This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Security Analysis of Web-based Academic Information System using OWASP Framework
Corresponding Author: Muhammad Ihya Aulia Elfatiha
Kinetik: Game Technology, Information System, Computer Network, Computing, Electronics, and Control, Vol. 9, No. 4, November 2024
Abstract
The Academic Information System plays a crucial role in managing student, faculty, and campus administration data efficiently. Its security, however, must be a primary concern, because such systems are exposed to cyber attacks. This research analyzes the security of the Academic Information System at the Muhammadiyah Business Institute Bekasi. The method is a comprehensive security analysis based on the OWASP framework, covering identification of potential vulnerabilities, penetration testing, and recommendations for system improvement. Testing is conducted through simulated attacks derived from the OWASP Top Ten Most Critical Web Application Security Risks. The results indicate that the system is vulnerable to Broken Authentication due to weak passwords, Sensitive Data Exposure due to URLs that expose directories directly, and Security Misconfiguration due to open protocols. In CVSS scoring, Broken Authentication scored 4.8 (Medium), Sensitive Data Exposure and Security Misconfiguration each scored 5.3 (Medium), and Cross-Site Scripting and Using Components with Known Vulnerabilities each scored 2.0 (Low), while SQL Injection, XXE, Broken Access Control, Insecure Deserialization, and Insufficient Logging and Monitoring scored 0.0 (No Vulnerability). Recommendations for future improvement include updating the system regularly to prevent new security vulnerabilities, better server configuration, and routine system monitoring so that suspicious activity is detected promptly.