Vulnerability Analysis of Indonesian Ecommerce Website

学校代码：研究生学号： 1201590108
中国地质大学
硕士学位论文
印度尼西亚电子商务网站的脆弱性分析
姓名： Dona Pramana Pura

专业学位类型：专业型
指导教师：颜雪松
邹华清
培养单位：计算机学院
二○一九年三月
A Dissertation Submitted to China University of Geosciences
For the Master Degree of Computer Science
VULNERABILITY ANALYSIS OF
INDONESIAN ECOMMERCE WEBSITE
Master Candidate： Dona Pramana Pura

Major： Computer Science
Supervisor：颜雪松
邹华清
China University of Geosciences

Wuhan 430074 P.R. China
中国地质大学（武汉）研究生学位论文原创性声明
本人郑重声明：本人所呈交的硕士学位论文《 VULNERABILITY
ANALYSIS OF INDONESIAN ECOMMERCE WEBSITE》，是本人在导师的
指导下，在中国地质大学（武汉）攻读硕士学位期间独立进行研究
工作所取得的成果。论文中除已注明部分外不包含他人已发表或撰
写过的研究成果，对论文的完成提供过帮助的有关人员已在文中说
明并致以谢意。
本人所呈交的硕士学位论文没有违反学术道德和学术规范，没
有侵权行为，并愿意承担由此而产生的法律责任和法律后果。
学位论文作者签名：
Dona Pramana Pura
日期： 2019 年 5 月 2 日
中国地质大学（武汉）研究生学位论文导师承诺书
本人郑重承诺：本人所指导的硕士学位论文《 VULNERABILITY
ANALYSIS OF INDONESIAN ECOMMERCE WEBSITE》，是在本人的指导
下，研究生在中国地质大学（武汉）攻读硕士学位期间独立进行研
究工作所取得的成果，论文由研究生独立完成。
研究生所呈交的硕士学位论文没有违反学术道德和学术规范，没
有侵权行为，并愿意承担由此而产生的与导师相关的责任和后果。
指导教师（签字）：
日期：2019 年月日
中国地质大学（武汉）研究生学位论文导师承诺书
本人郑重承诺：本人所指导的硕士学位论文《 VULNERABILITY
ANALYSIS OF INDONESIAN ECOMMERCE WEBSITE》，是在本人的指导
下，研究生在中国地质大学（武汉）攻读硕士学位期间独立进行研
究工作所取得的成果，论文由研究生独立完成。
研究生所呈交的硕士学位论文没有违反学术道德和学术规范，没
有侵权行为，并愿意承担由此而产生的与导师相关的责任和后果。
指导教师（签字）：
日期：2019 年月日
中国地质大学（武汉）学位论文使用授权书
本人授权中国地质大学（武汉）可采用影印、缩印、数字化或
其它复制手段保存本学位论文；学校可向国家有关部门或机构送交
本学位论文的电子版全文，编入有关数据库进行检索、下载及文献
传递服务；同意在校园网内提供全文浏览和下载服务。
涉密论文解密后适用于本授权书。
学位论文作者签名：
日期：2019 年 5 月 22 日
ABSTRACT
Over the past few decades, the number of internet user has been increasing
significantly. In 2018, there are now more than 4 billion people around the world
connecting to the internet. Along with it, the ecommerce website is also experiencing
rapid development in the current era of digital technology, including in Indonesia.
Important data owned by the ecommerce website makes website vulnerability is a
serious threat to those websites. A large number of financial transaction data and
personal user data is the reason why the ecommerce website is one website that is
often targeted for hacking.
There are several research related to vulnerability analysis of a website. Most
of those research focused on the implementation and methods for finding security
holes on a website. It is still very difficult to find research related to the discover the
vulnerability on ecommerce websites in Indonesia. This encourages the writer to do
research related to this.
In this thesis, a test was conducted to find out the potential vulnerability in ten
biggest ecommerce website in Indonesia based on the Open Web Application
Security Project (OWASP) standard. Open Web Application Security Project
(OWASP) is a worldwide free, open community focused on enlightening the security
of software (application) and also Non-Profit Charitable Organization with the
mission to make software security visible to persons and organizations to brand
informed choices about their software security risks. Action research and penetration
testing methods are chosen to find the potential vulnerability of each website. This
research is also conducted to find the level of risk and recommend solutions to
improve the security problem.
In this study, various kinds of potential security problem were found on each
website. There are 15 types of potential vulnerability found, but none of them has a
high level of risk. Cross-Domain JavaScript Source Files Inclusion is the most
common security problem in the ten websites. Whereas Session ID in URL Rewrite,
Secure Page Include Mixed Content, X-Frame-Options Settings Malforms are the
least found security problem. At the end of the research, the writer recommends a
solution to fix the security problem. Thus, the paper contributes to the understanding
of web security risk in the Indonesian ecommerce websites.
Keyword: ecommerce, web vulnerability, OWASP

摘要
在过去的几十年里，互联网用户的数量显著增加。2018 年，全球有超过
40 亿人接入互联网。与此同时，电子商务网站也在当前的数字技术时代得到了
快速发展，包括在印度尼西亚。电子商务网站所拥有的重要数据使网站的脆弱
性成为这些网站的严重威胁。大量的金融交易数据和个人用户数据是电子商务
网站成为黑客攻击目标的原因。
有几个研究与网站的脆弱性分析有关。这些研究大多集中于在网站上寻
找安全漏洞的实现和方法。在印度尼西亚发现电子商务网站的脆弱性仍然是一
个非常困难的研究课题。这鼓励作者做与此相关的研究。
本文基于 Open Web Application Security Project（OWASP）标准，对印
度尼西亚十大电子商务网站的潜在漏洞进行了测试。Open Web Application
Security Project（OWASP）是一个全球性的免费开放社区，致力于提高软件
（应用程序）的安全性，同时也是一个非营利慈善组织，其使命是让个人和组
织能够看到软件安全性，并对其软件安全风险做出明智的选择。选择行动研究
和渗透测试方法来发现每个网站的潜在漏洞。本研究也旨在找出风险水平，并
提出改善安全问题的解决方案。
在这项研究中，每个网站上都发现了各种潜在的安全问题。发现了 15 种
潜在的脆弱性，但都没有高风险。跨域 javascript 源文件包含是十个网站中最常
见的安全问题。虽然 URL 重写中的会话 ID、安全页包含混合内容，但 X-

frame-options 设置格式错误是发现最少的安全问题。在研究的最后，作者提出
了解决安全问题的方案。因此，本文有助于理解印尼电子商务网站的网络安全
风险。
关键词：电子商务、网站漏洞、owasp
CONTENS
TABLE OF CONTENS .............................................................................................. I

LIST OF FIGURES .................................................................................................... III
LIST OF TABLES ...................................................................................................... V
CHAPTER 1 INTRODUCTION ................................................................................ 1
1.1 Background ..................................................................................................... 1
1.2 Problem Statement .......................................................................................... 7
1.3 Research Scope ............................................................................................... 7
1.4 Research Method and Approach ..................................................................... 7
1.5 Organization of Thesis.................................................................................... 10
CHAPTER 2 LIERATUR REVIEW .......................................................................... 12
2.1 Web Vulnerability .......................................................................................... 12
2.1.1 Introduction............................................................................................ 12
2.1.2 Vulnerability Assessment Tools ............................................................ 13
2.1.3 Web Vulnerability Attack Threats ......................................................... 15
a. Injection ........................................................................................... 16
b. Cross-Site Scripting (Xss) ............................................................. 17
c. Broken Authentication And Session Management ........................ 18
d. Insecure Direct Object References ................................................ 19
e. Cross-Site Request Forgery (Csrf) ................................................. 19
f. Security Misconfiguration ............................................................. 20
g. Insecure Cryptographic Storage .................................................... 20
h. Failure to Restrict Url Access ........................................................ 21
i. Insufficient Transport Layer Protection .......................................... 21
j. Un-Validated Redirect and Forward ............................................... 21
2.1.4 Web Application Vulnerability Scanners .............................................. 22
2.2 Indonesian Ecommerce Website..................................................................... 27
2.2.1 Growth of Indonesian Ecommerce Website ................................................ 27
2.2.2 Top Ten Indonesian Ecommerce Website ................................................... 28
I
2.3 RELATED WORK ......................................................................................... 47
CHAPTER 3 PENETRATION TESTING ................................................................. 50
3.1 Penetration Testing ......................................................................................... 50
3.1.1 Definition ............................................................................................... 50
3.1.2 Objective ................................................................................................ 50
3.1.3 Testing Needs and Benefits ................................................................... 50
3.1.4 Testing Frequency ................................................................................. 51
3.1.5 Process of Penetration Testing............................................................... 52
3.2 OWASP ZAP .................................................................................................. 53
3.2.1 Introduction............................................................................................ 53
3.2.2 Zap Features........................................................................................... 54
3.2.3 Finding Issues ........................................................................................ 57
CHAPTER 4 RESULT ............................................................................................... 66
4.1 Testing Result ................................................................................................. 66
4.2 Vulnerability Analysis .................................................................................... 76
4.2.1 Vulnerability Mapping and Comparation .............................................. 76
4.2.2 Vulnerability Description and Recommendation Solution .................... 80
CHAPTER 5 CONCLUSION AND FURTHER WORK .......................................... 86
5.1 Conclusion ...................................................................................................... 86
5.2 Further Work .................................................................................................. 87
REFERENCES ........................................................................................................... 88
II
LIST OF FIGURES
Figure 1.1 Internet users per 100 inhabitants ............................................................. 1

Figure 1.2 Internet user growth based on country in 2017 ......................................... 2
Figure 1.3 Number of attacks per sector ..................................................................... 3
Figure 1.4 Website target based on country ............................................................... 4
Figure 1.5 The wave of hacks on 27th of February 2018 .......................................... 5
Figure 1.6 Action research methodology diagram ..................................................... 8
Figure 1.7 Penetration testing diagram ....................................................................... 9
Figure 2.1 Flowchart of SQL injection ....................................................................... 16
Figure 2.2 Cross Site Scripting (XSS) process ........................................................... 18
Figure 2.3 CSRF Scheme ........................................................................................... 20
Figure 2.4 Homepage of Lazada.com. ........................................................................ 29
Figure 2.5 Homepage of mataharimall.com. .............................................................. 31
Figure 2.6 Homepage of Blibli.com ........................................................................... 32
Figure 2.7 Homepage of Zalora.com. ......................................................................... 34
Figure 2.8 Homepage of JD.id.................................................................................... 35
Figure 2.9 Homepage of tokopedia.com .................................................................... 38
Figure 2.10 Homepage of elevania.com ..................................................................... 40
Figure 2.11 Homepage of shopee.com ....................................................................... 41
Figure 2.12 Homepage of bukalapak.com .................................................................. 45
Figure 2.13 Homepage of qoo10.com ........................................................................ 46
Figure 3.1 Flowchart of penetration testing ................................................................ 52
Figure 3.2 OWASP ZAP layout. ............................................................................... 54
Figure 3.3 Diagram of how ZAP works ..................................................................... 57
Figure 3.4 Default startup dialog of OWASP ZAP .................................................... 58
Figure 3.5 SSL certificate in OWASP ZAP .............................................................. 59
Figure 3.6 Setting of spider parameter in ZAP OWASP ............................................ 60
Figure 3.7 Setting of AJAX Spider in OWASP ZAP ................................................. 61
Figure 3.8 Setting of Active scan in OWASP ZAP .................................................... 61
III
Figure 3.9 Setting of passive scan in OWASP ZAP ................................................... 62
Figure 3.10 Attack he website using spider feature .................................................... 63
Figure 3.11 Active scan in OWASP ZAP .................................................................. 63
Figure 3.12 Fuzz feature in OWASP ZAP ................................................................. 64
Figure 4.1 Chart of vulnerabilities rank based on testing result. ................................ 78
Figure 4.2 Chart of total number vulnerability found on each website ...................... 80
IV
LIST OF TABLES
Table 4.1 Number of vulnerability alert and risk level found in Lazada.co.id ........... 66
Table 4.2 Number of each vulnerability types of lazada.co.id ................................... 66
Table 4.3 Number of vulnerability alert and risk level found in mataharimall.com .. 67
Table 4.4 Number of each vulnerability types of mataharimall.com ......................... 67
Table 4.5 Number of vulnerability alert and risk level found in blibli.com ............... 68
Table 4.6 Number of each vulnerability types of blibli.com ...................................... 68
Table 4.7 Number of vulnerability alert and risk level found in zalora.com .............. 69
Table 4.8 Number of each vulnerability types of zalora.com..................................... 70
Table 4.9 Number of vulnerability alert and risk level found in jd.id ........................ 70
Table 4.10 Number of each vulnerability types of jd.id ............................................. 71
Table 4.11 Number of vulnerability alert and risk level found in mataharimall.com 71
Table 4.12 Number of each vulnerability types of tokopedia.com............................. 72
Table 4.13 Number of vulnerability alert and risk level found in elevania.com ........ 72
Table 4.14 Number of each vulnerability types of elevania.com ............................... 73
Table 4.15 Number of vulnerability alert and risk level found in shopee.com .......... 73
Table 4.16 Number of each vulnerability types of shopee.com ................................. 74
Table 4.17 Number of vulnerability alert and risk level found in bukalapak.com ..... 74
Table 4.18 Number of each vulnerability types of bukalapak.com ............................ 75
Table 4.19 Number of vulnerability alert and risk level found in qoo10.com ........... 75
Table 4.20 Number of each vulnerability types of qoo10.com .................................. 76
Table 4.21 Rank of vulnerability found in all website ............................................... 76
Table 4.22 Number of vulnerability type found on each website .............................. 79
Table 4.23 Number of each vulnerability type found on each website ...................... 79
V
CHINA UNIVERSITY OF GEOSCIENCE 1
CHAPTER 1
INTRODUCTION
1.1 Background
Over the past few decades, information technology has made a big leap. If we
see the scenario of past 10 years, information technology has been gradually making a
significant positive impact on human life. The Internet and web applications are one
of the most rapidly developed sector of information technology.
The new 2018 Global Digital Suite of reports reveals that there are now more
than 4 billion people around the world using the internet [1]. Over half of the world’s
population is now online, with the latest data showing that nearly a quarter of a billion
new users came online for the first time in 2017. Much of this year’s growth in
internet users has been driven by more affordable smartphones and mobile data plans.
Because the bandwidth costs are significantly getting lower, and developments of
new technologies are continuously growing over the years, Internet services are
widely accessible around the globe and so is the use of Internet services[1-3]. The
chart presented below (figure 1.1) shows that the global Internet users in 2000 were
just around 7 percent of human population, which has been increased to around 48
percent in 2018.
Figure 1.1 Internet users per 100 inhabitants

2 VULNERABILITY ANALYSIS OF INDONESIAN ECOMMERCE WEBSITE
As seen from the figure 1.2, internet users in Indonesia grew 51 percent within
a year. This figure is the largest in the world, far exceeding even the global average
growth of only 10 percent. In the second and third positions are the Philippines and
Mexico, both of which have growth rates of 27 percent [1]. Internet user growth
based on country in 2017 can be seen in figure 2.
Figure 1.2 Internet user growth based on country in 2017

Websites and web application provide a new kind of information system with
common framework based internet that allows users gathered information remotely
among different departments information system. Basic websites also usually used for
marketing, contact information, document download, and so on. According to Mike
Shema[13], Web application used simple architecture, which the Internet or intranet
which connecting the user and application, the hosting of the application is in a
browser-controlled environment, the browser for user execution of the application is
an endpoint device and has a creation of the application with browser-rendered
markup language such hypertext markup language (HTML). Each time the browser
was launched and connected to the website, the user used more than one web
application. As the result, users can run the web application from a netbook, a laptop,
tablet, or smartphone.
Since ecommerce has grown significantly, there has been an exponential
increase in online transactions in the past few years. US online retail sales grew 12.6%
in 2010 to reach $176.2 billion. Seven years later in 2017, retail ecommerce sales
worldwide amounted to 2.3 trillion US dollars and e-retail revenues are projected to
grow to 4.88 trillion US dollars in 2021[4].
According to Positive Technology [5], Ecommerce sites, characterized by an
abundance of web applications, saw the second-highest average number of attacks in
the sample day analyzed. This sector handles large volumes of sensitive consumer
data, such as personal and financial information. The most popular attack vector in
this sector, too, is Path Traversal, which potentially gives attackers access to file
system directories. Denial of Service (DoS) attacks also constitute a significant
portion of attacks (14%), a method that can render web applications inaccessible in a
sector in which uptime is critical.
Figure 1.3 Number of attacks per sector

Research about finding vulnerability of a website has been done by several
researchers. But most of the websites used as research objects are websites of
institutions / organizations or governments. The reason of that is because the
government website is one of the biggest hacking targets every year. However, As
seen from the figure 1.3, ecommerce’s website is also the second biggest target of
hacker attacks.
The selection of the Indonesia ecommerce website as the object of research is
also based on the large number of internet users and also the large number of hacker
attacks on sites in this country. As seen from the figure 1.4, when we dive into the
data and talk about different countries the most targeted ones in February 2018 were
the sites hosted in the United States with 18.729 hacks in total. Indonesia and South
Africa follow with 4679 and 4441 websites.
Figure 1.4 Website target based on country

Because of the rapid growth of internet user and ecommerce website, many
‘Bad Guys’ provoked to play around with it. However, the criminal hackers refer to
the website that has complex application and databases full of sensitive information,
such as social security numbers, credit cards, and so on. The web application can be
vulnerable because of poor software development, testing process and a lack of
maintenance. This also some side effect from too relying on software compilers to
perform error checking, waning user demand for higher quality software and
emphasizing time to market instead of security and quality.
The data that web applications handle, such as credit card numbers and
shopping activity information, typically is of considerable value to the users and the
service providers. In order to be sustainable, web applications should protect the

user’s data from unauthorized access, use, disclosure, disruption, modification,
perusal, inspection, and recording or destruction. However, often, it fails to satisfy
these requirements. The root cause of most security risks on the Web is based on
vulnerabilities in web applications [6], [7].
According to National Vulnerability Database (NVD)[7], the number of
vulnerabilities has lessened since 2009, which means that security measures have
been implemented over the last few years. As shown in figure 1.5, in 2008 the
number of vulnerabilities reported by NVD was 5,632; in 2009, the number of
vulnerabilities increased to 5,733. However, starting from 2010, NVD reported the
decrease of vulnerabilities on the Web: 4,639 in 2010 and 4,151 in 2011.
Nevertheless, the likelihood that at least one vulnerability will appear in a website
remains very high. During 2010, almost every website was exposed, daily, to at least
one highly, critically, or urgently severe vulnerability and 64% of these were exposed
to at least one Information Leakage vulnerability. This has led to a need for
developers to increase their attention to web application security. WebARX shows the
data of the biggest wave of website hacks in February 2018 where hundreds of
WordPress and Joomla sites were infected with ionCube Malware [8].
Figure 1.5 The wave of hacks on 27th of February 2018

