2023 International
2023 International
ConferenceConference
on Information
on Information
TechnologyTechnology
and Computing
Security Analysis on Websites belonging to the
Health Service Districts in Indonesia based on the
Open Web Application Security Project (OWASP)
Top 10 2021
Ayu Choiriyah
Cybersecurity Department
National Cyber and Crypto Agency
Jakarta, Indonesia
2023 International Conference on Information Technology and Computing (ICITCOM) | 979-8-3503-5963-3/23/$31.00 ©2023 IEEE | DOI: 10.1109/ICITCOM60176.2023.10442816
ayuchoiriyah25@gmail.com
Abstract—In August 2022, the Directorate of Cyber Security
Operations, National Cyber and Crypto Agency received the
most complaints about cybercrime. Of these complaints, there
were more than 100 hacking cases, which were dominated by
the local government sector. In the same year, there was a leak
of medical sample data belonging to the Central Government
of the Republic of Indonesia’s Ministry of Health. So, this
research aims to analyze the security of a website belonging to
the health service of one of the districts in Indonesia. There
were eleven vulnerabilities discovered and successfully
classified using the OWASP Top 10 2021. Of the eleven
vulnerabilities discovered, nine vulnerabilities were
successfully exploited by following the WSTG 4.2 guidelines.
By using the OWASP Risk Assessment Calculator, four
vulnerabilities have a medium severity level and five others
have a low severity level. Based on these findings,
recommendations for improving each vulnerability are given.
Keywords—security analysis, penetration testing, OWASP
Top 10 2021, OWASP WSTG v4.2, vulnerability assessment,
website
I. INTRODUCTION
In 2021, there were 5,940 cases of attacks on websites
in the form of web defacement, and in one year the most
cases occurred in March, reaching 727 cases [1]. When
receiving reports of web defacement cases in Indonesia, the
Cyber Security Operations Directorate conducted a security
gap analysis to find out what the defacer might have done.
The analysis was carried out by grouping based on sector
distribution consisting of academic, private, local
government, central government, legal, personal, school,
organization, military, and health. Then, the time of
occurrence is throughout 2021, and the web page affected is
generally the homepage [1]. From this analysis, the results
showed that the regional government was ranked third with
1,097 web defacement cases [1]. According to data released
by the Indonesia Security Incident Response Team on
Internet Infrastructure (ID SIRTII) in 2017, government
websites with the domain go.id were the most frequently
attacked by hackers. Incidents of attacks on government
websites reached 3,783 times or 24.43% [2]. In early 2022,
the alleged leak of data belonging to Indonesian health
patients occurred again. This data allegedly belongs to the
Ministry of Health of Indonesia and according to the Chair
of the CISSReC Cyber Security and Communication
Research Institute, if we look at the data sample provided of
Authorized licensed use limited to: Edinburgh Napier University. Downloaded on March 25,2024 at 10:43:49 UTC from IEEE Xplore. Restrictions apply.
979-8-3503-5963-3/23/$31.00 ©2023 IEEE
and Computing
(ICITCOM),(ICITCOM)
1-2 December 2023
Nurul Qomariasih
Cryptography Engineering
National Cyber and Crypto Polytechnic
Bogor, Indonesia
nurul.qomariasih@poltekssn.ac.id
3.26 GB with the file name "sample medic", then this leak
is valid and happened. Meanwhile, the hacker admitted that
the data came from the central server of the Indonesian
Ministry of Health and it was also reported that the data
was last taken on December 28, 2021 [3]. In August 2022,
the Directorate of Cyber Security Operations received the
most complaints about cybercrime, namely 5 complaints,
with details about 2 complaints about ransomware,
followed by 2 complaints about phishing and 1 complaint
about web defacement [4]. There were 148 hacking cases,
dominated by the local government sector. It is also known
that the highest hacking activity occurred on 5 and 9
August 2022, reaching 18 cases [4].
The Ministry of Health has branches in each region
called regional health offices. Each regional health service
has a website that contains information related to public
health, and several websites belonging to regional health
services are also still in the development stage because they
have only just been integrated with the go.id domain. Apart
from that, the website that will be used as research belongs
to an area with a zone-h domain, namely a website that was
hit by a web defacement attack in 2012. Based on several
existing facts, it is necessary to detect vulnerabilities and
understand what risks the website may face in the future.
This can be done with a security analysis to improve web
security and be an anticipatory step to identify early
potential risks before they occur. Security analysis includes
two main stages, namely the Vulnerability Assessment
(VA) stage and the Penetration Testing (PT) stage which is
carried out to design, improve, and manage the security of a
website [5]. Vulnerability assessment will be carried out by
scanning web vulnerabilities and then classifying them
based on the Open Web Application Security Project
(OWASP) Top 10 2021. Next, penetration testing will be
carried out to prove the results of the vulnerabilities found.
The results of this research are a list of vulnerabilities and
recommendations for improvement on the website of the
regional health service (XYZ.go.id). So, this research can
be a guideline for improving and making the regional health
department's website better.
II. LITERATURE REVIEW
A. Security Analysis
Security analysis on websites includes two main stages,
Vulnerability Assessment (VA) and Penetration Testing
267
 2023 International
2023 International
ConferenceConference
on Information
on Information
TechnologyTechnology
and Computing
and Computing
(ICITCOM),(ICITCOM)
1-2 December 2023

