Vulnerability Assessment and Penetration Testing on Student Service Center System


Khairunnisak Isnaini(1*); Muhammad Hasyim Asyari(2); Sigit Fathu Amrillah(3); Didit Suhartono(4);

(1) Universitas Amikom Purwokerto
(2) Universitas Amikom Purwokerto
(3) Universitas Amikom Purwokerto
(4) Universitas Amikom Purwokerto
(*) Corresponding Author

  

Abstract


The number of system breaches has recently increased across various sectors, including the education sector. These breaches are carried out through various methods such as SQL Injection, XSS Attack, web defacement, malware, and others. Security vulnerabilities in the system also pose a potential threat to the Student Service Center owned by XYZ University, which stores a significant amount of confidential and sensitive data. The worst impact of all is the system is paralyzed, damaging the ongoing performance and reputation of institutions. The purpose of this research is to identify security vulnerabilities in the system using the Vulnerability Assessment and Penetration Testing (VAPT) method. The results showed that the system identified file upload functionality that poses a risk of being exploited for security attacks. Additionally, file path traversal can allow unauthorized access to directories, potentially enabling the injection of malicious code. Future research could explore the application of machine learning to enhance security measures and streamline the penetration testing process


Keywords


Information Security; Penetration Testing; Security; Vulnerability; Vulnerability Assessment and Penetration Testing (VAPT)

  
  

Full Text:

PDF
  

Article Metrics

Abstract view: 150 times
PDF view: 96 times
     

Digital Object Identifier

doi  https://doi.org/10.33096/ilkom.v16i2.1969.161-171
  

Cite

References


A. Saeful, “Teknologi Dalam Bingkai Pendidikan,” AL Fikr. J. Pemikir. dan Pendidik. Islam, vol. 2, no. 1, pp. 41–54, 2022, doi : 10.51476/alfikrah.v2i1.357.

A. R. M. Aditya, A. W. O. K. Putri, D. L. Musthofa, and P. Widodo, “Serangan Hacking Tools sebagai Ancaman Siber dalam Sistem Pertahanan Negara (Studi Kasus: Predator),” Glob. Polit. Stud. J., vol. 6, no. 1, pp. 35–46, 2022, doi : 10.34010/gpsjournal.v6i1.6698.

K. Isnaini, G. J. Nofita Sari, and A. P. Kuncoro, “Analisis Risiko Keamanan Informasi Menggunakan ISO 27005:2019 pada Aplikasi Sistem Pelayanan Desa,” J. Eksplora Inform., vol. 13, no. 1, pp. 37–45, 2023, doi : 10.30864/eksplora.v13i1.696.

K. N. Isnaini and D. Suhartono, “Security Analysis of Simpel Desa using Mobile Security Framework and ISO 27002:2013,” INTENSIF J. Ilm. Penelit. dan Penerapan Teknol. Sist. Inf., vol. 7, no. 1, pp. 84–105, 2023, doi : 10.29407/intensif.v7i1.18742.

Incident Response Team BSSN, “Paduan Penanganan Insiden Web Defacement Judi Online,” Badan Siber dan Sandi Negara, 2023.

M. Albalawi, R. Aloufi, N. Alamrani, N. Albalawi, A. Aljaedi, and A. R. Alharbi, “Website Defacement Detection and Monitoring Methods: A Review,” Electron., vol. 11, no. 21, 2022, doi: 10.3390/electronics11213573.

T. H. Nguyen, X. Dau Hoang, and D. D. Nguyen, “Detecting Website Defacement Attacks using Web-page Text and Image Features,” Int. J. Adv. Comput. Sci. Appl., vol. 12, no. 7, pp. 215–222, 2021, doi: 10.14569/IJACSA.2021.0120725.

M. Fadli Mutaqin and D. Ferdiansyah, “Identifikasi Kerentanan Terhadap Serangan Slot Backdoor Pada Website di Indonesia Dengan Menggunakan Metode OSINT,” J. Pas. Inform., vol. 1, no. 2, pp. 2986–5360, 2022.

