Security Analysis of the Final Project Information System (SITASI) Website using Penetration Testing Method

Rengga Renaldi, Mona Fronita, Tengku Khairil Ahsyar, Muhammad Jazman

Abstract


The Final Project Information System (SITASI) website plays a critical role in supporting academic administrative processes at the Faculty of Science and Technology, UIN Sultan Syarif Kasim Riau. This study aims to evaluate the website’s security level following recent maintenance using penetration testing, conducted with the OWASP Zed Attack Proxy (ZAP) tool. The testing revealed eight vulnerabilities, including two classified as medium risk, four as low risk, and two informational. The medium-risk issues involved the absence of an Anti-CSRF token and the lack of a Content Security Policy (CSP), both of which could expose the system to attacks such as CSRF and XSS. The low-risk findings included loading JavaScript from third-party domains, information disclosure via X-Powered-By and Server headers, and the absence of HTTP Strict Transport Security (HSTS). The two informational findings involved suspicious comments in the code and improper Cache-Control settings. Remediation actions were implemented based on OWASP security best practices, including the integration of CSRF tokens, configuration of CSP and HSTS headers, and removal of sensitive information from server responses. A follow-up evaluation confirmed that all identified risks had been successfully mitigated. This study highlights that penetration testing combined with standard-based mitigation is effective in enhancing web application security resilience, particularly within academic environments.

Keywords


penetration testing; OWASP ZAP; website security

Full Text:

PDF

References


Y. Mulyanto, E. Haryanti, dan J. Jumirah, “Analisis Keamanan Website SMAN 1 Sumbawa menggunakan Metode Vulnerability Asesement: Analisis Keamanan Website SMAN 1 Sumbawa menggunakan Metode Vulnerability Asesement,” Jurnal Informatika Teknologi dan Sains (Jinteks), Vol. 3, No. 3, hlm. 394–400, 2021.

A. Prahendratno dkk., Strategi Bisnis Digital: Optimalisasi & Otomtisasi Sebuah Bisnis menggunakaan Media Digital. PT. Sonpedia Publishing Indonesia, 2023.

M. R. Ardiansyah dkk., “Analisis Kerentanan Keamanan Website menggunakan Metode PTES (Penetration Testing Execution And Standart),” Nuansa Informatika, Vol. 18, No. 2, hlm. 145–153, 2024.

A. F. Hasibuan dan D. Handoko, “Analisis Keretanan Website dengan Aplikasi Owasp Zap,” Jurnal Ilmu Komputer dan Sistem Informasi, Vol. 2, No. 2, hlm. 257–270, 2023.

H. Sofyan, M. Sugiarto, dan B. M. Akbar, “Implementation of Penetration Testing on Websites to Improve Security of Information Assets UPN ‘Veteran’ Yogyakarta,” Telematika: Jurnal Informatika dan Teknologi Informasi, Vol. 20, No. 2, hlm. 153–162, 2023.

Y. T. A. Rosaliah, J. Jayanta, dan B. Hananto, “Pengujian Celah Keamanan Website menggunakan Teknik Penetration Testing dan Metode OWASP TOP 10 pada Website SIM xxx,” dalam Prosiding Seminar Nasional Mahasiswa Bidang Ilmu Komputer dan Aplikasinya, 2021, hlm. 752–761.

B. Ghozali, K. Kusrini, dan S. Sudarmawan, “Mendeteksi Kerentanan Keamanan Aplikasi Website menggunakan Metode Owasp (Open Web Application Security Project) untuk Penilaian Risk Rating,” Creative Information Technology Journal, Vol. 4, No. 4, hlm. 264–275, 2019.

F. Fachri, A. Fadlil, I. Riadi, A. Dahlan, Y. Jln Soepomo, dan I. Artikel, “Analisis Keamanan Webserver menggunakan Penetration Test,” J. Inform, Vol. 8, No. 2, hlm. 183–190, 2021.

E. Abdillah, R. Khoriyah, A. Abqariy, dan P. Susilo, “Pengembangan Keamanan Website menggunakan Teknik Penetration Testing dan DAST (Dynamic Application Security Testing),” Media Jurnal Informatika, Vol. 14, hlm. 112, Des 2022, doi: 10.35194/mji.v14i2.2546.

J. N. Ginting, “Perancangan dan Pembuatan Sistem Informasi Penerimaan Mahasiswa Baru berbasis Website,” Jurnal Nasional Teknologi Komputer, Vol. 2, No. 2, hlm. 51–59, 2022.

W. Wiyanto, S. Fadhilah, dan A. Siswandi, “E-Tourism sebagai Media Wisata Kabupaten Bekasi berbasis Website,” Journal of Practical Computer Science, Vol. 2, No. 1, hlm. 1–14, 2022, doi: 10.37366/jpcs.v2i1.1035.

S. Hidayatulloh dan D. Saptadiaji, “Penetration Testing pada Website Universitas ARS menggunakan Open Web Application Security Project (OWASP),” Jurnal Algoritma, Vol. 18, No. 1, hlm. 77–86, 2021.

D. F. Priambodo, A. D. Rifansyah, dan M. Hasbi, “Penetration Testing Web XYZ berdasarkan OWASP Risk Rating,” Teknika, Vol. 12, No. 1, hlm. 33–46, 2023.

G. Guntoro, L. Costaner, dan M. Musfawati, “Analisis Keamanan Web Server Open Journal System (OJS) menggunakan Metode ISSAF dan OWASP (Studi Kasus OJS Universitas Lancang Kuning),” JIPI (Jurnal Ilmiah Penelitian Dan Pembelajaran Informatika), Vol. 5, No. 1, hlm. 45–55, 2020.

P. Jarupunphol, S. Seatun, dan W. Buathong, “Measuring Vulnerability Assessment Tools’ Performance on the University Web Application.,” Pertanika J Sci Technol, Vol. 31, No. 6, 2023.

Y. Yudiana, A. Elanda, dan R. L. Buana, “Analisis Kualitas Keamanan Sistem Informasi E-Office berbasis Website pada STMIK Rosma dengan menggunakan OWASP Top 10,” CESS (Journal of Computer Engineering, System and Science), Vol. 6, No. 2, hlm. 185–191, 2021.

G. H. Editya dan S. Mulyati, “Aplikasi Mobile One Time Password nenggunakan Algoritma MD5 dan SHA1 untuk meningkatkan Keamanan Website,” SKANIKA: Sistem Komputer dan Teknik Informatika, Vol. 1, No. 2, hlm. 618–623, 2018.

J. T. Santoso, “Teknologi Keamanan Siber (Cyber Security),” Penerbit Yayasan Prima Agus Teknik, hlm. 1–173, 2023.




DOI: https://doi.org/10.32520/stmsi.v14i5.5406

Article Metrics

Abstract view : 0 times
PDF - 0 times

Refbacks

  • There are currently no refbacks.


Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.