(PT) which are carried out to design, manage, and improve use of insecure default configurations or credentials, open
the security of a website [5]. Some tools that are usually clouds, improper configuration of HTTP headers, and error
used to carry out vulnerability assessments are Nmap and messages containing sensitive information.
OWASP ZAP [6]. Vulnerability assessment and penetration 6) A06:2021-Vulnerable and Outdated Components:
testing are done by referring to Patel [7]. This vulnerability can be exploited by attackers to retrieve
Some of the tools used in VA and PT are: sensitive data and even take over the server.
1) Whois: used to find out the domain ID, domain 7) A07:2021-Identification and Authentication
validity period, domain status, and number of servers [6] Failures: This vulnerability occurs when existing
2) Netcraft: Netcraft is used to view hosting history authentication and session management functionality is
records, network information, and web rackers related to implemented incorrectly.
this site and its technology [8] 8) A08:2021-Software and Data Integrity Failures:
3) Geo Data tool: used to determine the geographical This vulnerability is related to failure to ensure that the
location of a host software and data used in a system or application remain
4) Nmap: Nmap is used to find out which port services accurate, complete, reliable, and protected from threats or
are open damage.
5) OWASP ZAP: in the vulnerability scanning process, 9) A09:2021-Security Logging and Monitoring
the OWASP ZAP v 2.12.0 tool is used to help find Failures: If integration is not effective with incident
vulnerabilities automatically in web applications [6],[9] response, it can increase the risk of attacks that can occur
6) Nikto: Nikto is used to help scan for vulnerabilities because it will give attackers enough time to damage,
on the web server extract, or destroy data, and do things that have an impact
7) Burpsuite: is used for security testing of web on other serious.
applications by providing an overview of functionality and 10) A10:2021-Server-Side Request Forgery: This
content from related websites [9], [10] vulnerability occurs when a web application retrieves a
8) Sqlmap: is a tool that functions to identify and exploit remote resource without first validating the URL provided
SQL injection vulnerabilities in web applications by the user. This allows attackers to force applications to
9) Clickjacker.io: is a tool that allows users to test target send crafted requests to unexpected destinations, even when
websites to see if they are vulnerable to attacks clickjacking protected by a firewall, VPN, or other type of Access
[9] Control List (ACL).
10) Observatory Mozilla: This service does a series of
tests to evaluate several security aspects of a website,
C. Penetration Testing
including SSL/TLS configuration, HTTP security headers,
encryption content, and other security settings [11] Penetration testing can be interpreted as the process of
11) SSL Laboratory: this tool is used to check impersonating an attacker to look for security vulnerabilities
SSL/TLS certificates, protocols supported by servers, in a system or network [7]. Table I explains the comparative
encryption configurations, and several other security results of each penetration testing test method.
features on websites.
TABLE I. COMPARATIVE ANALYSIS OF PENETRATION TEST
B. Open Web Application Security Project (OWASP) METHODOLOGIES [13]
Top 10 2021
The OWASP Open Web Application Security Project
Integra-
Top 10 2021 is a standard that contains a list of Focus Ea tion of
vulnerabilities with a focus on identifying the most Last sy the
Metho- To
dangerous and most common web application security risks dology
revis
ols
to contect
in organizations [12]. The vulnerabilities according to the ed us of IS/IT
Mana e mana-
OWASP Top 10 2021 are explained as follows [12]: geme
High
Techn
level gement
1) A01:2021-Broken Access Control nt ical
This attack can be exploited by attackers to gain OSSTM
unauthorized access, including accessing and changing user 2010 No Yes No No No No
M
accounts, sensitive data, user data, and other things. ISSAF 2006
Parti-
Yes Yes Yes No Partially
ally
2) A02:2021-Cryptographic Failures: This
vulnerability occurs when web applications and APIs fail to PTES 2014 No Yes Yes Yes Yes No
protect sensitive data such as personal data, financial OWASP 2014 No Yes Yes Yes Yes No
information, health service data, and other crucial data. NIST SP
2008 No Yes No No Yes No
3) A03:2021-Injection: Injection attacks can occur on 800-115
databases, operating systems, or servers via protocols such
as LDAP. Based on these comparison results, PTES and OWASP
4) A04:2021-Insecure Design: One of the factors that are easy to use and the newest methods. For this reason,
can cause this attack to occur is the lack of a business risk penetration testing was carried out in this research using the
profile for the system being developed, which then becomes OWASP method. However, OWASP has released a newer
a failure to determine the level of security design required. method as a guide for penetration testing, namely OWASP
5) A05:2021-Security Misconfiguration: These WSTG v 4.2. so, the penetration testing stage is carried out
vulnerabilities are the most common, usually caused by the using the OWASP WSTG v 4.2 method [6], [9], [10].