D. Suhartono and K. N. Isnaini, “Strategi Recovery Plan Teknologi Informasi di Perguruan Tinggi Menggunakan Framework NIST SP 800-34,” MATRIK J. Manajemen, Tek. Inform. dan Rekayasa Komput., vol. 20, no. 2, pp. 261–272, 2021, doi: 10.30812/matrik.v20i2.1097.

A. A. Almutairi, S. Mishra, and M. AlShehri, “Web Security: Emerging Threats and Defense,” Comput. Syst. Sci. Eng., vol. 40, no. 3, pp. 1233–1248, 2021.

H. Kapodistria, S. Mitropoulos, and C. Douligeris, “An advanced web attack detection and prevention tool,” Inf. Manag. Comput. Secur., vol. 19, no. 5, pp. 280–299, 2011, doi: 10.1108/09685221111188584.

J. Huang, Y. Li, J. Zhang, and R. Dai, “UChecker: Automatically Detecting PHP-Based Unrestricted File Upload Vulnerabilities,” in 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019, 2019, no. June 2019, pp. 581–592, doi: 10.1109/DSN.2019.00064.

J. Huang, J. Zhang, J. Liu, C. Li, and R. Dai, “UFuzzer: Lightweight Detection of PHP-based unrestricted file upload vulnerabilities via static-fuzzing co-analysis,” in RAID ’21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, 2021, pp. 78–90, doi: 10.1145/3471621.3471859.

A. D. Riyanto, M. Pinilih, A. Oktaviani, and E. Riyani, “Evaluasi Website Universitas Amikom Purwokerto,” JATISI, vol. 9, no. 2, pp. 1–5, 2022.

E. Marwati and D. Krisbiantoro, “Analisis Tingkat Kepuasan Pengguna Web Students Universitas Amikom Purwokerto Menggunakan Metode Eucs,” J. Inf. Syst. Manag., vol. 4, no. 2, pp. 67–72, 2023, doi: 10.24076/joism.2023v4i2.902.

W. B. Demilie and F. G. Deriba, “Detection and prevention of SQLI attacks and developing compressive framework using machine learning and hybrid techniques,” J. Big Data, vol. 9, no. 1, 2022.

A. Alanda, D. Satria, M. Isthofa Ardhana, A. A. Dahlan, and A. Mooduto, “Web Application Penetration Testing Using SQL Injection Attack,” JOIV Int. J. Informatics Vis., vol. 5, no. September, pp. 320–326, 2021, doi : 10.30630/joiv.5.3.470.

A. Alotaibi, L. Alghufaili, and D. M. Ibrahim, “Cross Site Scripting Attack Review,” ISeCure, vol. 13, no. 3 Special Issue, pp. 21–30, 2021.

R. Ananda Putra, I. Alnaurus Kautsar, HIndarto, and Sumarno, “Detection and Prevention of Insecure Direct Object References (IDOR) in Website-Based Applications Deteksi dan Pencegahan Insecure Direct Object References (IDOR) Pada Aplikasi Berbasis Website,” in Seminar Nasional & Call Paper Fakultas Sains dan Teknologi, 2023, vol. 4, no. June, doi: 10.1186/s40537-022-00678-0.

A. Fadlil, I. Riadi, and F. Fachri, “Mitigation Web Server for Cross-Site Scripting Attack Using Penetration Testing Method,” Int. J. Saf. Secur. Eng., vol. 12, no. 2, pp. 201–208, 2022.

B. Fachriandi and T. Dirgahayu, “Kepedulian Keamanan Informasi di Pemerintahan: Praktik Manajemen dan Dampaknya,” J. Manaj. Inform., vol. 11, no. 1, pp. 72–87, 2021, doi: 10.34010/jamika.v11i1.4584.

H. M. Adam and G. D. Putra, “A Review of Penetration Testing Frameworks , Tools , and Application Areas,” in 2023 IEEE 7th International Conference on Information Technology, Information Systems and Electrical Engineering (ICITISEE), 2024, no. November 2023, pp. 319–324, doi: 10.1109/ICITISEE58992.2023.10404397.