One of an important factor in a web application is compliance. Compliance

refers to a whole standardization about IT risk management and security management,
which recognized nationally and internationally. There are many security audit
standards in ICT such as COBIT (Control Objective for Information Security Officer
and Related Technology), ISO (International Organization for Standardization),
Cloud Security Alliance, or ITIL (Information Technology Infrastructure Library).
However, this research will use Open Web Application Security Project
(OWASP) standard. The Open Web Application Security Project (OWASP) is a
worldwide free, open community focused on enlightening the security of software
(application) and also Non Profit Charitable Organization with the mission to make
software security visible to persons and organizations to brand informed choices
about their software security risks [9].
TOP 10 OWASP is a security project funded by OWASP. The list of current
top 10 web application security risks project was published worldwide. The list
explains the threatagents, attack vectors, security weakness,technical impacts and
business impacts with arelevant example and how to prevent it. However, every three
years, OWASP releases areport on the ten most critical web applicationsecurity risks.
The most recent version of the top10 list was published last in June 2013.
OWASPprioritized the top 10 according to theirexploitability, prevalence common,
detectability,and impact severe [9-10]. The OWASP Top Tenprovides a powerful
awareness document forweb application security and it also represents abroad
consensus about what the most criticalweb application security flaws are.Furthermore,
Management of security riskprovides means to cope the rising threats
toorganizational infrastructures. Management ofvulnerability is vital for mitigation of
critical security risks [11-12].
The result of vulnerability assessment will be a guideline for the design of
web application security system in the organization. The security system will be
included an information security policy and web application security design. In the
end we can find out which vulnerability problem occur on top ten Indonesian
ecommerce website and find out the solution best on OWASP standard to solve it.
1.2 Problem Statement

The research problem of this research is to evaluate the web security of top ten
Indonesian ecommerce websites and find the potential vulnerabilities and
recommendation solution based on OWASP Application Security Verification
Standard.
1.2 Research Scope
The scope of this research are:
a. Data collected from ten ecommerce websites in Indonesia. Those ten websites
are : Lazada.co.id, Mataharimall.com, Blibli.com, Zalora.co.id, Jd.co.id,
Tokopedia.com, Elevenia.com, Shopee.com, Bukalapak.com, and Qoo10.com.
b. Used Zed Attack Proxy which is used for Vulnerability Scanning.
c. The implementation conducted without access to the core system (server
configuration).
d. Analyze vulnerability in those ecommerce websites based on OWASP
standard.
e. The recommendations for vulnerabilities that were found in those websites.
The benefit of this research is to determine the vulnerabilities and technical
solution based on OWASP Application Security Verification Standard for ecommerce
website Indonesia. Giving a comprehensive information to the stakeholder for fixing
their ecommerce website’s security.
1.3 Research Method And Approach
The method used in this research is based on action research and penetration
testing. Action Research-based was chosen because in this study directly focused on
the object of research that is evaluating vulnerabilities on the Indonesian ecommerce
website. The steps taken are as follows (figure 1.6):
a. Diagnosing
b. Conduct action planning
c. Taking action
d. Evaluating
e. Specifyinglearning from research results
Diagnosing
Conduct action planning
Taking action
Evaluating
Specifyinglearning
Figure 1.6 Action research methodology diagram

Researchers diagnose the security holes on website by using penetration-testing
techniques, which consist of stages: 1) planning, 2) discovery, and 3) attack. Next, the
researcher will analyze the results of the diagnosis and find the solution for those
vulnerabilities problem.[13]
The Process or steps are all the activities that are involved from the beginning
to the end of Penetration Testing (figure 1.7). The following are a brief description of
steps involved in the testing. Determine the immediate goal of the test, for example to
breach a personal information database.
a. Collect information about the way to get to the target, for example to the
database.
b. Discover or identify the entry points to the network, for example performing
port scanning.
c. Start exploitation of vulnerabilities using different techniques, for example
brute forcing or phishing.
d. Take control of the application, for example doing things, which are not
allowed to do.
e. Evidence collecting, for example evidence collection of things done while
taking control of the app.
f. Reporting, it involves writing a report about everything from the beginning to
the end of testing.
g. Suggesting remedies for the vulnerabilities found while testing.
Collect
information
Discover or identify the

entry points to the
network
Start exploitation of
vulnerabilities
Take control of the

application
Evidence
collecting
Reporting
Suggesting remedies
for the vulnerabilities
Figure 1.7 Penetration testing diagram

In the step of exploring websit vulnerabilities, researcher uses OWASP ZAP.
The OWASP Zed Attack Proxy is a Java-based tool that comes with an intuitive
graphical interface, allowing web application security testers to perform fuzzing,
scripting, spidering, and proxying in order to attack web apps. Being a Java tool
means that it can be made to run on most operating systems that support Java. ZAP
can be found by default within the Kali Linux Penetration Testing Operating System,
or it can be download from here and run on OSs that have Java installed. The
OWASP ZAP proxy borrows heavily in GUI appearance from the Paros Proxy
Lightweight Web Application security testing tool. Kindly see this article for a
detailed look at the Paros Proxy tool.
The OWASP Zed doing penetrating generally follows following stages:
a. Explore
In this stage, the tester tries to learn about the system that is being tested.
This includes determining the endpoints of the system, what patches are
installed in the system. Often also includes exploring the site for hidden
contents and possible known vulnerabilities.
b. Attack
In this stage, the tester attempts to actually exploit the known
vulnerabilities to prove that they are actually exists in the system.
c. Report
In this stage, the tester makes report of the results of his testing which
includes the vulnerabilities found along with how they are exploited. In
addition, it includes how difficult it is to exploit those vulnerabilities and
the severity of that exploitation.
1.4 Organization Of Thesis
In this thesis, the list of potential vulnerabilities of top ten Indonesian
ecommerce website presented in OWASP Top Ten report is reviewed.
This thesis is organized in the following chapters:
Chapter 1 Introduction
Consist of background problem, problem statement, research scope, research method
and approach, and thesis organization.
Chapter 2 Literature review
Explain about web vulnerability, how vulnerability assessment tools work, web
vulnerability attack threats, and web application vulnerability scanners, the growth of
Indonesian ecommerce website and top ten Indonesian ecommerce website. This
chapter also explain about Explain about previous research that related with this
research.
Chapter 3 Penetration Testing
Consist of the definition and objective of penetration testing, testing needs and
benefits, testing frequency, process of penetration testing, Explain about zap, zap
features, zap testing procedure, and how to finding issues.
Chapter 4 Result
Explain about the result of research, analysis and discussion about the test result of
the experiment that already finished and the comparison of web vulnerability of
Indonesian ecommerce websites
Chapter 5 Conclusion And Further Work
Explain about the conclusion that concluded from the previous chapter and also a
recommendation for future works on this topic.
CHAPTER 2
LITERATURE REVIEW
2.1 Web Vulnerability

2.1 .1 Introduction
In computer security, vulnerability is a weakness which allows an attacker to
reduce a system's information assurance.
Vulnerability is the intersection of three elements: a system susceptibility or
flaw, attacker access to the flaw, and attacker capability to exploit the flaw [15]. In
order to exploit vulnerabilities, the attacker must have at least one applicable tool or
technique that can connect to a system weakness security hole.
According to NIST SP 800-37, ―vulnerability analysis and assessment is an
important element of each required activity in the NIST Risk Management
Framework (RMF) ‖ . This RMF comprises six steps, into each of which
vulnerability analysis and assessment is to be integrated [14]:
a. Information System Categorization.
b. Security Controls Selection.
c. Security Controls Implementation.
d. Security Controls Assessments.
e. Information Systems Authorization.
f. Security Controls Monitoring.
Integration is done by the vulnerability assessment tools, by automating the
detection, identification, measurement, and understanding of vulnerabilities found in
ICT components at various levels of a target ICT system or infrastructure.
Vulnerability is an attribute or characteristic of a component that can be exploited by
either an external or internal agent (hacker or malicious insider) to violate a security
policy of (narrow definition) or cause a deleterious result in (broad definition) either
the component itself, and/or the system or infrastructure of which it is apart. Such ―
deleterious results ‖ include unauthorized privilege escalations or data/resource
accesses, sensitive data disclosures or privacy violations, malicious code insertions,

denials of service, etc [14].
Such tools are often referred to as vulnerability scanners, because their means
of vulnerability detection is to scan targets (usually network services and nodes, and
the operating systems, databases, and/or Web applications residing on those nodes) in
an attempt to detect known, and in some cases also unknown, vulnerabilities [14].
Improving the scanning techniques of Web Application scanners will allow
them to achieve better performance and, therefore, increase their credibility. However,
in order to understand and improve web application scanners, the common
vulnerabilities that they aim to detect must be understood first.
2.1.2 Vulnerability Assessment Tools
Vulnerability assessment tools generally work by attempting to automate the
steps often employed to exploit vulnerabilities: they begin by performing
a ―footprint‖ analysis to determine what network services and/or software programs
(including versions and patch levels) run on the target. The tools then attempt to find
indicators (patterns, attributes) of, or to exploit vulnerabilities known to exist, in the
detected services / software versions, and to report the findings that result. Caution
must be taken when running exploit code against ―live‖ (operational) targets,
because damaging results may occur. For example, targeting a live Web application
with a ―drop tables‖ Standard Query Language (SQL) injection probe could result in
actual data loss. For this reason, some vulnerability assessment tools are (or are
claimed to be) entirely passive. Passive scans, in which no data is injected by the tool
into the target, do nothing but read and collect data. In some cases, such tools use
vulnerability signatures, i.e., patterns or attributes associated with the likely presence
of a known vulnerability, such as lack of a certain patch for mitigating that
vulnerability in a given target. Wholly passive tools are limited in usefulness
(compared with tools that are not wholly passive) because they can only surmise the
presence of vulnerabilities based on circumstantial evidence, rather than testing
directly for those vulnerabilities.
Most vulnerability assessment tools implement at least some

intrusive ―scanning‖ techniques that involve locating a likely vulnerability (often
through passive scanning), then injecting either random data or simulated attack data
into the ―interface‖ created or exposed by that vulnerability, as described above, then
observing what results. Active scanning is a technique traditionally associated with
penetration testing, and like passive scanning, is of limited utility when performed on
its own, as all the injected exploits would be ―blind‖, i.e., they would be launched at
the target without knowing its specific details or susceptibility to the exploits. For this
reason, the majority of vulnerability assessment tools combine both passive and
active scanning; the passive scanning is used to discover the vulnerabilities that the
target is most likely to contain, and the active scanning is used to verify that those
vulnerabilities are, in fact, both present and exposed as well as exploitable.
Determining that vulnerabilities are exploitable increases the accuracy of the
assessment tool by eliminating the false positives, i.e., the instances in which the
scanner detects a pattern or attribute indicative of a likely vulnerability that which,
upon analysis, proves to be either (1) not present, (2) not exposed, or (3) not
exploitable. It is the combination of passive and active scanning, together with
increased automation, which has rendered automated penetration testing suites more
widely useful in vulnerability assessment.
Most vulnerability assessment tools are capable of scanning a number of
network nodes, including networking and networked devices (switches, routers,
firewalls, printers, etc.), as well as server, desktop, and portable computers. The
vulnerabilities that are identified by these tools may be the result of programming
flaws (e.g., vulnerabilities to buffer overflows, SQL injections, cross site scripting
[XSS], etc.), or implementation flaws and misconfigurations. A smaller subset of
tools also provides enough information to enable the user to discover design and even
architecture flaws.
The reason for ―specialization‖ of vulnerability assessment tools, e.g.,
network scanners, host scanners, database scanners, Web application scanners, is that
to be effective, the tool needs to have a detailed knowledge of the targets it will scan.
Web application and database vulnerability scanners look for vulnerabilities that are
traditionally ignored by network- or host-level vulnerability scanners [14].
Even custom-developed Web application and/or database application often
use common middleware (e.g., a specific supplier’s Web server, such as Microsoft®
Internet Information Server [IIS] or Apache®), backends (e.g., Oracle® or
PostgreSQL), and technologies (e.g., JavaScript®, SQL) that are known or
considered likely to harbor certain types of vulnerabilities that cannot be identified
via signature based methods used by network- and host-based vulnerability analysis
tools. Instead, Web Application scanners and database scanners directly analyze the
target Web application or database, and attempt to perform common attacks against it,
such as SQL injections, XSS, least privilege violations, etc [14].
2.1.3 Web Vulnerability Attack Threats
The Open Web Application Security Project (OWASP) security community
has released its annual report capturing the top vulnerabilities and risks in web
application development as a combination of the probability of an event and its
consequence [6]. The OWASP Top Ten vulnerabilities are:
a. . Injection
b. Cross-Site Scripting (XSS)
c. Broken Authentication and Session Management
d. Insecure Direct Object References
e. Cross-Site Request Forgery (CSRF)
f. Security Misconfiguration
g. Insecure Cryptographic Storage
h. Failure to Restrict URL Access
i. Insufficient Transport Layer Protection
j. Un-validated Redirect and Forward
Each of the OWASP Top Ten vulnerabilities is described in detail in corresponding
sections that illustrate how to exploit flaws.
a. Injection
Many types of vulnerabilities, including SQL Injection (SQLI), belong to the
general class of injection flaws. Introducing malicious data into a computer program
causes an injection attack [16]. The process of how someone do SQL injection can be
seen in picture 2.1. Malicious data can enter the program at specific places and later
are exploited by an attacker.
Figure 2.1 Flowchart of SQL injection

Apart from SQLI, there are other prominent examples for injection
vulnerabilities: XML injection [17], OS commands injection [18], and SSI injection
[19]. In this thesis, SQLI vulnerability type is the focus, because it occurs more
frequently in real world applications than the other types of Injection vulnerability.
SQLI vulnerability occurs when there is a possibility of tricking the SQL engine into
executing unintended commands. In dynamic SQL statements, an attacker supplies
malicious data to a vulnerable application. This data is used to perform SQLI attacks
that can be executed on any web application based on almost any web technologies,
like Java, ASP.NET and PHP with any type of SQL database at the back-end [20-22].
For example, in August 2011, an Anonymous group attacked the Bay Area
Rapid Transit (BART) service by hacking into one of its websites and leaking the
personal information of over 2,400 passengers [23].
b. Cross-Site Scripting (Xss)
Cross Site Scripting (XSS) vulnerability occurs when there is a possibility of
injection of malicious code in web application(the process can be seen in picture 2.2).
Thus, the XSS flaw is as a result of not validated or sanitized input parameters. There
are three types of XSS: Non-Persistent, sometimes also called Reflected XSS;
Persistent or Stored XSS; and Document Object Model (DOM) based [14].
Non-Persistent XSS Vulnerability
This vulnerability occurs when a web application accepts an attacker’s malicious
request that is then echoed into the application's response in an unsafe way. As
shown in Figure 2.2, the attacker sends an email that contains a link. User clicks the
link and a request with a payload is sent to a page vulnerable to XSS. The page
accepts the malicious data (script), adds it in the response, and returns to the user’s
browser. The user’s browser interprets the page and injected script is executed.
Figure 2.2 Cross Site Scripting (XSS) process

This vulnerability doesn’t involve server validation. The attack works on a
web browser, avoiding the server side [25]. The DOM ‘environment’ in the victim’s
browser is modified by original client-side script, and as a result of that, the payload
is executed.
c. Broken Authentication And Session Management
The user authentication on the web typically involves the use of a user’s ID
and password. Stronger methods of authentication are commercially available, such
as software- and hardware-based cryptographic tokens [26] or biometrics [27]. But

these mechanisms are cost-prohibitive for most web applications. When the
authentication mechanism does not provide enough protection, an attacker can try to
obtain credentials by using different techniques or some other combination. Simple
password recovery mechanisms can become victims of a social engineer who
manipulates a user into revealing confidential information.
d. Insecure Direct Object References
There are many applications that expose their internal objects to users. This
may cause Insecure Direct Object Reference Vulnerability, a situation when files,
directories, and database records are exposed to a user. “The threat of insecure direct
object reference flaws has become commonplace with the increased complexity of
web applications that provide varying levels of access to enable users to gain entry to
some components, but not others” (29). It refers to a provision in the web application
where references to internal objects are directly exposed. According to OWASP.
For example, a web server is configured to interpret command line path
strings, such as ‘../’. An attacker takes advantage of this configuration and accesses
files from other locations in the file system by manipulating the path string. An
incorrect web server configuration, like the one described above is considered
Insecure Direct Object Reference vulnerability.
e. Cross-Site Request Forgery (Csrf)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP
request, including the victim’s session cookie and any other authentication
information, to a vulnerable web application.This allows the attacker to force the
victim’s browser to generate requests the vulnerable application thinks are legitimate
requests from the victim[6][30][31]. The sceme of CSRF can be seen in picture 2.3
Figure 2.3 CSRF Scheme

f. Security Misconfiguration
Security depends on having a secure configurationdefined for the application,
framework, web server,application server, and platform. All these settings should
bedefined, implemented, and maintained, as many are notshipped with secure defaults
[6].
g. Insecure Cryptographic Storage
Insecure Cryptographic Storage vulnerability occurs when a web application is
failing to encrypt sensitive data. It can be broken down into two main areas:
Encryption and Hashing. One cause of this vulnerability is insecure data transfer.
Sensitive user information, like credit card numbers or passwords, is sometimes sent
to a server without being encrypted. Payment Card Industry (PCI) Data Security
Standard [32] requires encrypting the transmission of cardholder data across open,
public networks, including the Internet and Wireless Technologies [33]. Another
cause of the vulnerability is that developers do not know which data must be
protected with the use of encryption. They store the data as plain text, assuming that
no one has access to the website database. Hashing is a one-way function. Similar to
encryption, hashing should be used for securing passwords. There are a number of
techniques employed in cracking hashed data.
Finding the flaw in encryption or hashing functions can be a very difficult task,
so usually an attacker tries some other options to exploit Insecure Cryptographic
Storage Vulnerability. For example, due to the fact that a hashed password can't be
reversed, it is theoretically impossible to crack someone's password. But with
dictionary attacks, the match can be found. Another widely used approach is the use
of rainbow tables [34]; an example is when an attacker stores a table of data that
contains passwords and the hashed value for each password. By comparing hash
values, it is possible to determine the corresponding password.
h. Failure To Restrict URL Access
Many web applications check URL access rights before rendering protected
links and buttons. However,applications need to perform similar access control
checkseach time these pages are accessed, or attackers will be able toforge URLs to
access these hidden pages anyway [6].
Failure to restrict URL Access vulnerability usually occurs when unauthorized
users are able to access the content of web pages that are only intended to be viewed
by users with special privileges, for example administrators. In 2007, the Macworld
Conference & Expo web site failed to restrict special URL access to a Steve Jobs
keynote speech and let users get “Platinum” passes worth nearly $1,700, all for free
[35].
i. Insufficient Transport Layer Protection
Applications frequently fail to encrypt network trafficwhen it is necessary to
protect sensitive communications.When they do, they sometimes support weak
algorithms, useexpired or invalid certificates, or do not use them correctly [6].
j. Un-Validated Redirect And Forward
Web applications frequently redirect and forward usersto other pages and
websites, and use untrusted data todetermine the destination pages. Without proper
validation,attackers can redirect victims to phishing or malware sites, oruse forwards
to access unauthorized pages [6].
2.1.4 Web Application Vulnerability Scanners

