Security Testing of XYZ Website Application Using ISSAF and OWASP WSTG v4.2 Methods
DOI: https://doi.org/10.34148/teknika.v14i1.1156
Keywords: ISSAF, Penetration, Vulnerability, Website, WSTG V4.2
Abstract
The research focuses on improving the security of information systems in ABC City, specifically the XYZ website application developed by the Communication and Informatics Office ABC to support governmental administration and manage various critical data. The study is motivated by the high incidence of cybersecurity threats in the governmental administration sector reported by Badan Siber dan Sandi Negara in November 2023. Its primary objective is to identify security vulnerabilities within the XYZ website application. The research employs the Information Systems Security Assessment Framework (ISSAF) as the primary security testing framework and the OWASP Web Security Testing Guide (WSTG) version 4.2 as the guide for the penetration testing phase, the ISSAF stage in which vulnerabilities are validated. Validated vulnerabilities are then rated for severity using the OWASP Risk Rating guidelines to estimate the risk and impact of potential attacks on the Communication and Informatics Office ABC. Testing follows a black-box approach, and the resulting security recommendations are structured using the SMAACT method. The research delivers a report on the identified vulnerabilities together with recommendations that the Communication and Informatics Office ABC can implement to address them. The findings are expected to provide insight into the security vulnerabilities present in the website application and practical recommendations for improvement, benefiting both the practical context of strengthening information security at the Communication and Informatics Office ABC and the theoretical context as a reference for similar future research.

Copyright (c) 2025 Teknika

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.