Web application security is a critical aspect of protecting the confidentiality, integrity, and availability of data, and Vulnerability Assessment and Penetration Testing (VAPT) is a vital method for achieving it within the system development lifecycle. This study is motivated by the dilemma security practitioners face when choosing between two testing tools: Zed Attack Proxy (ZAP), an open-source solution with full automation capabilities, and Burp Suite Community, an industry-standard tool whose free edition imposes throttling limitations. The study conducts a comparative analysis of the performance of these two tools on Website XYZ, focusing on the accuracy of detecting OWASP Top 10 vulnerabilities, computational resource efficiency, and the effectiveness of fuzzing and spidering in modern JavaScript/AJAX-based web architectures. The research adopts a systematic VAPT approach comprising information gathering, vulnerability scanning, and risk analysis, and employs Youden's Index as the statistical metric for diagnostic effectiveness. The results indicate that OWASP ZAP achieved a True Positive Rate (TPR) of 75% (6 of 8 vulnerabilities detected) and a Youden's Index of 0.625. In terms of computational efficiency, OWASP ZAP completed the fuzzing process in an average of 4.72 seconds, significantly faster than Burp Suite Community, which required an average of 22.56 seconds because of the rate limits in its free Intruder module. The study therefore recommends OWASP ZAP as the more effective penetration-testing tool in environments with limited computational resources, given its superior endpoint detection accuracy and execution-time efficiency.
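To make the evaluation metric concrete, the following added example (not code from the paper) computes sensitivity, specificity and Youden's Index (J = sensitivity + specificity - 1) for a scanner by comparing its findings against a labelled set of test cases. The endpoints, weakness labels and scanner findings are constructed for illustration; they are chosen so that the scanner finds 6 of 8 real vulnerabilities and raises one false alarm on 8 safe control cases, which reproduces the abstract's TPR of 75% and J of 0.625 and shows the specificity (87.5%) that those two figures jointly imply.

```python
"""Youden's Index for a web vulnerability scanner (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfusionMatrix:
    tp: int  # real vulnerabilities the scanner flagged
    fn: int  # real vulnerabilities the scanner missed
    tn: int  # safe control cases the scanner left alone
    fp: int  # safe control cases the scanner wrongly flagged

    @property
    def sensitivity(self) -> float:
        """True Positive Rate: share of real vulnerabilities detected."""
        return self.tp / (self.tp + self.fn)

    @property
    def specificity(self) -> float:
        """True Negative Rate: share of safe cases correctly not flagged."""
        return self.tn / (self.tn + self.fp)

    @property
    def youden_index(self) -> float:
        """J = sensitivity + specificity - 1; ranges from -1 to 1, 0 = no better than chance."""
        return self.sensitivity + self.specificity - 1


# Constructed ground truth: (endpoint, weakness) -> True if really vulnerable,
# False for a deliberately safe control case that a good scanner should not flag.
GROUND_TRUTH = {
    ("/login", "A03:Injection"): True,
    ("/search", "A03:Injection"): True,
    ("/profile", "A01:Broken Access Control"): True,
    ("/admin", "A01:Broken Access Control"): True,
    ("/comments", "A03:XSS"): True,
    ("/upload", "A05:Security Misconfiguration"): True,
    ("/api/orders", "A01:Broken Access Control"): True,
    ("/reset", "A07:Auth Failure"): True,
    ("/about", "A03:Injection"): False,
    ("/contact", "A03:XSS"): False,
    ("/static/app.js", "A05:Security Misconfiguration"): False,
    ("/health", "A01:Broken Access Control"): False,
    ("/logout", "A07:Auth Failure"): False,
    ("/terms", "A03:Injection"): False,
    ("/api/products", "A01:Broken Access Control"): False,
    ("/faq", "A03:XSS"): False,
}

# Constructed scanner output: 6 of the 8 real issues plus one false alarm.
SCANNER_FINDINGS = {
    ("/login", "A03:Injection"),
    ("/search", "A03:Injection"),
    ("/profile", "A01:Broken Access Control"),
    ("/comments", "A03:XSS"),
    ("/upload", "A05:Security Misconfiguration"),
    ("/reset", "A07:Auth Failure"),
    ("/contact", "A03:XSS"),  # false positive
}


def confusion_matrix(ground_truth: dict, scanner_findings: set) -> ConfusionMatrix:
    """Count TP/FN/TN/FP over the labelled cases.

    Findings for cases outside the labelled set are ignored: without ground
    truth they cannot be classified as true or false positives.
    """
    tp = fn = tn = fp = 0
    for case, vulnerable in ground_truth.items():
        flagged = case in scanner_findings
        if vulnerable and flagged:
            tp += 1
        elif vulnerable:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    return ConfusionMatrix(tp, fn, tn, fp)


def implied_specificity(sensitivity: float, youden: float) -> float:
    """Recover specificity from a reported TPR and J (J = TPR + TNR - 1)."""
    return youden + 1 - sensitivity


if __name__ == "__main__":
    m = confusion_matrix(GROUND_TRUTH, SCANNER_FINDINGS)
    print(f"TP={m.tp} FN={m.fn} TN={m.tn} FP={m.fp}")
    print(f"sensitivity={m.sensitivity:.3f} specificity={m.specificity:.3f} J={m.youden_index:.3f}")
    print(f"specificity implied by TPR 0.75 and J 0.625: {implied_specificity(0.75, 0.625):.3f}")
```

The control cases matter: a scanner that flags everything scores a perfect TPR but a specificity of 0, so J collapses to 0; Youden's Index rewards only detection that is not bought with false alarms, which is why the abstract reports J alongside the raw TPR.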