Comparative Analysis of OWASP ZAP and Nuclei for Non-Intrusive Vulnerability Scanning of Public E-Commerce Web Applications


  • Bambang Harie Wiyono, Sekolah Tinggi Teknologi Terpadu Nurul Fikri, Depok, Indonesia
  • Rintan Madi Sari *, Sekolah Tinggi Teknologi Terpadu Nurul Fikri, Depok, Indonesia
  • Lukman Rosyidi, Sekolah Tinggi Teknologi Terpadu Nurul Fikri, Depok, Indonesia
  • (*) Corresponding Author
Keywords: Web Security; E-Commerce; Vulnerability Scanning; OWASP ZAP; Nuclei

Abstract

This study discusses a comparative analysis of non-intrusive vulnerability scanning results on public e-commerce web applications using OWASP ZAP and Nuclei. This study is not intended to directly prove vulnerability exploitation, but rather to evaluate the characteristics of scanning outputs based on the number of aggregate findings, unique findings after deduplication, CVSS v3.1 severity distribution, OWASP Top 10 mapping, overlap, and priority findings that require manual validation. Testing was conducted using a black-box and non-intrusive approach on five targets coded E1 to E5. The coding was applied to maintain testing ethics on public targets, while target selection was based on open web application access, relevance to the e-commerce context, and variations in service characteristics that could be observed externally. The results showed 83 aggregate findings, consisting of 68 OWASP ZAP findings and 15 Nuclei findings. After the normalization and deduplication process, 81 unique findings were obtained with 2 overlapping findings. OWASP ZAP produced more consistent outputs across several targets and was dominant in the Security Misconfiguration category, particularly security headers, Content Security Policy, cache-control, and cookie attributes. Meanwhile, Nuclei produced fewer findings but made an important contribution by detecting 5 Critical findings and 3 High findings, especially on target E4. The limitation of this study lies in output constraints on several targets; therefore, the scanning results cannot be interpreted as the final security condition of the targets, but rather as initial technical indications that require further validation. This study does not measure precision, recall, false positive rate, or scanning time efficiency because the testing was conducted on public targets under non-intrusive limitations and without Proof of Concept. The results indicate that the combination of OWASP ZAP and Nuclei provides more complete analysis coverage than the use of a single scanner because both have different and complementary detection characteristics.
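As an added example (not the paper's own code), the following Python script walks through the normalization, deduplication, overlap and CVSS v3.1 severity steps the abstract describes, over constructed sample findings from the two scanners; the record field names are assumptions, and the severity thresholds are those of the CVSS v3.1 qualitative rating scale.

```python
# Added example, not the paper's code: merge findings from two scanners into
# one normalized record set and report the counts the abstract describes.
from collections import Counter

def cvss_severity(score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative rating (v3.1 scale)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def normalize(finding: dict) -> tuple:
    """Key a finding by target, affected path and a canonical check name so the
    same issue reported by both scanners collapses to one record."""
    name = finding["name"].lower().replace("-", " ").replace("_", " ")
    name = " ".join(name.split())  # collapse whitespace and punctuation noise
    path = finding.get("path", "/").rstrip("/") or "/"
    return (finding["target"], path, name)

def merge(zap: list, nuclei: list) -> dict:
    """Return aggregate, unique and overlap counts plus severity distribution."""
    unique, sources = {}, {}
    for src, findings in (("zap", zap), ("nuclei", nuclei)):
        for f in findings:
            key = normalize(f)
            sources.setdefault(key, set()).add(src)
            # when both scanners report the same issue, keep the higher score
            if key not in unique or f["cvss"] > unique[key]["cvss"]:
                unique[key] = f
    overlap = sum(1 for s in sources.values() if len(s) == 2)
    severity = Counter(cvss_severity(f["cvss"]) for f in unique.values())
    return {"aggregate": len(zap) + len(nuclei), "unique": len(unique),
            "overlap": overlap, "severity": dict(severity)}

# Constructed sample records (field names assumed); E1/E4 are the paper's target codes.
ZAP = [
    {"target": "E1", "path": "/", "name": "Missing Content-Security-Policy", "cvss": 4.3},
    {"target": "E1", "path": "/login", "name": "Cookie without Secure flag", "cvss": 3.1},
    {"target": "E4", "path": "/", "name": "Missing Content-Security-Policy", "cvss": 4.3},
]
NUCLEI = [
    {"target": "E4", "path": "/", "name": "missing-content-security-policy", "cvss": 4.3},
    {"target": "E4", "path": "/", "name": "Known vulnerable component version", "cvss": 9.8},
]

if __name__ == "__main__":
    print(merge(ZAP, NUCLEI))
```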



Article History
Published: 2026-06-22