Based on game theory, we analyse the attack-defence process between penetration testers and system defenders around web vulnerabilities, and we propose a web security assessment and strategy optimisation method based on attack-defence games. First, following the actual process on the network, we build a web attack-defence game model that accounts for the multiple parameters through which web vulnerabilities influence the profitability of attack and defence: the difficulty of exploiting and of detecting a vulnerability, the impact of its hazard, and its prevalence. In addition, we quantify the decision cost and the capability of both the attacking and the defending party and apply the Nash equilibrium principle to obtain the best attack and defence strategies from the defender's perspective. Experiments verify the effectiveness of the proposed model, focusing on the specific impact on the payoffs of the two parties' differing capabilities and differing decision costs. This can not only raise the penetration tester's success rate but also allow the system defender to make targeted defence enhancements to the system based on the defence payoff matrix.
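As an added illustration of the kind of computation the abstract describes, the following Python example (not code from the paper, and not its payoff formulas) builds a small attack-defence bimatrix game from constructed scores for two web vulnerability classes on the four dimensions named above (exploit difficulty, detection difficulty, hazard, prevalence), adds an attacker decision cost and a defender hardening cost, scales outcomes by assumed attacker and defender capability, and then solves for Nash equilibria. The payoff model (`expected_damage`), the vulnerability scores and the cost values are all assumptions chosen for the example; the Nash-equilibrium solver is the standard pure-strategy check plus the indifference condition for a fully mixed 2x2 equilibrium.

```python
from fractions import Fraction as F
from typing import Dict, List, Optional, Tuple

# Constructed scores (assumption, not the paper's data) for two web vulnerability
# classes on the four dimensions the abstract names; every value lies in [0, 1].
VULNS: Dict[str, Dict[str, F]] = {
    "sqli": {"exploit_difficulty": F(3, 10), "detect_difficulty": F(1, 2),
             "hazard": F(9, 10), "prevalence": F(3, 5)},
    "xss":  {"exploit_difficulty": F(1, 10), "detect_difficulty": F(7, 10),
             "hazard": F(2, 5), "prevalence": F(9, 10)},
}
ATTACK_COST = {"sqli": F(1, 20), "xss": F(1, 50)}   # attacker's decision cost per attempt (assumed)
DEFEND_COST = {"sqli": F(3, 100), "xss": F(1, 50)}  # defender's cost of hardening that class (assumed)

Matrix = List[List[F]]


def expected_damage(vuln: str, defended: bool, attacker_skill: F, defender_skill: F) -> F:
    """Hypothetical payoff model: success chance scales with attacker skill against
    exploit difficulty, is cut by defender skill when that class is hardened, and
    only undetected exploits (weighted by detect_difficulty) become realised damage."""
    v = VULNS[vuln]
    p_success = attacker_skill * (1 - v["exploit_difficulty"])
    if defended:
        p_success *= (1 - defender_skill)
    return p_success * v["detect_difficulty"] * v["hazard"] * v["prevalence"]


def payoff_matrices(attacker_skill: F, defender_skill: F) -> Tuple[Matrix, Matrix]:
    """Rows = class the attacker targets, columns = class the defender hardens.
    Returns (attacker payoff matrix, defender payoff matrix)."""
    names = list(VULNS)
    A = [[F(0)] * len(names) for _ in names]
    D = [[F(0)] * len(names) for _ in names]
    for i, a in enumerate(names):
        for j, d in enumerate(names):
            dmg = expected_damage(a, a == d, attacker_skill, defender_skill)
            A[i][j] = dmg - ATTACK_COST[a]
            D[i][j] = -dmg - DEFEND_COST[d]
    return A, D


def pure_equilibria(A: Matrix, D: Matrix) -> List[Tuple[int, int]]:
    """Strategy pairs where neither side can gain by switching unilaterally."""
    n, m = len(A), len(A[0])
    found = []
    for i in range(n):
        for j in range(m):
            attacker_best = all(A[i][j] >= A[k][j] for k in range(n))
            defender_best = all(D[i][j] >= D[i][l] for l in range(m))
            if attacker_best and defender_best:
                found.append((i, j))
    return found


def mixed_equilibrium_2x2(A: Matrix, D: Matrix) -> Optional[Tuple[F, F]]:
    """Fully mixed Nash equilibrium of a 2x2 bimatrix game.
    Returns (p, q): p = attacker's probability of row 0, q = defender's probability
    of column 0, each chosen so that the *other* side is indifferent."""
    den_p = D[0][0] - D[1][0] - D[0][1] + D[1][1]
    den_q = A[0][0] - A[0][1] - A[1][0] + A[1][1]
    if den_p == 0 or den_q == 0:
        return None
    p = (D[1][1] - D[1][0]) / den_p
    q = (A[1][1] - A[0][1]) / den_q
    if not (0 <= p <= 1 and 0 <= q <= 1):
        return None
    return p, q


def solve(attacker_skill: F, defender_skill: F) -> dict:
    """Assessment for one (attacker capability, defender capability) setting."""
    A, D = payoff_matrices(attacker_skill, defender_skill)
    return {
        "attacker_payoffs": A,
        "defender_payoffs": D,
        "pure": pure_equilibria(A, D),
        "mixed": mixed_equilibrium_2x2(A, D),
    }


if __name__ == "__main__":
    result = solve(F(4, 5), F(1, 2))  # constructed capabilities: strong attacker, average defender
    names = list(VULNS)
    for i, a in enumerate(names):
        for j, d in enumerate(names):
            print(f"attack {a:4} / harden {d:4}: attacker {float(result['attacker_payoffs'][i][j]):+.4f}"
                  f"  defender {float(result['defender_payoffs'][i][j]):+.4f}")
    print("pure equilibria:", result["pure"])
    p, q = result["mixed"]
    print(f"mixed equilibrium: attacker targets {names[0]} with p={float(p):.3f}, "
          f"defender hardens {names[0]} with q={float(q):.3f}")
```

With these constructed numbers the game has no pure equilibrium (wherever the defender hardens, the attacker prefers the other class, and the defender in turn wants to harden whatever the attacker targets), so the useful output is the mixed equilibrium: the defender's equilibrium hardening mix is the "targeted defence enhancement" the abstract refers to, and re-running `solve` with different capability or cost values shows how those parameters shift it.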