Comparative Analysis of Accuracy and Performance between Zed Attack Proxy and Burp Suite Community on Website XYZ

Wendha Alfen Pratama, Galura Muhammad Suranegara

Abstract


Web application security is a critical aspect of protecting the confidentiality, integrity, and availability of data, where Vulnerability Assessment and Penetration Testing (VAPT) serves as a vital method within the system development lifecycle. This study is motivated by the dilemma faced by security practitioners when choosing testing tools between Zed Attack Proxy (ZAP), an open-source solution with full automation capabilities, and Burp Suite Community, an industry-standard tool that imposes throttling limitations in its free version. This study aims to conduct a comparative analysis of the performance of these two tools on Website XYZ, with a particular focus on the accuracy of detecting OWASP Top 10 vulnerabilities, computational resource efficiency, and the effectiveness of fuzzing and spidering in modern web architectures based on JavaScript/AJAX. The research adopts a systematic VAPT approach, including information gathering, vulnerability scanning, and risk analysis, and employs Youden’s Index as a statistical metric to evaluate diagnostic effectiveness.
The results indicate that OWASP ZAP achieved a True Positive Rate (TPR) of 75% (6 of 8 vulnerabilities detected), with a Youden's Index value of 0.625. In terms of computational efficiency, OWASP ZAP completed the fuzzing process in an average of 4.72 seconds, significantly faster than Burp Suite Community, which required an average of 22.56 seconds because of the rate limiting in its free Intruder module. This study therefore recommends OWASP ZAP as the more effective tool for penetration testing in environments with limited computational resources, given its superior endpoint detection accuracy and execution-time efficiency.
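To make the Youden's Index metric concrete, the following added example (not code from the paper or from either scanner project) scores a scanner's findings against a labelled set of endpoints, computes TPR, TNR and J = TPR + TNR - 1, and ranks two scanners by J. The endpoint names, the ground-truth labels and both scanners' outputs are constructed for illustration; the first scanner's counts are chosen so that they reproduce the TPR of 75% and J of 0.625 reported in the abstract, which together imply a specificity of 0.875 (one false positive among eight clean endpoints), a value the abstract does not state directly.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DiagnosticScore:
    """Confusion-matrix counts for one scanner against a known ground truth."""

    tp: int  # vulnerable endpoints the scanner reported
    fn: int  # vulnerable endpoints the scanner missed
    tn: int  # clean endpoints the scanner left alone
    fp: int  # clean endpoints the scanner wrongly flagged

    @property
    def tpr(self) -> float:
        """Sensitivity: share of real vulnerabilities that were reported."""
        positives = self.tp + self.fn
        return self.tp / positives if positives else 0.0

    @property
    def tnr(self) -> float:
        """Specificity: share of clean endpoints that were not flagged."""
        negatives = self.tn + self.fp
        return self.tn / negatives if negatives else 0.0

    @property
    def youden_j(self) -> float:
        """Youden's Index J = TPR + TNR - 1; ranges from -1 (always wrong) to 1 (perfect)."""
        return self.tpr + self.tnr - 1.0


def score_scanner(ground_truth: dict[str, bool], findings: set[str]) -> DiagnosticScore:
    """Compare a scanner's flagged endpoints with the labelled ground truth.

    ground_truth maps each tested endpoint to True if it is really vulnerable.
    Findings for endpoints that were never labelled cannot be scored and are ignored.
    """
    tp = sum(1 for ep, vuln in ground_truth.items() if vuln and ep in findings)
    fn = sum(1 for ep, vuln in ground_truth.items() if vuln and ep not in findings)
    tn = sum(1 for ep, vuln in ground_truth.items() if not vuln and ep not in findings)
    fp = sum(1 for ep, vuln in ground_truth.items() if not vuln and ep in findings)
    return DiagnosticScore(tp, fn, tn, fp)


def rank_by_youden(scores: dict[str, DiagnosticScore]) -> list[tuple[str, float]]:
    """Order scanners from best to worst diagnostic effectiveness by J."""
    return sorted(((name, s.youden_j) for name, s in scores.items()),
                  key=lambda item: item[1], reverse=True)


# Constructed ground truth for a hypothetical target (not the paper's Website XYZ data):
# eight endpoints with a confirmed weakness and eight that are clean.
GROUND_TRUTH = {
    "/login": True, "/search": True, "/profile": True, "/comments": True,
    "/upload": True, "/admin/users": True, "/api/orders": True, "/reset-password": True,
    "/about": False, "/contact": False, "/terms": False, "/static/app.js": False,
    "/faq": False, "/api/health": False, "/news": False, "/sitemap.xml": False,
}

# Constructed output of scanner A: 6 of the 8 real issues found, plus 1 false alarm.
SCANNER_A_FINDINGS = {"/login", "/search", "/profile", "/comments",
                      "/upload", "/admin/users", "/faq"}

# Constructed output of scanner B: only 4 real issues found, but no false alarms.
SCANNER_B_FINDINGS = {"/login", "/search", "/profile", "/comments"}

SCANNER_A = score_scanner(GROUND_TRUTH, SCANNER_A_FINDINGS)
SCANNER_B = score_scanner(GROUND_TRUTH, SCANNER_B_FINDINGS)

if __name__ == "__main__":
    for name, score in (("A", SCANNER_A), ("B", SCANNER_B)):
        print(f"scanner {name}: TPR={score.tpr:.3f} TNR={score.tnr:.3f} J={score.youden_j:.3f}")
    print("ranking:", rank_by_youden({"A": SCANNER_A, "B": SCANNER_B}))
```

Scanner B has perfect specificity yet ranks below scanner A, which is the point of using J rather than TPR or the false-positive count alone: the index penalises missed vulnerabilities and false alarms symmetrically, so a tool that stays quiet is not rewarded for the findings it never produced.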

Keywords


burp suite community; fuzzing; owasp zap; penetration testing; vapt; youden’s index


DOI: https://doi.org/10.32520/stmsi.v15i4.6287

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.