Analysis and Improvement of an Agribusiness Web Information System Security using Grey-Box and White-Box Testing

M. Isma Halil, Mansur Mansur

Abstract

This study aims to analyze and improve the security of the SawitGoDigi Palm Oil Harvest Recording Information System using grey-box and white-box testing approaches. The system is used by farmers, agents, drivers, and administrators to manage land data, harvest results, distribution, and transaction records, which makes it highly exposed to security risks if vulnerabilities are present. The security testing process was conducted based on the OWASP Web Security Testing Guide (WSTG) v4.2 and the OWASP Risk Rating Methodology. The testing stages included reconnaissance, automated scanning using OWASP ZAP, manual exploitation, risk evaluation, implementation of security improvements, and retesting. The results revealed several significant vulnerabilities, including SQL Injection in the search feature, weak session management through the trusted_device cookie, and the absence of a rate-limiting mechanism that enabled brute-force attacks during the login process. The risk assessment indicated that SQL Injection and session hijacking were classified as High risk, while brute-force attacks were categorized as Medium risk. Security improvements were implemented through the use of prepared statements, strengthening cookie attributes, adding security headers, and implementing rate limiting. Retesting results confirmed that all identified vulnerabilities were successfully mitigated and reduced to a Low-risk level. This study demonstrates that a comprehensive security testing approach, which includes exploitation, remediation, and verification through retesting, can significantly enhance the security of agribusiness web applications. Furthermore, the findings show that before remediation, the system contained four vulnerabilities with High and Medium risk levels, namely SQL Injection, Session Hijacking, Brute-Force Login, and Security Misconfiguration. After the remediation and retesting process, all High- and Medium-risk vulnerabilities were successfully reduced to Low risk or marked as Closed, indicating that the system is secure for operational use.
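Two of the remediations named in the abstract, prepared statements for the search feature and rate limiting on login, are illustrated below. This is an added example written for this page, not code from the SawitGoDigi system or the authors; the harvest table, the farmer names and the limiter thresholds are constructed assumptions, and SQLite stands in for whatever database the system actually uses.

```python
import sqlite3
import time
from collections import defaultdict, deque

def build_db():
    # Constructed in-memory table standing in for the harvest-record store (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE harvest (id INTEGER PRIMARY KEY, farmer TEXT, tonnage REAL)")
    db.executemany("INSERT INTO harvest(farmer, tonnage) VALUES (?, ?)",
                   [("Budi", 2.5), ("Siti", 3.1), ("Nur'aini", 1.8)])
    return db

def search_vulnerable(db, term):
    # String concatenation: the search term is parsed as part of the SQL grammar,
    # so any quote or operator in it changes the statement itself.
    sql = "SELECT farmer FROM harvest WHERE farmer LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]

def search_fixed(db, term):
    # Prepared statement: the term is bound as a value and can never alter the query.
    sql = "SELECT farmer FROM harvest WHERE farmer LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

def demonstrate(term="Nur'a"):
    # A legitimate apostrophe already breaks the concatenated query; the prepared
    # version returns the matching farmer. Returns both outcomes for comparison.
    db = build_db()
    try:
        naive = search_vulnerable(db, term)
    except sqlite3.OperationalError as exc:
        naive = "error: " + str(exc)
    return {"naive": naive, "prepared": search_fixed(db, term)}

class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` login attempts per `window` seconds per key
    (e.g. client IP or username). `now` is injectable so behaviour can be tested offline."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.attempts = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.attempts[key]
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:                 # over budget: reject before checking credentials
            return False
        q.append(now)
        return True
```

The limiter should be applied before the password check so that rejected attempts cost no database work and are logged as a signal for brute-force detection.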

Keywords

web application security; OWASP; penetration testing; grey-box testing; agribusiness system


DOI: https://doi.org/10.32520/stmsi.v15i2.5939


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.