One of the categories of web application vulnerability scanners includes those
that are developed in academia. These scanners are different from free/opensource
and commercial scanners because the researchers who work on them are continuously
evaluating them and also discuss not only where their design succeeds, but where
their design is limited and requires future work. These scanners are not available for
public use, so they cannot be used in this analysis of web vulnerability scanner
limitations, but reviewing the techniques and methods used by these scanners will
help in understanding how other web application scanners work [36].
Huang et al. developed a web application scanner called WAVES that
attempts to reduce the number of potential side effects of black-box testing [37, 38].
The auditing process of web application scanners can cause permanent modifications,
or even damage, to the state of the application it is targeting. This is a drawback that
both commercial and open-source/free web application scanners share, and is why the
authors introduced a testing methodology that would allow for harmless auditing.
Their experimental results found that WAVES was unable to detect any new
vulnerability that were not already detected by a static source code analyzer they had
developed. Also, WAVES was unable to discover all of the vulnerabilities that the
static source code analyzer had found (detected only 80% of the vulnerabilities found
by the static analyzer). The authors believe their tool failed in part because it did not
have complex procedures able to detect all data entry points, and because it was
unable to observe HTML output.
Another academic black-box approach was developed by Antunes and Viera
as described in [39]. Their web vulnerability scanner was used to identify SQL
injection vulnerabilities in 262 publicly available web services. The first step in their
approach was to prepare for the tests by obtaining information regarding the web
service in order to generate the workload (valid web service calls). The second step
was to execute the tests. This was accomplished by using a workload emulator that
acted as a web service consumer, and by using an attack load generator that
automatically generated attacks by injecting them into the workload test calls. The
final step in their approach was to analyze the responses by using a set of well-
defined rules which would identify vulnerabilities and exclude potential false-
positives. Their results showed that they achieved a detection coverage rate of 81% in
the scenario where they had access to the known number of vulnerabilities, and
maintained a false-positive rate of 18% in their optimistic interpretation. These results
are better than those of the commercial tools that the authors analyzed, and suggest
that it is possible to improve the effectiveness of vulnerability scanners [36].
a. Free/Open-Source Web Application Scanners
Many open-source and free web application scanners are available for
blackbox testing and analysis. Some of these applications provide extensive
functionality with the ability to be customized and expanded to meet the needs of
users. Others however do not provide a great deal of usability and have a limited
amount of functionality, and therefore can only test for a few web application
vulnerabilities. Three of the more thorough and robust free/opensource scanners,
Grendel-Scan [42], Wapiti [43], and W3AF [44], OWASP ZAP will be reviewed.
Grendel-Scan [135] is an open-source web application security testing tool
which has an automated testing module for detecting common web application
vulnerabilities. It has the ability to find simple web application vulnerabilities, but its
designers state that no automated tool can identify complicated vulnerabilities, such
as logic and design flaws. Grendel-Scan tests for SQL injection, XSS attacks, and
session management vulnerabilities, as well as other vulnerabilities.
Wapiti [136] is a free web application vulnerability scanner and security
auditor. It performs black-box analysis by scanning the web pages of a web
application in search of scripts and forms where data can be injected. After the list of
scripts and forms is gathered, Wapiti injects payloads to test if the scripts are
vulnerable. Wapiti scans for remote file inclusion errors, SQL and database injections,
XSS injections, and other vulnerabilities.
W3AF [44] is exactly what it stands for, a Web Application Attack and Audit
Framework. The goal of the project is to create a framework which can find and
exploit web application vulnerabilities easily. The project’s long term objectives are
for it to become the best open source web application scanner, and the best open
source web application exploitation framework. Also, the designers want the project
to create the biggest community of web application hackers, combine static code
analysis and black box testing into one framework, and become the NMAP [45] of
the web. W3AF incorporates a great deal of plug-ins into its framework, and is
capable of testing for SQL injection, XSS attacks, buffer overflow, malicious file
execution, and session management vulnerabilities.
OWASP ZAP ZED Attack Proxy is an OWASP flagship project, also known
as ZAP. These tools will be explaind in detail in the next chapter.
b. Commercial Web Application Scanners
Commercial web application scanners are generally licensed to companies or
organizations that wish to test their web applications for vulnerabilities so that they
can fix security holes before they are maliciously exploited. Since a data breach can
result in the loss of personal information of thousands of customers, and the loss of
millions of dollars, companies are willing to pay large sums of money for these
applications. These commercial applications compete against each other for market
share, and therefore do not want to disclose their scanner’s limitations or restrictions.
However, an approach to analyze these limitations and restrictions is proposed in this
thesis. Some of the features of popular commercial web application scanners will be
discussed below [41].
Cenzic [46] sells a web application scanner tool called Hailstorm which utilizes
stateful testing. Stateful testing tools are designed to behave like human testers by
taking what seem to be an application’s insignificant or disparate weaknesses, and
combining them together into serious exploits. The key benefits that Hailstorm claims
are the ability to identify major security flaws in target applications, to help with
internal compliance policies, to avoid vulnerabilities that lead to downtime, and to
assess applications for commonly known vulnerabilities. Cenzic provides a 7-day free
trial of Hailstorm Core which can detect vulnerabilities including SQL injection,
XSS , and session management.
Acunetix Web Vulnerability Scanner [40] is another black-box tool which

claims in-depth checking for SQL injection, XSS, and other vulnerabilities with its
innovative AcuSensor Technology. This technology is supposed to quickly find
vulnerabilities with a low number of false-positives, pinpoint where each
vulnerability exists in the code, and report the debug information as well. Acunetix
also includes advanced tools to allow penetration testers to fine tune web application
security tests, and has many more features to scan websites with different scan
options and identities. The only vulnerability that the free edition of the software
detects is XSS, but a 30-day trial version of the product is available that also can
detect SQL injection, file execution, session management, and manual buffer
overflow attacks.
N-Stalker [47] provides a suite of web security assessment checks to enhance
the overall security of web applications. It is founded on the technology of
Component-oriented Web Application Security Scanning, and allows users to create
their own assessment policies and requirements, enabling them to check for more
than 39,000 signatures and infrastructure security checks. Vulnerabilities checked for
include SQL injection, XSS attacks, buffer overflows, and session management
attacks, but the evaluation edition only lasts for a 7-day period.
Netsparker [48] is a web application vulnerability scanner developed by
Mavituna Security Ltd. Netsparker is focused on eliminating false-positives, and uses
confirmation and exploitation engines to ensure that false-positives are not reported.
The engines also allow the users to see the actual impact of the attacks instead of text
explanations of what the attack could do. Because of the techniques Netsparker uses,
Mavituna Security claims that it developed the first false-positive free web
application scanner. Netsparker scans for all types of XSS injection, SQL injection,
malicious file execution, and session management vulnerabilities.
Burp Scanner [49] is a web application vulnerability scanner that is part of
Burp Suite Professional. Burp Suite Professional is the commercial version of Burp
Suite, which is an integrated platform for attacking and testing web applications. Burp
Suite provides a number of tools, including an interception web proxy, web spider,
application intruder, session key analyzer, and data comparer. The professional
version includes Burp Scanner which can operate in either passive or active mode, or
either manual scan or live scan mode. The vulnerabilities it searches for include SQL
injection, XSS injection, and session management vulnerabilities.
Rational AppScan [50] is licensed by IBM for advanced web application
security scanning. The AppScan tool automates vulnerability assessments and tests
for SQL injection, XSS attacks, buffer overflows, and other common web application
vulnerabilities. AppScan can generate advanced remediation capabilities in order to
ease vulnerability remediation, simplify results with the Results Expert wizard, and
test for emerging web technologies. Rational AppScan provides an unlimited
evaluation period for its standard edition; however, with the evaluation license the
software is only capable of testing a test web site provided by AppScan.
BuyServers Ltd. [51] sells a web vulnerability scanner called Falcove which is
a 2-in-1 scanning and penetration tool, meaning that it not only tries to detect
vulnerabilities, but is capable of exploiting them as well. Falcove utilizes a crawler
feature that checks for web vulnerabilities, audits dynamic content (password fields,
shopping carts), and generates penetration reports that explain the security level of the
tested web site. However, BuyServers Ltd. no longer supports the trial version of the
product that detects SQL injection, XSS, and file execution attacks.
HP’s WebInspect [52] software provides web application security testing and
assessment for complex web applications. WebInspect claims fast scanning
capabilities, broad security assessment coverage, and accurate web application
security scanning results. HP also believes WebInspect identifies security
vulnerabilities that are undetectable by traditional scanners by using innovative
assessment technologies such as simultaneous crawl and audit, and on current
application scanning. HP WebInspect scans for data detection and manipulation
attacks, session and authentication vulnerabilities, and server and general HTTP
vulnerabilities, but does not currently provide a working evaluation version of the
product.
NT OBJECTives’ NTOSpider [53] is a web application security scanner that

claims to provide automated vulnerability assessment with unprecedented accuracy
and comprehensiveness. NTOSpider identifies application vulnerabilities and ranks
threat priorities, as well as produces graphical HTML reports. NT OBJECTives’
proprietary S3 Methodology and Data Sleuth intelligence engine are employed for
automation and accuracy, and checks vulnerabilities on a case-by-case basis, which
provides contextsensitive vulnerability checking. NTOSpider checks for SQL
injection, XSS attacks, and session management vulnerabilities, but does not provide
a trial version for evaluation.
2.2 Indonesian Ecommerce Website
2.2.1 Growth Of Indonesian Ecommerce Website
The Indonesian ecommerce market has enjoyed dramatic growth over the last
five years, upending a long-held view among local venture capital firms and
businesses that Indonesia was underperforming compared to its regional rivals.
Recent estimates by Macquarie Bank suggest the Indonesian market has grown 60–70
per cent annually since 2014 and will expand from US$8 billion in 2016 to US$60
billion in 2020. This is expected to generate new opportunities for ecommerce sites
and their businesses [54].
Indonesia’s ecommerce landscape experienced investment of at least US$2.5
billion over the last three years, paving the way for businesses to list and sell their
products online. In 2015 there were 18 million online shoppers in Indonesia; Google
and Temasek expect this to grow to 119 million by 2025. Underpinning the growth in
online transactions in Indonesia are local ecommerce giants (such as Lazada,
Tokopedia and Bukalapak) that provide businesses with a platform to set-up an online
storefront, accept transactions and, in Lazada’s case, warehouse and deliver goods to
customers [54].
Despite recording significant year-on-year growth of 60-70 per cent since
2014, the Indonesian ecommerce market is still relatively small (US$8 billion)
compared to regional pace-setter, China, with sales of US$692 billion.4 In 2016,
Indonesia’s ecommerce sales as a percentage of total annual retail sales amounted to

1.6 per cent, compared to 13 per cent in China [4].
2.2.2 Top Ten Indonesian Emerse Website
These are top ten ecomerse websites used as research objects. These website
were selected based on the results of the SainsOne Data research. They released a
study on the position and growth of ecommerce consumer goods in Indonesia during
the first and second quarters of 2017. IlmuOne Data is a data and digital analytics
consultant that helps companies get local data analytics solutions. The study
conducted using data comScore, a global company engaged in the measurement and
analytics media. They play a role in increasing the audience's value and advertising.
In this study, Science Data using comScore analyzes the behavior of home and office
desktop users aged 6 and above, as well as Android and smartphone users aged 18
and above. ComScore data is 67 million digital populations, used to measure and
evaluate how ecommerce and marketplace compete with each other [55]. Those ten
websites are lazada.co.id, mataharimall.com, blibli.com, zalora.co.id, jd.id,
tokopedia.com, elevenia.com, shopee.com, bukalapak.com, qoo10.com
a. Lazada.co.id
Lazada Indonesia is an online shopping site that offers various types of
products, ranging from electronics, books, children's toys and baby equipment,
medical devices and beauty products, household appliances, and traveling and sports
equipment. Mazada was launched in March 2012 and is growing rapidly to date.
Lazada Indonesia is one part of Lazada Group's online retail network which operates
in six countries in Southeast Asia, consisting of Lazada Indonesia, Lazada Malaysia,
Lazada Thailand, Lazada Vietnam, lazada Singapore and Lazada Philippines with a
total user of 550 million users out of the total these six countries. The homepage of
Lazada can be seen in picture 2.4
Figure 2.4 Homepage of Lazada.com.

Lazada is a company engaged in ecommerce and online buying and selling
services, the result of the development of the German internet technology incubator,
Rocket Internet. Internet rockets have also succeeded in creating various innovative
and creative companies in various parts of the world, headquartered in Berlin,
Germany. Other projects owned by Rocket Internet in Indonesia include zalora,
foodpanda, traveloka. In the early stages of its development Rocket Internet helped a
lot from recruiting experts, injecting funds, and implementing the technology
platform. But after lazada was able to develop independently, Rocket Internet was no
longer heavily involved in its operational activities. At this time Rocket Internet has
more role in terms of investment and funding. In addition to Rocket Internet, lazada
also received an injection of funds from several large investors such as; JP Morgan,
Tesco, Temasek Holdings, Summit Partners, Kinnevik Investment AB, Access
Industries, and Verlinvest with total funding of around $ 620 billion. In April 2016,
Alibaba Group officially acquired a majority stake in Lazada Group worth US $ 1
billion[56][57].
Lazada as a company engaged in ecommerce retail in Indonesia hopes to
provide convenience for the community in buying various types of products from
various categories, from electro-mechanical products, home decor, health products to

beauty products, by simply accessing the site and application from Lazada. Supported
by multiple payment facilities including cash-on-delivery, providing convenience for
consumers, especially in Indonesia, to get the latest items they want. In addition to
providing lazada transaction convenience, it also provides various promos and
discounts at cheap discounts and offers that are certainly attractive to buyers. For
information about all products can be accessed on the Lazada Indonesia website,
lazada.co.id. Lazada is a pioneer of ecommerce in some of the fastest growing
countries in the world with several fast, safe and comfortable online shopping
experiences. For Lazada the highest priority is to create the best online shopping
experience for every customer in Indonesia.
b. Mataharimall.com
MatahariMall.com is one of the largest ecommerce in Indonesia. They provide
various types of products ranging from fashion for men and women, health & beauty,
gadgets, electronics, lifestyle, hobbies, household appliances and more.
MatahariMall.com was first announced on February 25, 2015 by the Lippo
Group which is the largest multi-format retail company in Indonesia, Lippo Group
which also manages Matahari Department Store and Hypermart. Since its inception,
the Lippo Group has prepared MatahariMall.com to become a trading site in
Indonesia[58][59]. To support this, the Lippo Group budgeted an investment fund of
500 million US dollars or around six trillion rupiah[60].
MatahariMall.com is the first online retailer in Indonesia to adopt the O2O
shopping method (Online-to-Offline and Offline-to-Online) that enables consumers to
pay, collect and return their products at Matahari Department Store in Indonesia.
MatahariMall entrusts aCommerce for Marketing & Delivery services[61].
There is a difference between MatahariMall.com and other marketplaces, the
concept of online to offline. Its application utilizes the Matahari Department Store
retail network. Hadi explained that Mataharimall customers can shop online and pick
up their ordered items directly at the store. In addition, there are also elocker services.
The e-locker in question is a locker placed at a certain point as a place for taking
customer orders. This is intended to be able to access the locker, the customer is
given a special code. The homepage of Mataharimall can be seen in picture 2.5
Figure 2.5 Homepage of mataharimall.com.

c. Blibli.com
Blibli.com is one of the ecommerce in Indonesia with the concept of shopping
mall-style online. With this concept Blibli hopes that Indonesian people who are used
to shopping at the mall can find the items they are looking for easily and pleasantly
wherever and whenever. Blibli is the first product of PT Global Digital Niaga which
is a subsidiary of Djarum in the digital field which was founded in 2010[62]. Blibli
works with world-class technology providers, logistics partners, banking partners and
partner merchants with certain standards to create a back-end system that can meet
blibli user needs [63]. Currently Djarum Group through Global Digital Prima
Ventures (GDP) for example, formed an incubator named Merah Putih Inc, a
community-based local start-up incubator and provided capital assistance for
innovative local start-ups. Blibli's head office is headquartered in West Jakarta with
infrastructure costs such as servers and networks reaching almost Rp 100 billion[64].
Currently Blibli.com does not have an offline store yet. Purchases can only be
made through the Blibli.com website. Blibli.com is also not included in the category
of buying and selling sites where people can directly sell and buy. Visitors cannot do
sell (sell) activities on Blibli.com without certain cooperation agreements.
Currently Blibli.com works with trusted banking partners and all transactions
are guaranteed to be safe with VeriSign certification, Verified by VISA, MasterCard
SecureCode and Credit Card Fraud Detection System. The homepage of Blibli can be
seen in picture 2.6.
Figure 2.6 Homepage of Blibli.com
d. Zalora.co.id
ZALORA Indonesia is a shopping website that provides fashion clothing
needs consisting of various brands of products, both local and international. Zalora
Indonesia, established in 2012 by Catherine Sutjahyo, [65] is part of the Zalora Group
in Asia which consists of Singapore's Zalora, Zalora Malaysia, Zalora Vietnam,
Zalora Taiwan, Zalora Thailand and Zalora Philippines. [66]
Zalora is a subsidiary of the online shopping site Zalando. Zalando is a project
from Rocket Internet. [67] In Indonesia Zalora is under the auspices of and managed
by PT Fashion Eservices Indonesia. [68] Sites in each country ensure that fashion
products are tailored to each country's taste and adapt their preferences. With a choice
of more than 500 local and international brands, Zalora bring fashion into a
dimension that is better than before. Zalora offer women's clothing, men's clothing,
shoes, accessories, sports equipment, Muslim fashion, and more. This is what makes
Zalora the main fashion destination in Indonesia. In just a few years, this website has
revolutionized the fashion scene in Asia, starting with your shopping habits to shape
your personal style. More than 30,000 online products and hundreds of new products
every week. Zalora is a means of providing fashion that is balanced with the latest
technology that will give the costomer an unparalleled online shopping experience.
ZALORA is part of the Global Fashion Group, the world's leading fashion
group. Established in 2011 and dedicated to making online fashion companies in
developing countries. Until now, the Global Fashion Group operates in 27 countries.
Global Fashion Group is present in India, Middle East, South America and Russia.
Through ZALORA, the Global Fashion Group is able to access markets in the
Tenggrara Asia, while ZALORA seeks to become a fashion destination in Southeast
Asia.
This online shopping site is one of the branches of the largest online store in
Europe, Zalando. In Asia, the name is Zalora, which has sister companies in eight
countries, such as Indonesia, Malaysia, Singapore, Vietnam, Taiwan, Hong Kong,
Thailand, and Philippines. Zalora with confidence that e-commerce businesses in the
country will succeed. Because access to small areas is still lacking, with Zalora
everyone has access. Its development is supported by the cooperation of the Zalora
team in marketing their web-store. Starting from online promotions, such as through
Google, Facebook, Twitter, etc. The homepage of Zalore can be seen in picture 2.7.
Figure 2.7 Homepage of Zalora.com.

