools and Methods,” in Proceedings of the International Scientific Conference - Sinteza 2019, Novi Sad, Serbia: Singidunum University, 2019, pp. 229–234. doi: 10.15308/Sinteza-2019-229-234.
[21] D. K. D. Kongara and S. Krishnama, “A Process of Penetration Testing Using Various Tools,” Mesopotamian J. CyberSecurity, vol. 2023, pp. 93–103, Apr. 2023, doi: 10.58496/MJCS/2023/014.
[22] D. F. Priambodo, A. D. Rifansyah, and M. Hasbi, “Penetration Testing Web XYZ Berdasarkan OWASP Risk Rating,” Teknika, vol. 12, no. 1, pp. 33–46, Feb. 2023, doi: 10.34148/teknika.v12i1.571.
[23] I. D. G. G. Dharmawangsa, G. M. A. Sasmita, and I. P. A. E. Pratama, “Penetration Testing Berbasis OWASP Testing Guide Versi 4.2 (Studi Kasus: X Website),” JITTER J. Ilm. Teknol. dan Komput., vol. 4, no. 1, p. 1613, Feb. 2023, doi: 10.24843/JTRTI.2023.v04.i01.p06.
[24] E. Saad and R. Mitchell, OWASP Web Security Testing Guide.
[25] N. Anand, M. A. Saifulla, R. B. Ponnuru, G. R. Alavalapati, R. Patan, and A. H. Gandomi, “Securing Software Defined Networks: A Comprehensive Analysis of Approaches, Applications, and Future Strategies against DoS Attacks,” IEEE Access, vol. 13, no. April, pp. 64473–64515, 2024, doi: 10.1109/ACCESS.2024.3520478.
[26] “PTES (Penetration Testing Execution Standard).” Accessed: Sep. 03, 2025. [Online]. Available: http://www.pentest-standard.org/index.php/Main_Page
[27] G. Erdogan, Y. Li, R. K. Runde, F. Seehusen, and K. Stølen, “Approaches for the combined use of risk analysis and testing: a systematic literature review,” Int. J. Softw. Tools Technol. Transf., vol. 16, no. 5, pp. 627–642, Oct. 2014, doi: 10.1007/s10009-014-0330-5.
[28] K. A. Scarfone, M. P. Souppaya, A. Cody, and A. D. Orebaugh, “Technical guide to information security testing and assessment.,” Gaithersburg, MD, 2008. doi: 10.6028/NIST.SP.800-115.
[29] S. Team, “The Best DVWA (Damn Vulnerable Web Application) 2025 Guide,” stationx.net. Accessed: Nov. 01, 2025. [Online]. Available: https://www.stationx.net/dvwa-damn-vulnerable-web-application/
[30] R. Wood, “Damn Vulnerable Web Application (DVWA),” github. Accessed: Oct. 30, 2025. [Online]. Available: https://github.com/digininja/DVWA
[31] B. Kimminich and J. Hollenbach, “OWASP Juice Shop,” OWASP. Accessed: Oct. 01, 2025. [Online]. Available: https://owasp.org/www-project-juice-shop/
[32] A. J. Vickers et al., “Guidelines for Reporting of Figures and Tables for Clinical Research in Urology,” Eur. Urol., vol. 78, no. 1, pp. 97–109, Jul. 2020, doi: 10.1016/j.eururo.2020.04.048.
[33] Q. Guo et al., “A Survey on Knowledge Graph-Based Recommender Systems,” IEEE Trans. Knowl. Data Eng., vol. 34, no. 8, pp. 3549–3568, Aug. 2022, doi: 10.1109/TKDE.2020.3028705.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2025 Muhamad Bunan Imtias, Khothibul Umam, Hery Mustofa, Moh Hadi Subowo
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License (Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) ) that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).
