COMPARATIVE STUDY OF ZAP AND BURPSUITE FOR SQL INJECTION DETECTION
Abstract
This research presents a comprehensive comparative analysis of two prominent web application security scanners, OWASP ZAP (Zed Attack Proxy) and Burp Suite Professional, in the context of SQL Injection vulnerability detection. The study was conducted within a controlled laboratory environment utilizing Kali Linux as the penetration testing platform and the OWASP Juice Shop as the target vulnerable application. A systematic experimental methodology was employed to evaluate both tools across three critical performance metrics: detection accuracy (including true positive and false positive rates), time efficiency (time-to-detect), and resource utilization. The research addressed the practitioner's dilemma in tool selection by providing empirical evidence on comparative performance. Results indicated significant differences in detection capabilities, with Burp Suite demonstrating superior accuracy (96.92% vs. 73.85%), particularly in complex SQL Injection scenarios such as time-based blind SQLi, while OWASP ZAP showed advantages in resource efficiency and open-source accessibility. The study contributes to the cybersecurity field by establishing a reproducible testing framework and providing evidence-based recommendations for security practitioners. Additionally, the research identifies specific configuration optimizations that can enhance detection performance for both tools, offering practical guidance for organizations facing tool selection decisions.
Keywords: SQL Injection, Web Application Security, Vulnerability Assessment, OWASP ZAP, Burp Suite, Penetration Testing, OWASP Juice Shop, Comparative Analysis
Author: KAGO RUKAYYA YUSUF (2310421045)