The sales system on Zalora is a B2C (Business to Customer) where their
target marketing is individuals. The sales system at Zalora wants to provide a
different experience from physical purchases. Zalora focuses on selling products such
as clothing, shoes, bags, accessories, sports, and even beauty products[69].
Zalora provides security for the payment process by making payment
transactions via ATM Transfer, and if it still does not believe or the rough language is
afraid of being deceived, zalora provides facilities for direct payment of COD (Cash
On Delivery) when the goods arrive. Zalora guarantees the security of data inputted
by the customer.
Zalora uses 128-bit SSL (secure sockets layer) encyption technology when
processing consumer financial details. To crack 128-bit SSL encryption will take as
little as one trillion years, and this is the current industry standard.
e. Jd.id
JD.ID is an e-commerce mall operating in Jakarta, Indonesia. JD.ID was
formed as a collaboration between JD.com and an Indonesian partner. JD.com is one
of the largest online B2C stores in China by number of transactions. JD.com is
"Alibaba's biggest rival, the Chinese market leader. [70] In Indonesia, JD.ID works
with Provident Capital. [71]
JD.com (also known as JingDong Mall), which is the parent company of
JD.ID, was built by Liu Qiangdong (known as Richard Liu) in July 1998 as a physical
store selling magneto-optical products in Beijing, China, under the name Jingdong
Century Trafing Co., Ltd. The company's online B2C site rose online in January 2004
with the domain name jdlaser.com then 360buy.com in 2007. Finally the domain
name was changed again to JD.com in March 2013 [72]. The homepage of Jd.id can
be seen in picture 2.8.
Figure 2.8 Homepage of JD.id

Following launching the company's online site, Liu quickly began adding the
number of types of products offered, with categories such as gadgets and electronics
such as smartphones and computers, books, beauty products, etc. in 2015, JD.com
managed to meet more than 1.26 billion orders from Active site users are more than
150 million people. The volume of these transactions constituted around 49% of the
total online retail sales throughout China [73].
JD.ID began operating in Indonesia since October 2015 [74]. At first, they
focused on providing customers with hard-to-find electronic and gadgets products,
such as Apple's iPad Pro and A2010 from Lenovo, which was launched at the end of
2015. Since then they have expanded their product offerings and included categories
such as shoes and apparel body and also beauty and health products.
The JD.ID website address that uses Indonesian country-code top-level
domains (.id) was chosen to symbolize their commitment to provide faster and safer
services. [75] According to reports, the domain name requires funds of Rp.
500,000,000 (~ US $ 38,000) to obtain. [76]
f. Tokopedia.com
Tokopedia is an Indonesian technology company, sometimes referred to as a
unicorn. It was founded in 2009 by William Tanuwijaya. As of November 2018, the
e-commerce operator is valued at about $7 billion. Tokopedia describes its mission as
democratizing commerce through technology [77-80].
PT Tokopedia was founded by William Tanuwijaya and Leontinus Alpha
Edison on February 6, 2009. The company manages Tokopedia.com, which was
publicly launched on August 17. Since it was officially launched, Tokopedia
managed to become one of Indonesia's internet companies that grow rapidly.
PT Tokopedia received initial seed funding from PT Indonusa Dwitama in
2009 of IDR 2.5 billion. In the following years, Tokopedia attracted capital injections
from global venture capitals including East Ventures (2010), CyberAgent Ventures
(2011), NetPrice (2012), and SoftBank Ventures Korea (2013). In October 2014,
Tokopedia managed to make history as the first technology company in Southeast
Asia to receive a US$100 million investment (around IDR 1.2 trillion) from Sequoia
Capital and SoftBank Internet and Media Inc (SIMI). In April 2016, Tokopedia raised
another $147 million [81]. In 2017, Tokopedia received $1.1 billion investment from
Chinese e-commerce giant Alibaba.[6]. Again in 2018, the company secured $1.1
billion funding round led by Chinese e-commerce giant Alibaba Group Holding and
Japan's SoftBank Group[82] putting its valuation to about $7B [83].
As a technology company, Tokopedia presents four main businesses for its
users. Tokopedia's first product, as well as being the best-known product o is the
marketplace. Tokopedia provides a free C2C business platform for merchants and
buyers. A trading tool that empowers merchants to be able to provide more. There are
also Official Stores for several leading brands. Through its marketplace products,
Tokopedia offers millions of products that are divided into 25 big categories.
In the marketplace, Tokopedia also provides digital products such as credit,
BPJS payments, electricity and water, telephone bills, credit cards, and so on. There
are also flight tickets, events, games voucher, and other digital products.
In 2016 Tokopedia spread its wings by presenting financial technology
(fintech) products. Tokopedia fintech products consist of digital wallets, affordable
investments, business capital loans, virtual credit cards, protection products, credit
scoring based on data for a loan, and other financial services.
Recently in 2018 Tokopedia launched Mitra Tokopedia application. This
application is intended to enable everyone, especially small businesses' owners to be
able to sell Tokopedia digital products such as data packages, electricity tokens, BPJS,
game vouchers, and so on.
On December 12, 2018, Fortune reported that PT Tokopedia had raised
another $1.1 billion [84]. As of April 2015, Tokopedia.com claims to have more than
4.9 million active product listings, facilitating sales of more than 5 million products
every month [85]. Today, Tokopedia has over 80 million monthly active users and
over 4 million merchants on the platform, 70% of the merchants are the first-time
entrepreneurs. For its role in developing online business in Indonesia, Tokopedia won
the 2014 Marketeers of the Year award for the e-Commerce sector, at the 2015
Markplus Conference held by Markplus Inc. on December 11, 2014. On May 12,
2016, Tokopedia was selected as the Best Company in Consumer Industry of the
Indonesia Digital Economy Award 2016. In 2018, Tokopedia won several awards.
Last May the Tokopedia app successfully topped the Apple Store beating Facebook,
WhatsApp, and Instagram. While on Android, Tokopedia also managed to become #
3 Top Chart on Google Play, beating Facebook and Instagram. In December 2018
Tokopedia was chosen as the best choice for the community on Google Play. The
homepage of Tokopedia can be seen in picture 2.9.
Figure 2.9 Homepage of tokopedia.com

g. Elevenia.com
Elevenia is an online shopping site with an open marketplace concept in
Indonesia that provides convenience and security for shopping online. This site offers
a variety of products which are divided into 8 categories including: fashion, beauty /
health, babies / kids, home / garden, gadgets / computers, electronics, sports / hobbies,
service / food [86]. To this day, it is noted that Elevenia offers more than 4 million
products from 40,000 sellers [87].
The elevenia.co.id site was officially launched on March 1, 2014. It operates
under the auspices of PT XL Planet which is a joint venture company between PT XL
Axiata, Tbk., And SK Planet from South Korea [88]. PT XL Axiata is the second
largest operator in Indonesia and SK Planet is a subsidiary of South Korea's SK
Telecom, the largest operator in South Korea.
In one year, Elevenia also succeeded in reaching 1 million users and sending
more than 400,000 thousand products [89]. In addition, they were also able to earn an
income of 250 billion Rupiah in 2014. In their second year, Elevenia targets to be
able to achieve an income of Rp. 1.1 Trillion [90].
Until March 2016, Elevenia has recorded an average of 20,000 transactions

per day, 2 million members and a total transaction of 1.3 trillion. For that, in their
third year, Elevenia has targeted achieving a GMV of 3.5 trillion In this third year too,
Elevenia has introduced two very important things, namely the new tagline "Click
Search Hepi" and Raisa as the new Elevenia Brand Ambassador [91].
Services provided by Elevenia are not only through desktop devices, Elevenia
can also be accessed through mobile applications that are already available on Google
Play for Android users and also in the Apple Store for iOS users.
Another interesting thing from Elevenia is the facilities and services they
provide to the sellers. The facilities that Elevenia provides include educational
sessions through routine training and seminar programs and photo studio facilities.
They can also consult directly with the CRO team (Customer Relationship Officer).
Through ellerzone.elevenia.co.id Seller can download training tutorials and studio
photos and reservations.
Until 2015, there were more than 5000 sellers already using this facility. The
location of the Seller Zone is not only in one place. Elevenia has three Seller Zone
locations, namely in Mangga Dua, Tanah Abang and Plasa 89.
In addition to making it easy for sellers, Elevenia also does not forget to
provide attractive offers for its members. In Elevenia, there is one special offer every
11th named "Elevenia Day" [92]. In 2015, Elevenia has expanded its services by
presenting airline ticket purchases in Elevenia. This service is a form of cooperation
between Elevenia and Tiket.com [93]. In addition, Elevenia has also launched a new
service called MOKADO (Mobile Kado) in April 2016[94] . The homepage of
Elevania can be seen in picture 2.10.
Figure 2.10 Homepage of elevania.com

h. Shopee.com
Shopee (Traditional Chinese: 蝦皮購物 ) is an e-commerce platform
headquartered in Singapore under Sea Group (previously known as Garena), which
was founded in 2009 by Forrest Li [95]. Shopee first launched in Singapore in 2015,
and since expanded its reach to Malaysia, Thailand, Taiwan, Indonesia, Vietnam and
the Philippines [96]. It serves users in Southeast Asia and Taiwan to buy and sell
products online [97]. Due to the mobile and social element built within the concept,
Shopee was described as one of the “5 disruptive ecommerce startups we saw in 2015”
by Tech In Asia [98].
In 2015, Shopee launched in Singapore as a social-first, mobile-centric
marketplace where users can browse, shop and sell on the go [99]. Integrated with
logistical and payment support, the asset-light platform aims to make online shopping
easy and secure for both sellers and buyers [100][101]. The homepage of Elevania
can be seen in picture 2.11.
Figure 2.11 Homepage of shopee.com

Soon after, the app-based platform launched a website to rival other fast
growing e-commerce websites in the region like Lazada, Tokopedia and AliExpress.
To differentiate itself, Shopee offers online shopping security through its own escrow
service called “Shopee Guarantee”,[102] where it withholds payment to sellers until
buyers have received their orders [103].
Shopee first started as primarily a consumer-to-consumer (C2C) marketplace
but has since moved into both a C2C and business-to-consumer (B2C) hybrid model
[104]. As compared to its competitors, Shopee does not charge sellers
fees/commissions and listing fees [96].
It also operates as an asset-light marketplace wherein Shopee does not hold
any inventory or warehousing and relies on third parties for logistics capabilities
[105]. Shopee partners with over 70 courier service providers across its markets to
provide logistical support for its users [106]. In Singapore, it collaborated with
logistics startup, NinjaVan, for item pickup and delivery [107]. Other delivery
partners in the region include Pos Malaysia[108] and Pos Indonesia[109].
As of 2017, the platform recorded 80 million app downloads and more than
180 million active products from over four million entrepreneurs [110]. In Q4 2017, it
also reported a gross merchandise value (GMV) of US$1.6 billion, up 206 per cent
from a year earlier. However, losses in the parent group, Sea are also widening. The
group recorded an adjusted net loss of US$252 million in Q4 2017, up 306 percent
from Q4 2016's US$62 million net loss [111].
These GMV claims have also led to backlash by Alibaba-backed competitor,
Lazada. The former CEO, Max Bittner asserted that GMV numbers can be easily
inflated “by subsidy schemes and history shows that GMV falls away as unhealthy
subsidies are removed.”[106] Nonetheless, in Malaysia, Shopee became the 3rd most
visited e-commerce portal in Q4 2017, replacing Lelong and “overtook Lazada to
rank as the best app on both Google Play and iOS App stores.”[112] Similarly among
consumers in Indonesia, a survey conducted in December 2017 by TheAsianParent
revealed that “for Indonesian mothers, Shopee is a first choice shopping platform
(73%), followed by Tokopedia (54%), Lazada (51%) and Instagram (50%).”[113]
In 2016, Shopee launched an initiative called ‘Shopee University’, a series of
workshops and tutorials to aid local entrepreneurs and businesses in setting up their
online businesses in the Philippines.[114] In 2017, Shopee launched Shopee Mall
with 200 brands in Singapore. The dedicated portal features thousands of products
sold by leading brands and retailers in the region. Shopee Mall was created to offer a
more diverse online shopping experience, and to better cater to larger brands looking
to pursue an omni-channel approach [115]. In 2018, Shopee launched the China
Marketplace portal that offers shoppers easy access to products from Chinese
merchants, without any shipping and agent fees in Singapore. This portal directly
competes with Lazada's Taobao Collection option [116].
Shopee's parent company, Sea Group, filed for an Initial Public Offering on
the New York Stock Exchange (NYSE) in October 2017 for US$1 billion [117].
Tencent is the main beneficiary of the Sea listing with a 39.7% share while Blue
Dolphins Venture — an organization set up by founder Forrest Li — holds 15%. Li
himself has 20%, and Chief Technology Officer, Gang Ye holds 10%.[118] In 2015,
Shopee was awarded the Singapore Startup Of The Year in the second edition of
Vulcan Awards, presented by Singaporean digital publisher, Vulcan Post [119].
i. Bukalapak.com
Bukalapak is one of the leading online marketplace in Indonesia and a
Unicorn company, owned and run by PT Bukalapak.com [120]. Bukalapak literally
means "open a stall" in Indonesian. Anyone can open an online store to then serve
prospective buyers from all over Indonesia either unit or in large quantities.
Individual or corporate users can buy and sell all type of products, both new and used.
Bukalapak was founded by Achmad Zaky and Nugroho Herucahyono in early 2010
as a digital agency division named Suitmedia, based in Jakarta [121-123].
Bukalapak has only been a Limited Liability Company. In September 2011,
After standing more or less a year, Bukalapak received additional capital from
Batavia Incubator (a joint venture of Rebright Partners led by Takeshi Ebihara,
Japanese Incubator and Corfina Group). In 2012, Bukalapak received additional
investments from GREE Venturesled by Kuan Hsu.[124] (a joint company from
Rebright Partners led by Takeshi Ebihara led by Kuan Hsu[125-126]).
In March 2014, Bukalapak announced an investment by Aucfan, IREP, 500
Startups, and GREE Ventures [127]. Not long ago from the news, on March 18, 2014
Bukalapak also launched a mobile app for Android . The application known as mobile
Bukalapak was created specifically for the sellers to facilitate the seller in accessing
his wares and transact via smartphone. Since it was first launched until July 3, 2014,
the application has been downloaded by more than 87 thousand users of Bukalapak.
Although it has only been established for 3 years, Bukalapak has a good
reputation in terms of customer service and its easy-to-access website. Bukalapak also
over time, growing with newest innovations to facilitate Bukalapak users for the
transaction.
On June 25 2014, Bukalapak adds the Quick Buy feature, which allows buyer
to buy goods without having to register new account. When the page pops up, just fill
in the purchase data and buyer selects the Buy Without Account tab. In this stage,
buyer simply enters his/her active email and detail of shipping address. The active e-
mail will be used to send the payment bill and to contact the buyer in case the
transaction error. Therefore, the email is expected to be filled correctly, because it

will affect the verification of the transaction.
Bukalapak has a program to facilitate the existing SMEs in Indonesia to
conduct transactions on sale and purchase online. This is because online transactions
can make it easier for SMEs to sell their products without having an offline store. For
those who already have an offline store, Bukalapak expects that the site can help
increase the offline store sales.
From Emtek's 2015 financial statements (49% owners of Bukalapak shares), it
is known that Bukalapak has obtained investment fund from Emtek totaling up to Rp
439 billion. However, in 2015, Bukalapak is still losing Rp 229 billion, with revenues
of Rp 6.4 billion [128]. In January 2019 the startup raised additional $50 million in
Series D funding [129].
The category of products in this site are, Mobile, Bicycle, Tablet, Gadget
Accessory, Kids, Computer, Laptop, Printer / Scanner, Data Storage Media, Fashion
Men, Fashion Accessories, Electronic Equipment, Audio & Video, Home Appliances,
Baby Equipment, Up to Books or Musical Instruments and others.
Bukalapak transaction payment system is a guarantee of security of sale and
purchase transactions in the payment system also known as Open Wallet. In contrast
to sites that developed in the 2000s are generally advertising and allow sellers and
buyers to communicate directly by phone, but in Bukalapak, sellers and buyers are
not allowed to communicate directly because of potential fraud. In this case
Bukalapak will become a third party mediating transactions between the seller and the
buyer.
When a prospective buyer wants to buy an item from a seller in Bukalapak,
the buyer must make a payment transfer to Bukalapak first. If the transfer has
succeeded, Bukalapak will notify the seller that the payment has been received by
Bukalapak and the seller can make the delivery of goods that have been ordered buyer
via sms message. When the goods arrive at the buyer, the buyer confirms the receipt
of the goods to Bukalapak, and Bukalapak will transfer the purchase money to the
seller. With this guarantee program, if the buyer does not receive the goods until a
certain time limit, the buyer's funds will be refunded 100%. The homepage of
Bukalapak can be seen in picture 2.12.
Figure 2.12 Homepage of bukalapak.com

