Efficient Web-Vulnerability Detection Technique Using Hybrid SAST-DAST Analysis and Machine Learning

Abstract

This study presents a lightweight, interpretable machine learning framework that correlates the outputs of static (SAST) and dynamic (DAST) security testing tools to reduce false positives and prioritize true vulnerabilities. Trained on the OWASP Benchmark (2,740 test cases), the Random Forest model achieves F1=0.837, recall=0.943, and reduces false positives by 66.8% compared to standalone DAST. Validation on realistic vulnerable applications (crAPI, WebGoat) showed precision@10=0.70 and 80% alert reduction on crAPI, and precision@20=0.80 with 84% alert reduction on WebGoat. SHAP analysis provides transparency, enabling analysts to understand each prediction.