JOURNAL OF KING SAUD UNIVERSITY-COMPUTER AND INFORMATION SCIENCES, cilt.34, sa.9, ss.6775-6792, 2022 (SCI-Expanded)
Context: Web application security is a main component of any web-based business. Web applications are subject to attacks from different locations at various levels of scale and complexity. In this context, a large number of testing techniques, tools and frameworks have been proposed by both practitioners and researchers to effectively and efficiently test the security of web applications. Objective: As the number of papers increases in the security of web applications and this research area matures, reviewing and getting an overview of this area is getting challenging for a practitioner or a new researcher. Our objective is to summarize the state-of-the-art in web application security testing which could benefit practitioners to potentially utilize that information. Method: We review and structure the body of knowledge related to web application security testing in the form of a systematic literature mapping (SLM). As part of this study, we pose four sets of research questions, define selection and exclusion criteria, and systematically develop and refine a classification schema. The initial pool consisted of 154 articles. Systematic voting was conducted among the authors regarding the inclusion/exclusion of articles. As a result, there were 80 technical articles in our final pool. Accordance with our inclusion and exclusion criteria, the first article was published in 2005 and this review includes all the papers until the end of 2020. During December 2020, January and February 2021, the search phase has been conducted. Results: This review paper provides an overview of web application security testing with different focused headings. These headings cover contribution types, web security testing tools and their sub fea-tures, specific questions/features to the security testing such as vulnerability types, system under testing (SUT) focused headings and more. Conclusion: The results of this study would benefit researchers working on web application security test-ing. Also, it could be useful for developers who discuss application security while they develop web appli-cations. Thanks to this paper, these researchers could utilize the all results and use them to catch the trend of web application security testing and secure development. (c) 2021 The Authors. Published by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).