j. Qoo10.com
Qoo10 is a Southeast Asian e-commerce platform, formerly known as
GMarket, headquartered in Singapore [130][131]. It operates localized online
marketplaces across Singapore, Indonesia, Malaysia, China, and Hong Kong, and on
one international online marketplace. It optimizes its platform and services for small
and medium enterprise merchants [132]. Qoo10 was founded as a subsidiary of
Qoo10 Pvt. Ltd., in 2010 by Giosis Pvt. Ltd.[133], a joint venture between Gmarket
founder Ku Young Bae and eBay. The homepage of Qoo10 can be seen in picture
2.13.
The history of Qoo10 start In December 2007, Gmarket was established in
Japan. Gmarket was next established in Singapore in December 2008.. After that,iIn
April 2009, Ku Young Bae sold Gmarket to eBay . In May 2010, Giosis Pvt. Ltd. was
established as a joint venture between Ku and eBay to further develop Singapore and
Japan marketplaces, and expand in the region [134-139]. In March and April 2011,
Gmarket was established in Indonesia and Malaysia respectively.[citation needed] In
September, Gmarket launched its global marketplace. Next, in May 2012, Gmarket
was rebranded as Qoo10 [140]. In January 2013, Qoo10 was established in China.
Three years latter, in January 2015, Qoo10 was established in Hong Kong.[citation
needed]. In July, Giosis raises US$82.1 million in series a funding from Singapore
Press Holdings, eBay, Oak Investment Partners, Saban Capital Group, Brookside
Capital, and UVM 2 Venture Investments [101-103] The company stated their
intention to use the funds to accelerate Qoo10’s technology growth and service
development, while investing in additional infrastructure and talent acquisition [141-
143]. Finally In April 2018, eBay completes acquisition of Giosis Private Limited and
its Japan properties, including Qoo10.jp, which will operate independently from other
Qoo10 sites [144-146]. eBay relinquishes its stakes in Giosis' non-Japanese
businesses, which are moved under newly established parent company, Qoo10 Pvt.
Ltd.
Figure 2.13 Homepage of qoo10.com

2.3 Related Work

This study aims to analyze vulnerability assessment of ten Indonesian
ecomerse website based on OWASP standard. This section reviews six literatures of
related vulnerability assessment based works.
Rami M. F. Jnena cek tahun present a new analyzing tool for main two web
applications vulnerabilities, which are mainly SQL Injection and Cross Site Scripting
(XSS). To achieve this goal, a dynamically generate test requests that are applied
specifically to a given web application will be applied by the analysis tool. By doing
this analysis, our scanning will be apple to detect vulnerabilities of any web
application regardless if it’s for known web application or custom web application.
The analysis tool will conduct two tests; these t101ests will identify the common web
applications vulnerabilities that are SQL Injections and Cross Site Scripting (XSS).
The new scanning tool has been implemented in Perl scripting language under Linux
environment. The evaluation method used is an automatic exploiting for the detected
vulnerabilities which will verify the existence of vulnerability and minimize the false
positives that may exist by the scanning tool.These tests will be applied on web
applications input parameters so the tests will be parameter-based tests [147].
Samir Kumar Paudel try to find out the effectiveness of OWASP Zed Attack
Proxy, an open source and free integrated penetration testing tool for finding
vulnerabilities in web applications. Besides that, the secondary objectives were to
learn how to make web applications and try to find out the security loopholes of them.
Some vulnerabilities were successfully found by the application (OWASP Zed Attack
Proxy). Besides that, the developed prototype web application is a simple one. To test
the effectiveness of OWASP Zed Attack Proxy in more detail, the web application
should be more complex with various features. Being a prototype, it has limitations
regarding its full intended features. As only few features were implemented in the
prototype, there is a possibility to add more features to the web application as well as
testing it in the future [148].
Martin Kiigemaa analyzes how to create and implement automatic security
testing solution for Skype Web Development team´s web applications so that possible
attack attempts would stay as attempts. It is researched, which open source security
scanner would be wise to implement, considering there is already existing testing
automation framework in place, with what the security scanner should be integrated.
He used omparative analysis of suitable security testing scanners [149].
Fangqi Sun presents novel, practical program analyses to detect web
application vulnerabilities, especially application-specificones. It begins by providing
he first pureclient-side solution to detect XSS worms which exploit XSS
vulnerabilities. This dissertation formulates their respective core characteristics and
introduces corresponding server-side techniques to detect them. Specifically, for
access control vulnerabilities, it describes the first static analysis that infers and
enforces implicit access control assumptions, and for logic vulnerabilities in
ecommerce applications, it presents the first static detection of logic attacks that cause
incorrect payment status [150].
Yuliana Martirosy describes a web application that is intended to be used to
evaluate the efficiency of QualysGuard WAS and Acunetix WVS WAVS. The
application implements real-life scenarios that imitate the Open Web Application
Security Project (OWASP) Top Ten Security Risks that are presented in the wild
[151].
Ismaila Idris, Mohammad Umar Majigi, Shafii Abdulhamid, Morufu Olalere,
Saidu Isah Rambo analyzed security pertaining to 10 Ministries, Department and
Agencies (MDA‟s) websites. We found vulnerabilities in all websites with different
degree of security risk. To achieve the results we have cross tabulated vulnerabilities
found in these websites with their security risk level. As a result the research work
found that vulnerability A4insecure direct object reference with 49% is the main
contributor of web security risk in MDA’s websites. Apart from this it is clearly
evident that majority of the vulnerabilities found in MDA’s websites belongs to
informational risk group with percentage 45.82% but still few high impacting
vulnerabilities exists and needs to be handle without delay [152].
From the description above, it can be seen that the previous research focused
on the implementation and methods for finding security holes on a website. It is still
very difficult to find research related to the security vulnurability on ecommerce

websites in Indonesia. This encourages the writer to do research related to this.
CHAPTER 3
PENETRATION TESTING
3.1 Penetration Testing

3.1.1 Definition
Kevin M Henry defines “Penetration testing is the simulation of an attack on a
system, network, piece of equipment or other facility, with the objective of proving
how vulnerable that system or "target" would be to a real attack” [153]. For this thesis
context, Penetration Testing is an attack to a web application. It is done intentionally
and with the permission of the owner of that application, in order to find
vulnerabilities in it. It helps developers to determine the areas where they are strong
enough for defending outside attacks and also flaws in their codes that they need to
improve in order to make the application secure. It is a part of a security audit. It not
only identifies the vulnerabilities but also suggests remedies.
3.1.2 Objective
The main objective of Penetration Testing is to help making an application
secure by finding vulnerabilities so that the developers can fix them before it is
attacked in real. But it also depends on the goal of the company regarding Penetration
Testing. For example, it can be done to test the organization's security policy
compliance, its employees' security awareness and the organization's ability to
identify and respond to security incidents [154]. It also helps to access the possible
loss or other consequences on resources or data in case of attack. Some general
objectives include to prevent a data breach, to test an application’s security control, to
ensure that the application is secure before making available for a real use and to get a
baseline information about overall security strengths and weaknesses for making
security policies.
3.1.3 Testing Needs and Benefits
Depending on the types of data or resources an application holds, the
vulnerability in the application, and the service interruption associated with it, might
be costlier to the company. The security status of an application will not always
remain the same. An application, which is considered to be secure at a particular point

of time, might turn to vulnerable in near future. It is impossible to always protect all
the data and resources. So, a company continuously needs to identify, monitor, and
prioritize security risks for its application. The following paragraphs describe the
benefits of Penetration Testing [155].
One of the benefit of Penetration Testing is that it helps wisely manage
vulnerabilities. It provides detail information on all feasible threats, so that the
company can group the threats by their possible impact and make a security policy
accordingly.
It also helps minimize the possible loss of service interruption of the
application. Once the application is attacked, it can be costlier in terms of both time
and money to retrieve data and resources again. Penetration Testing lets the
authorities know in advance about the possible attack so that they can be well
prepared to tackle it. In this way the company can minimize the chances of heavy loss
due to a service interruption.
Penetration Testing can help preserve the company reputation and maintain customer
loyalty. Compromised confidential data results losing reputation and customer loyalty.
Penetration Testing lets the authorities know the vulnerabilities beforehand so that
they can take preventive actions to protect confidential data and other resources from
attackers.
3.1.4 Testing Frequency
Penetration Testing should be performed on a regular basis to ensure
consistency, security, and smooth running of the application. It helps find out the new
and emerging security threats that attackers may exploit so that preventive actions can
be taken before attackers do their job. But apart from regular testing, the following
are some specific instances when it is necessary to perform Penetration Testing [155]:
a. Before starting the real use of the application
b. If new applications are added to the system
c. When significant upgrades or modifications are applied to the application
d. After security patches are applied
e. If end user policies are modified

3.1.5 Process of Penetration Testing
The Process or Steps are all the activities that are involved from the beginning to
the end of Penetration Testing. The following are only a brief description of steps
involved in the testing (see figure 3.1). Further information can be acquired from
SANS Institute InfoSec Reading Room [156].
Collect
information
Discover or identify the

entry points to the
network
Start exploitation of
vulnerabilities
Take control of the

application
Evidence
collecting
Reporting
Suggesting remedies
for the vulnerabilities
Figure 3.1 Flowchart of penetration testing

a. Determine the immediate goal of the test, for example to breach a personal
information database
b. Collect information about the way to get to the target, for example to the
database
c. Discover or identify the entry points to the network, for example performing
port scanning
d. Start exploitation of vulnerabilities using different techniques, for example

brute forcing or phishing
e. Take control of the application, for example doing things which are not
allowed to do
f. Evidence collecting, for example evidence collection of things done while
taking control of the app
g. Reporting, it involves writing a report about everything from the beginning to
the end of testing
h. Suggesting remedies for the vulnerabilities found while testing
3.2 OWASP ZAP

3.2.1 Introduction
OWASP Foundation is a non-profit organization. “OWASP is an international
organization and the OWASP Foundation supports OWASP efforts around the world”
[157]. OWASP is working in the field of web application security. ZED Attack Proxy
is an OWASP flagship project, also known as ZAP. It is a tool used to find
vulnerabilities in web applications. OWASP defines ZAP as an easy to use integrated
web application penetration testing tool to find vulnerabilities [158]. It is a free and
open source software designed to use both by beginners and professional penetration
testers. It is ideal for developers and functional testers for automated security test. But
it should be used either by own applications or the ones which have been authorized
to test “(ibid.)”
According to OWASP, there are some key principles behind ZAP. It is a free
and an open source software. It does not have and will never have a commercial or
pro version. It is a Cross Platform software, i.e. it can be used in different Operating
Systems. It is easy to install and use. It requires Java pre-installed to install ZAP.
Nothing else is needed. There are some videos available in the youtube. They help
installing the software and learning how to use it. It has a full set of documentations
to get help with. It can work well with other tools. Tools can be found from add-ons.
It has supports many languages. Involvement is actively encouraged. It can reuse well
regarded components [159]. OWASP ZAPlayout can be seen in figure 3.2.
Figure 3.2. OWASP ZAP layout.
3.2.2 ZAP Features

a. Intercepting Proxy
ZAP is an intercepting proxy. This means that all the requests from the user to
the web application and all the responses from the web application to the user
browser can be seen through ZAP. It operates as a man-in-the-middle between the
browser and the target application. It can intercept or modify any http/s traffic passing
in both directions.
b. Active and Passive Scanners
Active Scanner actively attacks to the target application to find vulnerabilities
while Passive Scanner only scans the responses from the application to the browser.
So active scanning is riskier as it can make damage to the application. Therefore, it
cannot be used without the permission of the owner of the application. And before
starting Active Scanner for scanning the application, a backup of all data is strongly
recommended. Passive Scanner is safe to use as it does not modify the responses
received from the application.
b. Traditional and Ajax Spiders
The Spider is used to search for new pages (URLs), and links of other
websites on a particular website. First, when the application is browsed manually,
ZAP lists some URLs found on the manually visited pages. When Spider starts, it
first looks those listed URLs to find new links or URLs. If found any, it adds the
URLs on the list and again visits those newly found URLs. And this process will
continue until it finds new URLs or links. Both Traditional and Ajax Spiders are for
the same purpose. The first one is used for finding other than Ajax rich resources
while the second one is to find Ajax rich web pages because they are more effective
than Traditional Spiders.
c. WebSockets Support
WebSocket is a protocol that provides a two-way communication (full duplex)
channel through a single TCP socket over the web [160]. ZAP is able to provide
WebSocket support. ZAP can see, intercept, change, and even fuzz all the WebSocket
communications, or it can send new WebSocket messages. Detail information can be
found from github zaproxy article [161].
d. Forced Browsing (using OWASP DirBuster code)
Forced Browsing is a kind of attack where the attacker tries to enumerate or
access the restricted resources which have no reference or any link in the application
but exist and can be accessible [162]. Brute Force techniques are used for a Forced
Browsing attack in which the attackers either guess or use automated tools to find
unlinked URLs within the application [163]. The OWASP Forced Browsing attack is
based on their DirBuster project [164]. It is a multi-threaded Java application which is
designed to brute force the unlinked directories in the application. For further reading,
please refer to OWASP [165].
e. Fuzzing (using fuzzdb and OWASP JBroFuzz)
Fuzzing or Fuzz Testing is a software testing technique to find
implementation bugs and coding errors. In Fuzz Testing, an attempt is made to make
the application (software) crash by delivering a random, invalid or unexpected user
inputs value to the application (software) and then monitoring to see if it crashes. If
the application crashes or fails with the random user input value, then there may be a
security issue. ZAP performs Fuzzing through the JBroFuzz project code which
includes files from the fuzzdb projects [166].
f. Online Add-ons Marketplace (Extensibility)
ZAP is an open source project of OWASP. One of the ZAP principle is
involvement of people as much as possible. It helps ZAP grow in terms of its usage
and also extend the services it provides. To make active participation and contribution
to a further development easier, there is an online marketplace provision for add ons
in ZAP, where one can write and upload (through Google code project), download,
and install add-ons dynamically. Add-ons extend ZAP functionality.
g. Developer Features
As OWASP mentioned [167], there are so many developer features in ZAP. It
has an easy-to-use quick start tab. One just needs to enter the URL and click the
attack button and attack the application. There is a provision of REST API which
allows to interact with ZAP programmatically. It is useful for security regression tests
[168]. It can be accessed directly or via one of the client implementations. It has Java
and Python API Clients support. When using ZAP UI, if one wants to use API, it
should be enabled in the options API screen in the UI. ZAP can also be run in
Headless Mode. If it runs in Headless Mode, API is automatically enabled.
ZAP has an Anti CFRS Token Handling mechanism. ”Anti CSRF tokens are
(pseudo) random parameters used to protect against Cross Site Request Forgery
(CSRF) attacks” [169]. ZAP has provision for different kinds of authentication to use
in the web application. Authentication methods have been defined in the context
according to which authentication is handled. It has an Auto Updating feature for its
add-ons. Add-ons can be updated even if ZAP is running. One does not even need to
restart ZAP. It is always a good idea to check for updates for different add-ons before
testing the application.
The latest version of ZAP (ZAP 2.4.3) has 4 different modes of operation,
namely safe mode, protected mode, standard mode and attack mode. Safe mode can
be used with any web application as no harmful actions are allowed in safe mode. But
it is not useful for security testers. It is only useful for passive scanning. In protected
mode, only the URLs in the scope can be attacked. It is safe to use with URLs outside
of scope. Anything can be done in standard mode. So one should be careful while
using ZAP in standard mode. In attack mode, if new nodes are found in scope, ZAP
starts active scanning of the nodes immediately
3.2.3 Finding Issues Of The Website
ZAP creates a proxy server and makes your website traffic pass through that
server (see figure 3.3). It comprises of auto scanners that help you intercept the
vulnerabilities in your website.
Figure 3.3 Diagram of how ZAP works

To implement the penetration testing method using ZAP OWASP there are several
things to do. The steps that the authors will be explained bellow.
a. Setting up your ZAP Environment
In order to install ZAP you need to install JAVA 8+ to our Windows or Linux
system. If we use the Mac OS you don’t need JAVA as it’s already installed. Go to
https://java.com/en/download/ and install it. Download ZAP installer according to
your OS from official link (https://github.com/zaproxy/zaproxy/wiki/Downloads).
b. Determine the target
After Zap environment has been prepared, the target website is determined. The
website that is the target is ten Indonesian e-commerce websites, including:
https://www.lazada.co.id
https://www.mataharimall.com
https://www.blibli.com
https://www.zalora.co.id
https://www.jd.co.id
https://www.tokopedia.com
https://www.elevenia.com
https://www.shopee.com
https://www .bukalapak.com
https://www .qoo10.com
c. Starting OWASP ZAP
After we install the application to the default directory, you can start clicking
the OWASP ZAP icon on your Windows desktop. The default install directory;
C:\Program Files\OWASP\Zed Attack Proxy\ZAP.exe
As it is a Java application, alternatively you can run the following command
to start it. What it gives you extra configuration like scheduling your penetration test
or starting with a particular URL. This is how we do it;java -Xmx512m -jar zap-
2.7.0.jar.
Figure 3.4 Default startup dialog of OWASP ZAP

