This paper presents the findings of security testing of JavaServer Faces (JSF). JSF has been widely used as an open source web framework for developing efficient applications using J2EE. JSF is compared with the ASP.NET framework to unearth potential security flaws. Software security has become an indispensable part of the software development life cycle. The penetration testing approach varies with respect to web development frameworks and platforms. With the advent of more advanced attacks, it has become crucial to raise the standards of penetration testing. An aggressive security testing approach is required to detect inherent vulnerabilities and to develop robust security solutions in order to thwart sophisticated attacks.