Clintswood, D. G. Lie, L. Kuswandana, Nadia, S. Achmad, and D. Suhartono, “The Usage of Machine Learning on Penetration Testing Automation,” in International Conference on Electronic and Electrical Engineering and Intelligent System (ICE3IS), 2023, no. February 2024, doi: 10.1109/ICE3IS59323.2023.10335188.

A. Hasan and D. Meva, “Web Application Safety by Penetration Testing,” in International Conference on Cyber Security (ICCS), 2018, no. March, pp. 159–163.

M. F. Safitra, M. Lubis, and A. Widjajarto, “Security Vulnerability Analysis using Penetration Testing Execution Standard (PTES): Case Study of Government’s Website,” in Proceedings of the 2023 6th International Conference on Electronics, Communications and Control Engineering, 2023, no. August, pp. 139–145, doi: 10.1145/3592307.3592329.

L. Wang, R. Abbas, F. M. Almansour, G. S. Gaba, R. Alroobaea, and M. Masud, “An empirical study on vulnerability assessment and penetration detection for highly sensitive networks,” J. Intell. Syst., vol. 30, no. 1, pp. 592–603, 2021.

A. Almaarif and M. Lubis, “Vulnerability Assessment and Penetration Testing (VAPT) Framework: Case Study of Government’s Website,” Int. J. Adv. Sci. Eng. Inf. Technol., vol. 10, no. 5, pp. 1874–1880, 2020, doi: 10.18517/ijaseit.10.5.8862.

N. E. A. Ismail, N. H. Ali, M. A. Jalil, F. Yunus, and A. D. Jarno, “A Proposed Framework of Vulnerability Assessment and Penetration Testing (VAPT) in Cloud Computing Environments from Penetration Tester Perspective,” J. Adv. Res. Appl. Sci. Eng. Technol., vol. 39, no. 1, pp. 1–14, 2024, doi: 10.37934/araset.39.1.114.

B. W. Retna Mulya and A. Tarigan, “Pemeringkatan Risiko Keamanan Sistem Jaringan Komputer Politeknik Kota Malang Menggunakan Cvss Dan Fmea,” Ilk. J. Ilm., vol. 10, no. 2, pp. 190–200, 2018.

A. M. Ibrahim, T. Defisa, and H. B. Seta, “Analisis Keamanan Sistem pada Website Perusahaan CV. Kazar Teknologi Indonesia dengan Metode Vulnerability Assesment and Penetration Testing (VAPT),” in Seminar Nasional Mahasiswa Ilmu Komputer dan Aplikasinya (SENAMIKA), 2022, no. April, pp. 312–325.

M. Alhamed and M. M. H. Rahman, “A Systematic Literature Review on Penetration Testing in Networks: Future Research Directions,” MDPI J. Appl. Sci., vol. 13, no. 12, 2023, doi: 10.3390/app13126986.

M. TanLi, Y. Zhang, Y. Wang, and Y. Jiang, “Grey-box technique of software integration testing based on message,” J. Phys. Conf. Ser., vol. 2025, no. 1, 2021, doi: 10.1088/1742-6596/2025/1/012096.

Y. Khera, D. Kumar, Sujay, and N. Garg, “Analysis and Impact of Vulnerability Assessment and Penetration Testing. 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon),” in 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon), 2019, pp. 525–530, doi: 10.1109/COMITCon.2019.8862224.

B. A. Chandrakant and J. P. Prakash, “Vulnerability Assessment and Penetration Testing As Cyber Defence,” Int. J. Eng. Appl. Sci. Technol., vol. 4, no. 2, pp. 72–76, 2019, doi: 10.1016/j.procs.2015.07.458.

M. Chawda, D. P. Sharma, and M. J. Patel, “Deep Dive into Directory Traversal and File Inclusion Attacks leads to Privilege Escalation,” Int. J. Sci. Res. Sci. Eng. Technol., vol. 4099, pp. 115–120, 2021.


Refbacks

  • There are currently no refbacks.


Copyright (c) 2024 Khairunnisak Isnaini, Muhammad Hasyim Asyari, Sigit Fathu Amrillah, Didit Suhartono

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.