When we run the app, it asks you whether you want to save the session or not.
If we want to reach our website configuration or test results later, we should save the
session for later. The startup dialog can be seen in figure 3.4.
d. Setting SSL Certificate to Browser
Since all requests and responses are proxied by ZAP, the certificate verification
will fail for sites using SSL (HTTPS) and the connection will be terminated. To
prevent this from happening, ZAP generates an SSL certificate for each host, signed
by its own Certificate Authority (CA) certificate. This CA certificate (see figure 3.5)
is generated the first time ZAP is run, and is stored locally. To use the ZAP Proxy
with these websites, you will need to install ZAP’s CA certificate as a trusted root in
your browser. Go to Tools>Options>Dynamic SSL Certificate. Click Generate and
then click Save. Save the certificate in the desired location.Open your browser and
install the Certificate to your browser (Firefox, Chrome, IE) accordingly
Figure 3.5 SSL certificate in OWASP ZAP

e. Setting ZAP Configuration
There are also various spider and active scanner options which you should
double check – the defaults are good for most cases but may have been changed or
may not be suitable for your environment. These are accessible via the top level
“Tools/Options…” menu or from the relevant toolbar:
Be especially aware of the active scanner “Delay when scanning in
milliseconds” – this should usually be set to zero, particularly if the scan is taking too
long.The “Attack Strength” is also important – this is roughly the number of requests
you can expect each rule to make on every parameter on every page. All rules are
unique and some only ever use a very small number of requests, but in general
assume:
Low – to be up to 6 requests
Medium – to be up to 12 requests
High- to be up to 24 requests
Insane- to be over 24 requests, potentially hundreds
The default is Medium – you should not go higher than this if you are having
performance problems. In a future release we are planning on allowing the Attack
Strength to be configured on a per rule basis.
Also be aware that while the the “Handle anti CSRF tokens” option is very
useful if your application uses anti CSRF tokens, it can significantly impact
performance as it forces the scanner to run single threaded.
During our penetration tests, we use the regular spidering tool first to identify
URLs of the application being tested. Running the AJAX spider after the regular
spidering has helped us get a better map of all application resources in scope. ZAP
gives the option to automatically open the application via browser using Selenium
and explore the application through an event-driven dynamic crawling engine. This
eliminates the need for a manual walkthrough of the application to capture AJAX
requests. The parameter of spider that can be set in ZAP can be seen in picture 3.6.
Figure 3.6 Setting of spider parameter in ZAP OWASP

AJAX spidering is performed during a penetration test to discover requests on
an AJAX-rich web application, which cannot be discovered with the regular
Spidering tool. The AJAX spidering window can be accessed via ZAP -> Tools -
>AJAX Spider (on ZAP’s menu bar). The tool has configuration parameters such as
maximum depth to crawl, maximum crawl states, maximum duration and other
options to prevent the possibility of infinite crawling. The parameter of AJAX spider
that can be set in ZAP can be seen in picture 3.7.
Figure 3.7 Setting of AJAX Spider in OWASP ZAP

Active scanning attempts to find potential vulnerabilities by using known attacks
against the selected targets. Active scanning is configured using the Options Active
Scan screen. The rules that run are configured via Scan Policies (see picture 3.8).
Figure 3.8 Setting of Active scan in OWASP ZAP

ZAP by default passively scans all HTTP messages (requests and responses) sent
to the web application being tested. Passive scanning does not change the requests nor
the responses in any way and is therefore safe to use. Scanning is performed in a
background thread to ensure that it does not slow down the exploration of an
application. The (main) behaviour of the passive scanner can be configured using the
Options Passive Scanner Screen (see figure 3.9).
Figure 3.9 Setting of passive scan in OWASP ZAP

f. Spidering
In order to extract the tree of your website, we need to crawl the website in
JxBrowser. we should hit all the features, go thru all possible actions. The more you
explore your website, the more you get efficient results. ZAP include feature to
Spidering a website (see figure 3.10), it means crawling all the links and getting
structure of the website. If you access all aspects of the site while navigating your
website then strictly seeking you don't need to use the spider — that's there to pick on
things you missed or when proxying isn't an option.
Figure 3.10 Attack the website using spider feature

g. Attacking
Attacking is the main goal. We’ll start Active Scan. An active scan can insert
harmful data into your database. So run it only on the allowed websites. When we
click Start Scan, it’ll start a progress which can be time consuming depending on the
URL count (see figure 3.11).
Figure 3.11 Active scan in OWASP ZAP

h. Fuzzer
Fuzzing is sending unexpected or random data to the inputs of a website.
Normally we validate inputs on client-side that’s why we ignore some problems in
the back-end. When we fuzz key inputs (like a main search input of the website or the
login page inputs) we can see coding errors and security loopholes. This is an
optional security step.
To run Fuzzer, locate to the request you want to fuzz from left the pane (see
figure 3.12). Right click and choose Attack, then click Fuzz. In the Fuzzer window,
we’ll see the request post data. Click on the post data and highlight the text you want
to attack. On the right pane, click Add button. We’ll see Payloads window. Click Add
button again. In the Add Payload window, choose File Fuzzers from type combo box.
Select the file you want to use. This file is a database that will be used to brute force
to the input. When it finishes, the results will be listed on the bottom tab called Fuzzer.
The ones tagged with Fuzzed are suspicious and needs to be taken care
Figure 3.12 Fuzz feature in OWASP ZAP

i. Checking the result
After Scanning completes, ZAP shows the result summary in the form of
different categories of alerts. Basically, alerts are potential vulnerabilities and have
been categorized as high priority, medium priority, low priority, and informational
priority, which indicates the degree of associated risks. A high priority alert means
that an issue under this category is more serious than other priority alerts. Likewise,
medium priority alerts, low priority alerts, and informational priority alerts are
consecutively less and less serious. Alerts categories are indicated by different colour
flags. The complete result of this test will be describe in the next chapter.
CHAPTER 4
RESULT
4.1 Testing Result
Based on the results of the tests conducted, it was found a potential
vulnerability on ten ecommerce websites in Indonesia. The full description is seen in
the following discussion.
1. Lazada.co.id
On lazada.com there are eight types of potential vulnerability. Table 4.1
shows the result of the test. One of them is in the medium risk category, while seven
others are in the low risk category.
Table 4.1 Number of vulnerability alert and risk level found in Lazada.co.id
Risk Level Number Of Alert
High 0
Medium 1
Low 7
On this website Cross-Domain JavaScript Source File Inclusion is the most

common vulnerability found on this site. On the other hand Content-Type Header
Missing is the least found vulnerability. Details of the eight potential vulnerabilities
found can be seen in the table 4.2.
Table 4.2. Number of each vulnerability types of lazada.co.id
Potential
Risk
No. Alert Vulnerability
Level
Found
1 X-Frame-Options Header Not Set Medium 4219
Incomplete or No Cache-control and Pragma
2 HTTP Header Set Low 4219
Cross-Domain JavaScript Source File
3 Inclusion Low 12517
Potential
Risk
Level
Found
4 Web Browser XSS Protection Not Enabled Low 4309
5 X-Content-Type-Options Header Missing Low 4221
6 Cookie Without Secure Flag Low 709
7 Content-Type Header Missing Low 2
8 Cookie No HttpOnly Flag Low 3
2. Mataharimall.com
On mataharimall.com there are seven types of potential vulnerability. Table
4.3 shows the result of the test. One of them is in the medium risk category, while six
Table 4.3 Number of vulnerability alert and risk level found in mataharimall.com
High 0
Medium 1
Low 6

common vulnerability found on this site. On the other hand Cookie No HttpOnly Flag
is the least found vulnerability. Details of the six potential vulnerabilities found can
be seen in the table 4.4.
Table 4.4 Number of each vulnerability types of mataharimall.com
Potential
Risk
Level
Found
Potential
Risk
Level
Found
3 Inclusion Low 108
3. Blibli.com
On blibli.com there are nine types of potential vulnerability. Table 4.5 shows
the result of the test. Two of them are in the medium risk category, while seven others
are in the low risk category.
Table 4.5 Number of vulnerability alert and risk level found in blibli.com
High 0
Medium 2
Low 7
On this website Incomplete or No Cache-control and Pragma

HTTP Header Set is the most common vulnerability found on this site. On the other
hand Content-Type Header Missing is the least found vulnerability. Details of nine
potential vulnerabilities found can be seen in the table 4.6.
Table 4.6 Number of each vulnerability types of blibli.com
Potential
Risk
Level
Found
1 Session ID in URL Rewrite Medium 1
Potential
Risk
Level
Found
4. Zalora.co.id
On blibli.com there are ten types of potential vulnerability. Table 4.7 shows
the result of the test.Two of them are in the medium risk category, while eight others
are in the low risk category.
Table 4.7 Number of vulnerability alert and risk level found in zalora.com
High 0
Medium 2
Low 8
On this website Cookie Without Secure Flag is the most common

vulnerability found on this site. On the other hand Content-Type Header Missing is
the least found vulnerability. Details of ten potential vulnerabilities found can be seen
in the table 4.8.
Table 4.8. Number of each vulnerability types of zalora.com

Potential
Risk
Level
Found
1 Application Error Disclosure Medium 3
10 Private IP Disclosure Low 2
5. Jd.id
On jd.id there are eight types of potential vulnerability. Table 4.9 shows the
result of the test.One of them is in the medium risk category, while seven others are in
the low risk category.
Table 4.9 Number of vulnerability alert and risk level found in jd.id
High 0
Medium 1
Low 7

common vulnerability found on this site. On the other hand Cookie No HttpOnly
Flag is the least found vulnerability. Details of eight potential vulnerabilities found
can be seen in the table 4.10.
Table 4.10 Number of each vulnerability types of jd.id
Potential
Risk
Level
Found
6. Tokopedia.com
On tokopedia.com there are eight types of potential vulnerability. Table 5.11
shows the result of the test.Two of them are in the medium risk category, while six
Table 4.11 Number of vulnerability alert and risk level found in mataharimall.com
High 0
Medium 2
Low 6

common vulnerability found on this site. On the other hand Cookie No HttpOnly
Flag is the least found vulnerability. Details of eight potential vulnerabilities found
Table 4.12 Number of each vulnerability types of tokopedia.com
Risk Potential
No. Alert
Level Vulnerability Found
1 Multiple X-Frame-Option Header Entries Medium 126

7. Elevenia.com
On elevania.com there are eight types of potential vulnerability. Table 4.13
Table 4.13 Number of vulnerability alert and risk level found in elevania.com
High 0
Medium 2
Low 6
On this website X-Content-Type-Options Header Missing is the most

common vulnerability found on this site. On the other hand Secure Page Include
Mixed Content is the least found vulnerability. Details of eight potential

vulnerabilities found can be seen in the table 4.14.
Table 4.14 Number of each vulnerability types of elevania.com
Risk Potential
No. Alert
Level Vulnerability Found

7 Secure Page Include Mixed Content Low 1
8. Shopee.com
On shopee.com there are ten types of potential vulnerability. Table 4.15 shows
the result of the test.Three of them are in the medium risk category, while seven
Table 4.15 Number of vulnerability alert and risk level found in shopee.com
High 0
Medium 3
Low 7
On this website X-Content-Type-Options Header Missing is the most

common vulnerability found on this site. On the other hand X-Frame-Options Setting
Malform is the least found vulnerability. Details of ten potential vulnerabilities found
Table 4.16 Number of each vulnerability types of shopee.com
Potential
Risk
Level
Found
2 X-Frame-Options Setting Malform Medium 1
5 Inclusion Low 512
9. Bukalapak.com
On bukalapak.com there are eight types of potential vulnerability. Table 4.17
Table 4.17 Number of vulnerability alert and risk level found in bukalapak.com
High 0
Medium 2
Low 6
common vulnerability found on this site. On the other hand X-Frame-Options Header
Not Set is the least found vulnerability. Details of ten potential vulnerabilities found
Table 4.18 Number of each vulnerability types of bukalapak.com
Potential
Risk
Level
Found
10. Qoo10.com
On qoo10.com there are eight types of potential vulnerability. Table 4.19
shows the result of the test.One of them is in the medium risk category, while seven
Table 4.19 Number of vulnerability alert and risk level found in qoo10.com
High 0
Medium 1
Low 7

common vulnerability found on this site. On the other hand Web Browser XSS
Protection Not Enabled is the least found vulnerability. Details of eight potential
vulnerabilities found can be seen in the table 4.20.
Table 4.20 Number of each vulnerability types of qoo10.com
Potential
Risk
Level
Found
8 Private IP Disclosure Low 494
4.2 Vulnerability Analysis
4.2.1 Vulnerability Mapping and Comparison
Based on the test result, fifteen types of security holes were obtained. After all
the data is combined, it appears that Cross-Domain JavaScript Source File Inclusion
is the most common security gap found in the ten websites. Whereas Session ID in
URL Rewrite, Secure Page Include Mixed Content, X-Frame-Options Settings
Malforms are the least found security holes. Details of the security vulnerability type
ratings found in this test can be seen in the table 4.21.
Table 4.21 Rank of vulnerabilities found in all website
No Alert Total Percent Rank
1 X-Frame-Options Header Not Set 9557 8.0850 5
2 HTTP Header Set 11936 10.0976 3
No Alert Total Percent Rank

3 Inclusion 56147 47.4993 1
4 Web Browser XSS Protection Not Enabled 9986 8.4480 4
5 X-Content-Type-Options Header Missing 12831 10.8548 2
6 Cookie Without Secure Flag 8713 7.3710 6
7 Content-Type Header Missing 1452 1.2284 8
8 Cookie No HttpOnly Flag 6940 5.8711 7
9 Session ID in URL Rewrite 1 0.0008 13
10 Application Error Disclosure 19 0.0161 11
11 Private IP Disclosure 2 0.0017 12
12 Multiple X-Frame-Option Header Entries 126 0.1066 10
13 Secure Page Include Mixed Content 1 0.0008 13
14 X-Frame-Options Setting Malform 1 0.0008 13
15 Private IP Disclosure 494 0.4179 9
The percentage of the data above can be seen in the diagram below (figure 4.1).
Vulnerability Threats Rank Based On

Testing Result
0%
X-Frame-Options Header Not Set
0%
0% Incomplete or No Cache-control and Pragma
HTTP Header Set
0% 0%
0% 0% Inclusion
1%
Web Browser XSS Protection Not Enabled
6% 8%
X-Content-Type-Options Header Missing
7%
10%
Cookie Without Secure Flag
Content-Type Header Missing

11%
Cookie No HttpOnly Flag
Session ID in URL Rewrite

9%
Application Error Disclosure
Private IP Disclosure
48%
Multiple X-Frame-Option Header Entries
Secure Page Include Mixed Content
X-Frame-Options Setting Malform
Private IP Disclosure
Figur 4.1 Chart of vulnerability rank based on testing result.

When we view from the types of vulnerability that are owned, the website
Mataharimall.com becomes a website with the least type of vulnerability.
Mataharimall.com has seven types of potential vulnerability. Whereas zalora.com and
shopee.com are the websites with the most types of potential vulnerability. The full
data can be seen in the table 4.22.
Table 4.22 Number of vulnerability type found on each website

Potential Vulnerability
No Website
Type Found
1 lazada.co.id 8
2 Mataharimall.com 7
3 Blibli.com 9
4 Zalora.co.id 10
5 Jd.co.ic 8
6 Tokopedia.com 8
7 Elevenia.com 8
8 Shopee.com 10
9 Bukalapak.com 8
10 Qoo10.com 8
When we look from the number of potential vulnerabilities of each type of

security hole, lazada.com site is a site that has the greatest number of potential
vulnerability. Whereas Mataharimall.com is the site with the fewest potential
vulnerability. The data can be seen in the table 4.23 and figure 4.2.
Table 4.23 Number of each vulnerability type found on each website
Total Potential
No Website Rank
Vulnerability Found
1 lazada.co.id 30199 1
2 Mataharimall.com 755 10
3 Blibli.com 10882 5
4 Zalora.co.id 4274 7
5 Jd.co.ic 20248 3
6 Tokopedia.com 2441 9
7 Elevenia.com 9009 6
8 Shopee.com 3876 8
9 Bukalapak.com 25529 2
10 Qoo10.com 10993 4
35000
30000
25000
20000
15000
10000
5000
0
1 2 3 4 5 6 7 8 9 10
Figure 4.2 Chart of total number vulnerability found on each website
4.2.2 Vulnerability Description and Recommendation Solution

