An empirical comparison of commercial and open-source web vulnerability scanners

Richard Amankwah, Jinfu Chen, Patrick Kwaku Kudjo, Dave Towey

Research output: Journal PublicationArticlepeer-review

23 Citations (Scopus)
141 Downloads (Pure)


Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open-source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability detection capabilities of eight WVSs (both open and commercial) using two vulnerable web applications: WebGoat and Damn vulnerable web application. The eight WVSs studied were: Acunetix; HP WebInspect; IBM AppScan; OWASP ZAP; Skipfish; Arachni; Vega; and Iron WASP. The performance was evaluated using multiple evaluation metrics: precision; recall; Youden index; OWASP web benchmark evaluation; and the web application security scanner evaluation criteria. The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open-source scanners (such as ZAP and Skipfish) can also be effective. In summary, this study recommends improving the vulnerability detection capabilities of both the open-source and commercial scanners to enhance code coverage and the detection rate, and to reduce the number of false-positives.

Original languageEnglish
Pages (from-to)1842-1857
Number of pages16
JournalSoftware - Practice and Experience
Issue number9
Publication statusPublished - 1 Sept 2020


  • commercial scanners
  • detection capability
  • open-source scanners
  • software vulnerability
  • vulnerable web application

ASJC Scopus subject areas

  • Software


Dive into the research topics of 'An empirical comparison of commercial and open-source web vulnerability scanners'. Together they form a unique fingerprint.

Cite this