Web Application Penetration Testing on Udayana University's OASE E-learning Platform Using Information System Security Assessment Framework (ISSAF) and Open Source Security Testing Methodology Manual (OSSTMM)

PDF (638 KB), pp. 45-56


Author(s)

I Gusti Agung Surya Pramana Wijaya 1,*, Gusti Made Arya Sasmita 1, I Putu Agus Eka Pratama 1

1. Dept of Information Technology, Faculty of Engineering, Udayana University, Bali, Indonesia

* Corresponding author.

DOI: https://doi.org/10.5815/ijitcs.2024.02.04

Received: 31 May 2023 / Revised: 4 Jul. 2023 / Accepted: 17 Sep. 2023 / Published: 8 Apr. 2024

Index Terms

ISSAF, OSSTMM, RAV, STAR, Security Testing

Abstract

Education is a field that uses information technology to support academic and operational activities. One of the technologies widely used in the education sector is web-based applications. Web-based technologies are exposed to exploitation by attackers, which makes strong security measures in web-based systems important. As an educational organization, Udayana University uses a web-based application called OASE. As a web-based system, OASE requires thorough security verification. Penetration testing is conducted to assess the security of OASE. This testing can be performed using the ISSAF and OSSTMM frameworks. Penetration testing based on the ISSAF framework consists of 9 steps, while assessment under the OSSTMM framework consists of 7 steps. The results of the OASE penetration testing revealed several system vulnerabilities. Across the ISSAF phases, only 4 vulnerabilities and 3 information-level vulnerabilities were identified in the final OASE test results. Recommendations for addressing these vulnerabilities are as follows. Implement a Web Application Firewall (WAF) to reduce the risk of common web attacks on the OASE web application. Apply input and output validation to prevent the injection of malicious scripts, addressing the stored XSS vulnerability. Update the server software regularly and check directory permissions to remove unnecessary information files and prevent unauthorized access. Configure a content security policy on the web server to mitigate and prevent potential exploitation by attackers.

Cite This Paper

I Gusti Agung Surya Pramana Wijaya, Gusti Made Arya Sasmita, I Putu Agus Eka Pratama, "Web Application Penetration Testing on Udayana University's OASE E-learning Platform Using Information System Security Assessment Framework (ISSAF) and Open Source Security Testing Methodology Manual (OSSTMM)", International Journal of Information Technology and Computer Science (IJITCS), Vol. 16, No. 2, pp. 45-56, 2024. DOI: 10.5815/ijitcs.2024.02.04