Berdasarkan standar OWASP celah kemanan yang telah ditemukan memiliki solusi
yang direkomendasikan. Penjelasan mengenai masing-masing celah keamanan dan
recomendasi solusinya adalah sebagai berikut.
1. X-Frame-Options Header Not Set
Description:
X-Frame-Options header is not included in the HTTP response to protect
against 'ClickJacking' attacks.
Recommendation solution:
Most modern Web browsers support the X-Frame-Options HTTP header.
Ensure it's set on all web pages returned by your site (if you expect the page to
be framed only by pages on your server (e.g. it's part of a FRAMESET) then
you'll want to use SAMEORIGIN, otherwise if you never expect the page to
be framed, you should use DENY. ALLOW-FROM allows specific websites
to frame the web page in supported web browsers).
2. Incomplete or No Cache – control and Pragma HTTP Header Set
Description:
The cache-control and pragma HTTP header have not been set properly or are
missing allowing the browser and proxies to cache content.
Whenever possible ensure the cache-control HTTP header is set with no-cache,
no-store, must-revalidate; and that the pragma HTTP header is set with no-
cache.
3. Cross-Domain JavaScript Source File Inclusion
Description:
The page includes one or more script files from a third-party domain.
Ensure JavaScript source files are loaded from only trusted sources, and the
sources can't be controlled by end users of the application.
4. Web Browser XSS Protection Not Enabled
Description:
Web Browser XSS Protection is not enabled, or is disabled by the
configuration of the 'X-XSS-Protection' HTTP response header on the web
server
Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-
Protection HTTP response header to '1'.
5. X-Content-Type-Options Header Missing
Description:
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to
'nosniff'. This allows older versions of Internet Explorer and Chrome to
perform MIME-sniffing on the response body, potentially causing the
response body to be interpreted and displayed as a content type other than the
declared content type. Current (early 2014) and legacy versions of Firefox will
use the declared content type (if one is set), rather than performing MIME-
sniffing.Recommendation solution:
Ensure that the application/web server sets the Content-Type header

appropriately, and that it sets the X-Content-Type-Options header to 'nosniff'
for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern
web browser that does not perform MIME-sniffing at all, or that can be
directed by the web application/web server to not perform MIME-sniffing.
6. Cookie Without Secure Flag
Description:
A cookie has been set without the secure flag, which means that the cookie
can be accessed via unencrypted connections.
Whenever a cookie contains sensitive information or is a session token, then it
should always be passed using an encrypted channel. Ensure that the secure
flag is set for cookies containing such sensitive information.
7. Content-Type Header Missing
Description:
The Content-Type header was either missing or empty.
Ensure each page is setting the specific and appropriate content-type value for
the content being delivered.
8. Cookie No HttpOnly Flag
Description:
A cookie has been set without the HttpOnly flag, which means that the cookie
can be accessed by JavaScript. If a malicious script can be run on this page
then the cookie will be accessible and can be transmitted to another site. If this
is a session cookie then session hijacking may be possible.
Ensure that the HttpOnly flag is set for all cookies.
9. Session ID in URL Rewrite
Description:
URL rewrite is used to track user session ID. The session ID may be disclosed
via cross-site referer header. In addition, the session ID might be stored in
browser history or server logs.
For secure content, put session ID in a cookie. To be even more secure
consider using a combination of cookie and URL rewrite.
10. Application Error Disclosure
Description:
This page contains an error/warning message that may disclose sensitive
information like the location of the file that produced the unhandled exception.
This information can be used to launch further attacks against the web
application. The alert could be a false positive if the error message is found
inside a documentation page.
Review the source code of this page. Implement custom error pages. Consider
implementing a mechanism to provide a unique error reference/identifier to
the client (browser) while logging the details on the server side and not
exposing them to the user.
11. Private IP Disclosure
Description:
A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2
private hostname (for example, ip-10-0-56-78) has been found in the HTTP
response body. This information might be helpful for further attacks targeting
internal systems.
Remove the private IP address from the HTTP response body. For comments,
use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can
be seen by client browsers.
12. Multiple X-Frame-Option Header Entries
Description:
X-Frame-Options (XFO) headers were found, a response with multiple XFO

header entries may not be predictably treated by all user-agents.
Ensure only a single X-Frame-Options header is present in the response.
13. Secure Page Include Mixed Content
Description:
The page includes mixed content, that is content accessed via HTTP instead of
HTTPS.
A page that is available over SSL/TLS must be comprised completely of
content which is transmitted over SSL/TLS.
The page must not contain any content that is transmitted over unencrypted
HTTP.
This includes content from third party sites.
14. X-Frame-Options Setting Malform
Description:
An X-Frame-Options header was present in the response but the value was not
correctly set.
Ensure a valid setting is used on all web pages returned by your site (if you
expect the page to be framed only by pages on your server (e.g. it's part of a
FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never
expect the page to be framed, you should use DENY. ALLOW-FROM allows
specific websites to frame the web page in supported web browsers).
15. Private IP Disclosure
Description:
A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2
private hostname (for example, ip-10-0-56-78) has been found in the HTTP
response body. This information might be helpful for further attacks targeting
internal systems.
Remove the private IP address from the HTTP response body. For comments,
use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can
be seen by client browsers.
CHAPTER 5
CONCLUSION AND FURTHER WORK
5.1 Conclusion
From this research, the author found that penetration testing is the right
method for finding a website's security vulnerability. The author managed to find
various potential vulnerabilities on the website with this method. This is in line with
some of the research that has been done before. Besides that, OWASP ZAP is an
open source tool that can be used to find security vulnerability. This is also proven by
the complete features provided by OWASP ZAP to find various security holes on the
target website. Although manual checking must be done to improve the accuracy of
the results obtained.
Based on the results of research, ecommerce websites in Indonesia still have
potential security vulnerabilities that can be exploited. This can be seen from the fact
that there are potential low-level and medium risks found of vulnerability in these
websites. Even though there is no high level of vulnerability risk, fixing potential
security problem with medium and low risk levels is still important considering the
ecommerce website has a variety of very important data that must be maintained so
that it is not easily hacked by irresponsible parties.
In this study, researcher found 15 types of potential security vulnerabilities on
the top ten Indonesian e-commerce websites. Based on the test results, fifteen types of
potential security vulnerability were obtained. After all the data is combined, it
appears that Cross-Domain JavaScript Source Files Inclusion is the most common
security gap found in the ten websites. Whereas Session ID in URL Rewrite, Secure
Page Include Mixed Content, X-Frame Settings, Malforms are the least found
security holes.
If we view from the types of vulnerability that are owned, the website
Mataharimall.com becomes a website with the least type of vulnerability.
Mataharimall.com has seven types of potential vulnerability. Whereas zalora.com and
shopee.com are websites with the most types of potential vulnerabilities. If we look
from the number of potential vulnerabilities of each type of security hole, lazada.com
is the website that has the greatest number of potential vulnerability. Whereas
Mataharimall.com is the site with the fewest potential vulnerability
5.2 Further Work
Although the author managed to find potential security vulnerability on
ecommerce websites in Indonesia, in the future there are some improvements that
still need to be done to get better testing results. Those improvements for further
research include:
1. Check the false-positives for each security problem found.
2. Using additional tolls to get a comparison of the results of searching for
website vulnerability.
3. Perform manual checking for each security problem found.
4. Perform testing to the access core (server) so that it gets more optimal
testing results.
REFERENCES
[1] Digitalreport wearesocial. [01.10.2018] https://digitalreport.wearesocial.com.

[2]Internetworldstats.2018.World Internet Usage and Population Statistics.[2018-10-1].
https://www.internetworldstats.com/stats.htm
[3]Wearesocial. 2018. Global Digital Report.[2018-10-1]. https://wearesocial.com/blog/2018/01/
global-digital-report-2018
[4]Mulpuru, S., Vikram, S., Patti, F. E., Andy, H.,Douglas,R.:US Online Retail Forecast, [2018-
10-1]https://www.forrester.com/report/US+Online+Retail+Forecast+2011+To+2016/-/E-
RES60672
[5]Ptsecurity. Web Application Attack Trends 2017. [02.10.2018].https://www.ptsecurity.com
[6]The Open Web Application Security Project (OWASP) Foundation. Top Ten Web Application
Security Risks.(2011-01-18).[2018-10-1].http://www.owasp.orgindex.php/ Category:OWASP_
Top_Ten_Project
[7]Nahari, H. & Krutz, R. L. “Web Commerce Security: Design and Development.” John Wiley
& Sons, 2011.
[8]National Institute of Standards and Technology (NIST). National Vulnerability Database.
[2018-10-1], from: http://nvd.nist.gov/.
[9]OWASP Home Page. Date of [02.10.2018]. https://www.owasp.org/index.php/Main_Page.
[10]IBM Developer Work Library. [2018-10-2] http://www.ibm.com/developerworks/library/se-
owasptop10/
[11]The Open Web Application Security Project(OWASP) Foundation: Top Ten Web
Application SecurityRisks. [2018-10-1].http://www.owasp.org/index.php/Category: OWASP_
Top_ Ten _ P roject
[12]Singh, U. K., Chanchala, J., Neha G.: Information security assessment by quantifying risk
level of network vulnerabilities. International Journal of Computer Applications, vol. 156.2, pp.
37-44, 2016
[13] Shema, M. 2011.Qualys Security Labs. Why You Should Always Use HTTPS
[14]The Three Tenants of Cyber Security. U.S. Air Force Software Protection Initiative. [2018-
10-1].
[15]Oracle. Defending Against SQL Injection Attacks,2009. [2018-10-11].Oracle Learning
Library: http://apex.oracle.com/pls/apex/f?p=44785:1:4073230388602787::NO.
[16]The Web Application Security Consortium (WASC). XML Injection, 2010. [2018-11-
10].Project: WASC Threat Classification: http://projects.webappsec.org/w/page/
13247004/XML%20Injection
[17]The Web Application Security Consortium (WASC). OS Commanding, 2010. [2018-10-
2].Project: WASC Threat Classification: http://projects.webappsec.org/w/page/
13246950/OS%20Commanding
[18]The Web Application Security Consortium (WASC).SSI Injection, 2010.[2018-11-10].Project:
WASC Threat Classification: http://projects.webappsec.org/w/page /13246964/SSI%
20Injection
[19]Oracle Corporation. [2018-10-2].http://www.java.com/en/.
[20]Microsoft.Active Server Pages, web application framework.[2018-10-2].ASP.NET:
http://www.asp.net.
[21]PHP. Hypertext Preprocessor, server-side scripting language, 2012. [2018-10-2].PHP:
http://www.php.net/..
[22]Kirk, J. Anonymous breaches San Francisco's public transport site, 2011. [2018-11-
2].Network World: http://www.networkworld.com/news/2011/081511-anonymous-breaches-
sanfranciscos-public.html
[23]The Web Application Security Consortium (WASC). Cross-site Scripting, 2010. [2018-10-
14]. http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting
[24]The Web Application Security Consortium (WASC). DOM Based Cross Site Scripting or
XSS of the Third Kind, 2005.[2018-11-10]. http://www.webappsec.org/projects/articles/
071105.shtml
[25]Public-Key Cryptography Standards (PKCS). PKCS#11: Cryptographic Token Interface
Standard, 2011. “PKCS #15: Cryptographic Token Information Format Standard”, 2011.
[26]Michigan State University. “Biometrics: Overview”, 2007. [2018-11-10].
http://www.biometrics.cse.msu.edu
[27]thc-hydra. THC Hydra 7.1, 2011. [10.11.2018]. http://www.thc.org/thchydra/
[28]CodeDX. 2016. Insecure Direct Object References. [2018-11-10].
http://codedx.com/insecure-direct-object-references/
[29]G. Lawton “Web 2.0 Creates Security Challenges” IEEE Computer Society , Vol.40 (10) pp.
13 – 16, 2007.
[30]A. Barth, C. Jackson, J. C. Mitchell Robust defenses for cross-site request forgery,
Proceedings of the 15th ACM conference on Computer and communications security (CCS
'08), 2008.
[31]Payment Card Industry Security Standards Council (PCI). “Data Security Standards
Overview”. [10.11.2018]. https://www.pcisecuritystandards.org/security_standards/
[32]Payment Card Industry Security Standards Council (PCI). “Requirements and Security
Assessment Procedures. Version 2.0”, 2010.
[33]Oechslin, P. “Making a Faster Crytanalytical Time-Memory Trade-Off”, 2003. Advances in
Cryptology - CRYPTO 2003, 23rd Annual International Cryptology Conference. Santa
Barbara: Springer.
[34]Brodkin, J. (2007). Network World. “The top 10 reasons Web sites get hacked”, 2007.
[35]McAfee Corporation. Foundstone Hacme Series. [2018-11-10]. http://www.mcafee.com/us/
downloads/free-tools/index.aspx
[36]NT OBJECTives. NTOSpider.[10.11.2018].http://www.ntobjectives.com/security-software/
ntospider-application-securityscanner/
[37]Bau, J., Bursztein, E., Gupta, D., & Mitchell, J. “State of the Art: Automated Black-Box Web
Application Vulnerability Testing”, 2010. IEEE Symposium on Security and Privacy.
Washington, DC: IEEE Computer Society.
[38]Apache Software Foundation. Tomcat Server. [2018-11-10]. http://tomcat.apache.org/
[39]Acunetix Web Vulnerability Scanner, 2012. [2018-11-10].http://www.acunetix.com/
vulnerabilityscanner/ .
[40] D. Shelly. Using a Web Server Test Bed to Analyze the Limitations of Web Application
Vulnerability Scanners. Virginia Polytechnic Institute and State University. 2010.
[41]D. Byrne and E. Duprey. Grendel-Scan. [2018-11-10].http://www.grendel-scan.com/.
[42]N. Surribas. Wapiti. [2018-11-10].http://www.ict-romulus.eu/web/wapiti/.
[43]A. Riancho. W3AF-Web Application Attack and Audit Framework. [2018-11-10].http:
//w3af.sourceforge.net/.
[44] G. F. Lyon. NMAP.ORG. [10.11.2018].http://nmap.org/.
[45]Cenzic, Inc. Hailstorm Core and Hailstorm Starter. [2018-11-10].http://www.cenzic.com,
2010.
[46]N-Stalker. N-Stalker The Web Security Specialists. [2018-11-10].http://nstalker.com, 2010.
[47]Mavituna Security Ltd. Netsparker Web Application Security Scanner.
[15.11.2018].http://www.mavitunasecurity.com, 2010.
[48] PortSwigger. Burp Scanner. [2018-11-15].http://portswigger.net/.
[49]IBM. Rational AppScan Standard Edition. [2018-11-15].http://www-01.ibm.com, 2010.
[50]BuyServers Ltd. Falcove Web Vulnerability Scanner. [2018-11-
15].http://www.buyservers.net, 2008.
[51]Carahsoft Technology Corp. HP WebInspect software. [2018-11-15].
http://www.carahsoft.com/hp/products/webinspect, 2009.
[52] NT OBJECTives. NTOSpider. [2018-11-15].http://www.ntobjectives.com, 2010.

[53]Kevin M. Henry. 2012. Penetration Testing: Protecting Networks and Systems. IT
Governance Ltd. ISBN 978-1-849-28371-7.
[54]Bede Moore, “Karina Akib, Susie Sugden, E-commerce in Indonesia: A guide for Australian
business.” Amplitude (2018).
[55]Top performing online consumer goods retail in Indonesia. Ilmuonedata.
[15.11.2018].http://www.ilmuonedata.com/
[56]Lazada Funding. [2018-11-15].https://www.techinasia.com/lazada-250m-funding
[57]Akuisisi Lazada Oleh Alibaba. [2018-11-15].https://tekno.kompas.com/read/2016/04
/12/14233257/Raksasa.E-commerce.China.Alibaba.Akuisisi.Lazada
[58]Deny Adi Prasetyo (2015-2-25). [2018-11-15]."MatahariMall.com, e-Commerce Ambisius
dari Grup Lippo". Info Komputer.
[59] Mochamad Wahyu Hidayat (2015-9-9). "Resmi Meluncur, Mataharimall.com Tebar Diskon
Hingga 99%".[2018-11-15].Liputan6.com.
[60]Indira Rezkisari (2015-9-13). "Matahari Mall launches in Indonesia, with $500M funding
from Lippo Group, Aims to be "Alibaba of Indonesia"".[15.11.2018].Venture Capital Post.
[61]Oik Yusuf (2015-2-25). "Beli di MatahariMall.com, Barang Bisa Ambil Sendiri di Toko".
[2018-11-15].Kompas.com.
[62] "blibli.com Site Info".[2018-11-15]. Alexa Internet, Inc.
[63]Konsep Baru Belanja Online. [2018-11-15].http://www.eksekutif.co.id/gaya-hidup
/entertaiment/594-bliblicom-konsep-baru-belanja-online.html.
[64] Mengenal Zalora. [2018-11-15].http://www.radarsulteng.co.id/index.php/berita/detail/Rubrik
/42/1327
[65]"Dukungan J.P. Morgan untuk Zalora Indonesia".(29.9.2012). [2018-11-15].
famale.kompas.com.Kompas Gramedia Digital Group..
[66] Home page Zalora. [2018-11-18].www.zalora.com.
[67] Rocket internet project. [2018-11-18].www.rocket-internet.de.
[68] Gloria Natalia Dolorosa (26.3.2013). ZALORA INDONESIA: fokus garap produk fashion.
[2018-11-18].industri.bisnis.com. Bisnis Indonesia Group.
[69]Nur Intan Md Dawot, Jenny Landan Song, Hasnatul Balqies Hashim, Ab Razak Che Hussin.
Moving from B2C to Social Commerce: Case Study Zalora.com
[70]rival terbesar Alibaba, sang pemimpin pasar China. Venture Beat. 16.11.2015.
[71] Strategi JD Indonesia[18.11.2018].https://id.techinasia.com/strategi-jd-id-indonesia.
[72] JD.com – Jingdong Mall. BIIA. [2018-11-18].
[73] jd [2018-11-18].Jd.com.
[74] JD.id resmi beroperasi di Indonesia.[2018-11-18].JD.id
[75] Domain .id Lebih Cepat dan Aman, Ini Alasannya. [2018-11-18].Kompas Tekno. 14.2.2014.
[76] Press Release.(2015-9-06). [2018-11-18].https://id.techinasia.com/
[77]Anisa Menur A. Maulani (August 17, 2017). Tokopedia confirms US$1.1B investment led by
Alibaba. e27.co. [2018-11-18].
[78] Tokopedia.com Site Info. Alexa Internet. [2018-11-18].Amazon.com.
[79] Lee, Yoolim (11.12.2018).SoftBank Vision Fund, Alibaba Lead $1.1 Billion Tokopedia
Round. [2018-11-18].www.bloomberg.com.
[80] About Tokopedia. [18.11.2018].www.tokopedia.com.
[81] Wee, Willis (2016-04-08). "Indonesian marketplace Tokopedia raises $147m".[2018-11-18].
TechInAsia.com
[82] Russell, Jon.Alibaba leads $1.1B investment in Indonesia-based e-commerce firm Tokopedia.
TechCrunch. [2018-11-18].TechCrunch.com
[83] Tokopedia Secures $1.1b From Alibaba, SoftBank. [2018-11-18].Jakarta Globe.com
[84]Tokopedia [2018-11-18]https://www.techinasia.com/tokopedia-raises-11b-softbank-alibaba.
[85] Term Sheet: A Year of Mega-Deals, Fortune[.10.12.2018]. https://www.techinasia.com/

