Web application security has become a critical concern as cyber threats evolve in sophistication and frequency. This study analyzes vulnerabilities in modern web applications using the black-box penetration testing method based on the OWASP Top 10:2025 framework within an isolated environment. The research employs VulnApp, an intentionally vulnerable web application deployed as a controlled research target, tested using three open-source DAST tools: Nmap, Nikto, and manual exploitation techniques following stages of reconnaissance, scanning, exploitation, and reporting. Results indicate 24 verified vulnerabilities distributed across 8 of 10 OWASP Top 10:2025 categories, with the combination of tools achieving a Detection Rate (DR) of 83.3%, F1-Score of 0.889, and a Risk Score Composite (RSC) of 7.39, indicating a high-risk application profile. The highest severity findings were identified in Injection (A05, CVSS 9.8), Authentication Failures (A07, CVSS 8.8), and Broken Access Control (A01, CVSS 8.1). The isolated containerized environment proved effective as a reproducible and legally compliant research laboratory.
Copyrights © 2026