tokopedia-raises-11b-softbank-alibaba.
[86] Elevenia.co.id Site Info.[10.12.2018].Alexa Internet, Inc.
[87]Elevenia berpartisipasi di Dhawafest 2016.Indotelko".[10.12.2018].www.indotelko.com.
[88]Brand amasador elevania. [10.12.2018].http://www.tribunnews.com/techno/2016/02/10/raisa-
brand-ambassador-baru-elevenia.
[89] Meisia Chandra.What Indonesia’s new e-marketplace Elevenia has in store?,(26.4.2014)
[10.12.2018]. e27.com.
[90]Sylviana Hamdani.Elevenia Brings Open Marketplace to Your Handheld.(2014-
04) .[10.12.2018].Jakarta Globe.
[91]Brand amasador elevania. [10.12.2018].http://www.tribunnews.com/techno/2016/02/10/raisa-
brand-ambassador-baru-elevenia.
[92] Doddy Saputra.Branding, Elevenia Pakai Angka 11 untuk Elevenia Day,[10.12.2018].
Maketing.co.id
[93]Elevania and tiket.com collaborate.[10.12.2018].https://dailysocial.id/post/elevenia-and-tiket-
com-collaborate-to-present-air-ticket/.
[94]Elevania gelar grfand launching.[10.12.2018].http://www.antaranews.com/
berita/554248/elevenia-gelar-grand-launching-mokado.
[95]Garena Rebrands as Sea After Raising $550 Million in New Funding. (8.5.2017).
[10.12.2018].https://www.bloomberg.com/news/articles/2017-05-08/garena-rebrands-as-sea-
after-raising-550-million-in-new-funding.
[96]“Garena’s.Shopee could be on its way to beating Carousell in Asia”. (24.11.2015).
[10.12.2018].https://www.techinasia.com/shopee-p2p-marketplace-southeast-asia.
[97]Shopee: Localizing Ecommerce in Southeast Asia and Taiwan. [10.12.2018]
https://econsultancy.com/reports/shopee-localizing-ecommerce-in-southeast-asia-and-taiwan/
[98]5 disruptive ecommerce startups we saw in 2015. [10.12.2018].
https://www.techinasia.com/5-disruptive-ecommerce-startups-2015
[99]Garena And Its Quest To Take Down Carousell With Newly Launched Shopee App.
(3.8.2015).[10.12.2018].https://vulcanpost.com/328891/garena-joins-long-list-companies-
trying-take-carousell-newly-launched-shopee-app/
[100]Safe, easy shopping with Shopee. (9.8. 2015).[10.12.2018].
https://www.straitstimes.com/tech/games-apps/safe-easy-shopping-with-shopee.
[101]How Shopee plans to reign supreme in Southeast Asia’s fashion ecommerce scene.
(06.11.2017). [10.12.2018]. https://www.techinasia.com/shopees-plan-win-fashion-
ecommerce-southeast-asia.
[102]Garena’s Shopee could be on its way to beating Carousell in Asia. (2015-11-24).
[10.12.2018]. https://www.techinasia.com/shopee-p2p-marketplace-southeast-asia.
[103]5 disruptive ecommerce startups we saw in 2015.(2015-12-11). [10.12.2018].
https://www.techinasia.com/5-disruptive-ecommerce-startups-2015.
[104]Lazada slams Sea’s claim that Shopee is the top regional ecommerce player. (2017-09-27).
[10.12.2018]. https://www.techinasia.com/lazada-vs-sea-whos-top-ecommerce-player-in-
southeast-asia.
[105]Sea Limited Form F-1. U.S. Securities and Exchange Commission.(2017-10-18).
[10.12.2018]. https://www.sec.gov.
[106]CEO Chris Feng On Shopee's Rise In Southeast Asia, & Avoiding Carouhell. (2015-12-16).
[10.12.2018]. https://vulcanpost.com/486471/shopee-garena-marketplace-asia-carouhell/.
[107]Shopee partners up with Pos Malaysia. (2018-01-06). [10.12.2018] https://www.marketing-
interactive.com/.
[108]Bizzy acquires Alpha; Shopee partners Pos Indonesia. (2017-5-10).[10.12.2018].
https://www.dealstreetasia.com/stories/indonesia-db-b2b-e-commerce-bizzy-acquires-alpha-
shopee-partners-pos-indonesia-for-delivery-72245/.
[109]Shopee records 80 mil downloads over 2 years. (2017-11-22).[10.12.2018].

https://www.nst.com.my/business/2017/11/306106/shopee-records-80-mil-downloads-over-2-
years
[110]Sea’s losses widen amid revenue growth; president will step down end-2018.( 2018-02-28)
[10.12.2018]. https://www.techinasia.com/sea-q42017-results
[111]Who leads e-commerce in Malaysia? Lazada or Shopee? [10.12.2018]. https://e27.co/
[112]Shopee found to be the most popular e-commerce site for Indonesian mothers. (2018-04-
06) .[10.12.2018].Marketing Interactive..
[113]Shopee teams up with Facebook to help leading retail brands strengthen their eCommerce
presence. (2017-09-07).[10.12.2018].https://technology.mb.com.ph/2017/09/07/shopee-teams-
up-with-facebook-to-help-leading-retail-brands-strengthen-their-ecommerce-presence/
[114]Shopee opens online mall for consumers(2017-07-18).[10.12.2018]. https://sbr.com.sg/retail
/more-news/shopee-opens-online-mall-consumers.
[115]Shopee launches China Marketplace portal with free shipping to rival Lazada. Business
Insider Singapore.(2018-03-01).https://www.businessinsider.sg/shopee-launches-china-
marketplace-portal-with-free-shipping-to-rival-lazada/
[116]Garena Rebrands as Sea After Raising $550 Million in New Funding.(2017-05-
08).[10.12.2018].https://www.bloomberg.com/news/articles/2017-05-08/garena-rebrands-as-
sea-after-raising-550-million-in-new-funding
[117]Southeast Asia games firm Sea, formerly Garena, files for $1 billion US IPO. (2017-09-24).
[10.12.2018] https://techcrunch.com/2017/09/23/sea-files-for-a-1-billion-u-s-ipo/.
[118]The Winners Of The 2015 Vulcan Awards: GrabTaxi, Airbnb, WhatsApp & More!. (2015-
12-14). [10.12.2018].https://vulcanpost.com/483971/vulcan-awards-2015-winners/
[119]Bukalapak.com Traffic Statistics. Alexa Internet.[10.12.2018].Amazon.com.
[120]Bukalapak officially becomes indonesias fourth unicorn startup
[10.12.2018].https://www.thejakartapost.com/life/2018/01/11/bukalapak-officially-becomes-
indonesias-fourth-unicorn-startup.html.
[121]achmad zaky built bridge bukalapak.[10.12.2018].https://www.prestigeonline.com
/id/people-events/achmad-zaky-built-bridge-bukalapak/.
[122] .Ahmad Zaki[10.12.2018].https://endeavorindonesia.org/achmad-zaky/.
[123]Bukalapak trains small entrepreneurs one city at a time.[10.12.2018].
https://www.thejakartapost.com/news/2018/08/15/bukalapak-trains-small-entrepreneurs-one-
city-at-a-time.html.
[124] .Batavia incubator[10.12.2018].https://www.techinasia.com/batavia-incubator.
[125] .Gree ventures Bukalapak[10.12.2018].https://dailysocial.id/post/gree-ventures-bukalapak.
[126]EMTEK Suntikkan Dana Total 432,69 Miliar Rupiah ke Bukalapak.com.( 2016-05-
04).[10.12.2018].https://www.labana.id/view/emtek-suntikkan-dana-total-43269-miliar-rupiah-
ke-bukalapak-com/2016/05/04/
[127]Indonesian e-commerce unicorn Bukalapak raises
$50M. .[10.12.2018].https://techcrunch.com/2019/01/18/bukalapak-raises-50m/
[128]Bukalapak officially becomes Indonesias fourth unicorn startup.
[10.12.2018].https://www.thejakartapost.com/life/2018/01/11/bukalapak-officially-becomes-
indonesias-fourth-unicorn-startup.html.
[129]Qoo10. .[10.12.2018].crunchbase.com.
[130]EBay Is Close to $700 Million Deal for Qoo10's Japan Assets. bloomberg.com. Bloomberg.
[131]Can Qoo10 maintain its dominance in Singapore's e-commerce market?.
[10.12.2018].https://sbr.com.sg/retail/in-focus/can-qoo10-maintain-its-dominance-in-
singapores-e-commerce-market
[132]Company Overview of Giosis Pte.Lt. [10.12.2018].
https://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapId=113796866
[133]So-eui, Rhee (2009-04-16). .[10.12.2018].EBay to buy S.Korea's Gmarket for up to $1.2

billion. https://www.reuters.com/article/us-gmarket-ebay/ebay-to-buy-s-koreas-gmarket-for-
up-to-1-2-billion-idUSTRE53F0PI20090416
[134]Shankland, Stephen.eBay buying out Gmarket, as Yahoo exits. (2009-04-16).[10.12.2018].
https://www.cnet.com/news/ebay-buying-out-gmarket-as-yahoo-exits/
[135]Kim, Hyun-cheol."eBay to Take Over Gmarket for $1.2 Billion".(2009-04-16)
[10.12.2018].http://www.koreatimes.co.kr/www/news/biz/2009/04/123_43301.html..[136]Bass,
Dina (2010-05-07). EBay, Gmarket's Ku in Japan, Singapore Joint Venture.
[10.12.2018].https://www.bloomberg.com/news/articles/2010-05-06/ebay-gmarket-founder-
young-bae-ku-create-japan-singapore-joint-venture.
[137]Rao, Leena.eBay Partners With Gmarket Founder For $20 Million Expansion Into Japan
And Singapore. (2010-05-06).[10.12.2018].https://techcrunch.com/2010/05/06/ebay-partners-
with-gmarket-founder-for-20-million-expansion-into-japan-and-singapore/
[138]eBay and Gmarket Founder Plan Asia Expansion Through Joint Venture.
[10.12.2018].www.ebayinc.com. .
[139]Wee, Willis.Gmarket Singapore, Japan, Malaysia, and Indonesia to Rebrand to Qoo10.
(2012-04-17) [10.12.2018].https://www.techinasia.com/gmarket-rebranded-to-qoo10
[140]Karekar, Rupali. SPH leads group investing $112m in Qoo10. (July 23, 2015).
https://www.straitstimes.com/business/companies-markets/sph-leads-group-investing-112m-
in-qoo10.
[141]Freischlad, Nadine. Ecommerce site Qoo10 locks up $82M in series A funding.(2015-07-22).
https://www.techinasia.com/qoo10-series-a-funding.
[142]Shu, Catherine. Ebay-Backed, Asian E-Commerce Company Giosis Lands $82.1M Series
A.(2015-07-23). [2018-12-10].https://techcrunch.com/2015/07/23/giosis-seriesa/
[143]Dastin, Jeffrey. EBay to buy Qoo10 Japan. other assets from Giosis. (2018-02-28). [2018-
12-10].https://www.reuters.com/article/us-giosis-japan-ebay/ebay-to-buy-qoo10-japan-other-
assets-from-giosis-idUSKCN1GB36C.
[144]Smith, Jake. eBay acquires Qoo10 Japan e-commerce platform. (2018-02-28).
https://www.zdnet.com/article/ebay-acquires-giosis-japan-business/
[145]eBay completes Qoo10 acquisition. (2018-07-23). [2018-12-10]. https://insideretail.asia/.
[146]Information Assurance Tools Report – Vulnerability Assessment. Sixth Edition, Revision by
Karen Mercedes Goertzel, with contributions from Theodore Winograd. 2011.
[147]Rami M. F. Jnena, Modern Approach for WEB Applications Vulnerability Analysis, The
Islamic University of Gaza.2013
[148]Samir Kumar Paudel, Vulnerable Web Applications And How To Audit Them, Oulu
University of Applied Sciences.2016.
[149]Martin Kiigemaa, Automated Security Testing Solution For Web Applications In Skype,
Tallinn University Of TECHNOLOGY Faculty of Information Technology Department of
Computer Science, 2014
[150]Fangqi Sun.Program Analyses of Web Applications for Detecting Application-Specific
Vulnerabilities.2013
[151]Yuliana Martirosyan, Security Evaluation of Web Application Vulnerability Scanners’
Strengths and Limitations Using Custom Web Application, Computer Science California State
University, 2012
[152]Ismaila Idris, Mohammad Umar Majigi, Shafii Abdulhamid, Morufu Olalere, Saidu Isah
Rambo, Vulnerability Assessment of Some Key Nigeria Government Websites, International
Journal of Digital Information and Wireless Communications (IJDIWC) 7(3): 143-152, 2017
[153]Rouse, M. 2011. pen test (penetration testing). [2018-12-10]. http://searchsoftwarequality.
techtarget.com/definition/penetration-testing
[154]Core Security. 2015. Penetration Testing Overview. [2018-12-10].
https://www.coresecurity.com/penetration-testing-overview
[155]Wai, C.T. 2002. Conducting a Penetration Test on an Organization. SANS Institute InfoSec
Reading Room, 3 – 9.[2018-12-10].https://www.sans.org/readingroom/whitepapers
/auditing/conducting-penetration-test-organization-67
[156]OWASP. 2016. About The Open Web Application Security Project. [2018-12-
10].https://www.owasp.org/index.php/About_OWASP
[157]zaproxy/zap-core-help. 2015. OWASP ZAP User Guide. [2018-12-10]. https://github.com/
zaproxy/zap-core-help/wiki/HelpIntro
[158]psiinon. 2012. OWASP Zed Attack Proxy - official tutorial: Overview. [2018-12-10].
https://www.youtube.com/watch?v=eH0RBI0nmww&list=PLEBitBWHlsv8cEIUntAO8st2UG
hmrjUB
[159]Wikipedia. 2016. WebSocket. [2018-12-10]. https://en.wikipedia.org/wiki/WebSocket
[160]zaproxy / zap-core-help. 2015. WebSocket. [2018-12-10].https://github.com/zaproxy/zap-
corehelp/wiki/HelpAddonsWebsocketIntroduction
[161]Hackingheart. 2012. Forced Browsing Attack. [2018-12-10].https://hackingheart.
wordpress.com/2012/07/03/forced-browsing-attack/
[162]OWASP. 2009. Forced browsing. [2018-12-10]. https://www.owasp.org/index.php/
Forced_browsing
[163]zaproxy / zap-core-help. 2015. Forced Browse. [2018-12-10].
https://github.com/ zaproxy/ zap-corehelp/wiki/HelpAddonsBruteforceConcepts
[164]OWASP. 2015. Category:OWASP DirBuster Project. [2018-12-10].https://www.owasp.org/
index.php/Category:OWASP_DirBuster_Project
[165]zaproxy / zap-core-help. 2015. Fuzzing. [2018-12-10]. https://github.com/zaproxy/zap-core-
help/wiki/HelpAddonsFuzzConcepts
[166]psiinon. 2013. FOSDEM 2013: Practical Security for developers using OWASP ZAP.
[2018-12-10].https://www.youtube.com/watch?v=QG2RCZHMEkM&list=PLEBitBWHlsv
8cEIUntAO8st2UGhmrjUB&index=5
[167]zaproxy / zaproxy. 2015. The ZAP API. [2018-12-10].https://github.com/
zaproxy/zaproxy/wiki/ApiDetails
[168]zaproxy / zap-core-help. 2015. Anti CSRF Tokens.[2018-12-10].https://github.com/
zaproxy/zap-core-help/wiki/HelpStartConceptsAnticsrf
[169]Rami M. F. Jnena, 2013. Modern Approach for WEB Applications Vulnerability Analysis,
The Islamic University of Gaza Deanery of Graduate Studies Faculty of Engineering
Computer Engineering Department .

Vulnerability Analysis of Indonesian Ecommerce Website

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vulnerability Analysis of Indonesian Ecommerce Website

Uploaded by

Copyright:

Available Formats

学校代码： 研究生学号： 1201590108

姓 名： Dona Pramana Pura

Master Candidate： Dona Pramana Pura

China University of Geosciences

ANALYSIS OF INDONESIAN ECOMMERCE WEBSITE》，是本人在导师的

Dona Pramana Pura

ANALYSIS OF INDONESIAN ECOMMERCE WEBSITE》，是在本人的指导

ANALYSIS OF INDONESIAN ECOMMERCE WEBSITE》，是在本人的指导

Keyword: ecommerce, web vulnerability, OWASP

本文基于 Open Web Application Security Project（OWASP）标准，对印

度尼西亚十大电子商务网站的潜在漏洞进行了测试。Open Web Application

潜在的脆弱性，但都没有高风险。跨域 javascript 源文件包含是十个网站中最常

见的安全问题。虽然 URL 重写中的会话 ID、安全页包含混合内容，但 X-

TABLE OF CONTENS .............................................................................................. I

Figure 1.1 Internet users per 100 inhabitants ............................................................. 1

Figure 1.1 Internet users per 100 inhabitants

Figure 1.2 Internet user growth based on country in 2017

Figure 1.3 Number of attacks per sector

Figure 1.4 Website target based on country

service providers. In order to be sustainable, web applications should protect the

Figure 1.5 The wave of hacks on 27th of February 2018

One of an important factor in a web application is compliance. Compliance

1.2 Problem Statement

Conduct action planning

Figure 1.6 Action research methodology diagram

Discover or identify the

Take control of the

Figure 1.7 Penetration testing diagram

2.1 Web Vulnerability

accesses, sensitive data disclosures or privacy violations, malicious code insertions,

Most vulnerability assessment tools implement at least some

Figure 2.1 Flowchart of SQL injection

Figure 2.2 Cross Site Scripting (XSS) process

as software- and hardware-based cryptographic tokens [26] or biometrics [27]. But

Figure 2.3 CSRF Scheme

2.1.4 Web Application Vulnerability Scanners

Acunetix Web Vulnerability Scanner [40] is another black-box tool which

NT OBJECTives’ NTOSpider [53] is a web application security scanner that

Indonesia’s ecommerce sales as a percentage of total annual retail sales amounted to

Figure 2.4 Homepage of Lazada.com.

various categories, from electro-mechanical products, home decor, health products to

Figure 2.5 Homepage of mataharimall.com.

Figure 2.6 Homepage of Blibli.com

Figure 2.7 Homepage of Zalora.com.

Figure 2.8 Homepage of JD.id

Figure 2.9 Homepage of tokopedia.com

Until March 2016, Elevenia has recorded an average of 20,000 transactions

Figure 2.10 Homepage of elevania.com

Figure 2.11 Homepage of shopee.com

transaction error. Therefore, the email is expected to be filled correctly, because it

Figure 2.12 Homepage of bukalapak.com

Figure 2.13 Homepage of qoo10.com

2.3 Related Work

very difficult to find research related to the security vulnurability on ecommerce

3.1 Penetration Testing

remain the same. An application, which is considered to be secure at a particular point

e. If end user policies are modified

Discover or identify the

Take control of the

Figure 3.1 Flowchart of penetration testing

d. Start exploitation of vulnerabilities using different techniques, for example

3.2 OWASP ZAP

Figure 3.2. OWASP ZAP layout.

3.2.2 ZAP Features

学校代码：研究生学号： 1201590108

姓名： Dona Pramana Pura