Authorized licensed use limited to: Edinburgh Napier University. Downloaded on March 25,2024 at 10:43:49 UTC from IEEE Xplore. Restrictions apply.
268
 2023 International
2023 International
ConferenceConference
on Information
on Information
TechnologyTechnology
and Computing
and Computing
(ICITCOM),(ICITCOM)
1-2 December 2023

The stages in carrying out penetration testing on web

applications according to OWASP WSTG v 4.2 consist of
12 stages: [14]
1) Information gathering
2) Configuration and deployment management testing
3) Identity management testing
4) Authentication testing
5) Authorization testing
6) Session management testing Fig. 1. Website Architecture Reprocessed from [16]
7) Input validation testing
8) Testing for error handling Vulnerabilities can be exploited to steal data and also
9) Testing for weak cryptography spread malicious content [17].
10) Business logic testing
11) Client-side testing
PLANNING
12) API testing Determined that the website of one of the regional
health services in Indonesia (XYZ Regional Health
Department) would undergo a security analysis to
D. OWASP Risk Rating Methodology prevent hacking
OWASP Risk Rating Methodology is a methodology for VULNERABILITY
calculating the estimated level or extent of the risks found so ASSESSMENT
Information Gathering
that they can then be used as material for decision-making Using several tools: Whois, Netcraft, Geo Data Tool,
and action by the organization. Nmap
The OWASP Risk Rating Calculator will produce two
values for each threat, namely Likelihood Score and Impact
Score with a scale divided into three parts as in Table II Scanning
[15]. Vulnerability scanning of the XYZ regional health
service website using OWASP ZAP tools version
2.12.0 and Nikto v2.5.0 for automatic scanning
TABLE II. RISK LEVEL LIKELIHOOD AND IMPACT methods [7] [19].

Likelihood Impact Level Risk Severity

Vulnerability Mapping
0 to <3 0 to <3 Low Vulnerability classification using OWASP Top 10
2021
3 to <6 3 to <6 Medium

6 to 9 6 to 9 High
PENETRATION TESTING
validating correctness against previously discovered
To estimate the overall impact of existing risks and vulnerabilities [20] using OWASP WSTG v 4.2
guideline and risk assessment referring to the OWASP
threats, an assessment is used which can be seen in Table III Risk Rating Methodology
[15].
TABLE III. RISK LEVEL LIKELIHOOD AND IMPACT
REPORTING
Report document containing proof of vulnerability in
Likelihood the form of a confusion matrix and recommendations
for repairing vulnerabilities
Low Medium High

Low Note Low Medium

Impact Medium Low Medium
High Medium High
III. RESEARCH METHODOLOGY
The research model for carrying out this security analysis
follows research conducted by Patel [7] which was then
reprocessed according to the research conditions. Fig.2. is the
result of a modification of the security analysis stages
consisting of Patel's vulnerability assessment and penetration
testing [7] which is used in this research.
The designed system architecture is shown in Fig. 1. A
web vulnerability is a weakness or misconfiguration on a
website that allows an attacker to gain control of the target
system.
High Fig. 2. Research Design Reprocessed from Patel [7]
Critical
This website belonging to the XYZ regional health
service has several features, namely a profile containing the
history and organizational structure. News feature that
contains information and activities carried out. Then there is
a network feature that contains a list of Regional Unit
Hospitals/Hospitals and Community Health Center Regional
Technical Implementation Units. There is also a public
information feature that contains information regarding
health worker licensing, optical practice, physiotherapist
practice, and clinic permits. Apart from that, there is a
Covid-19 infographic feature which contains Covid-19 data,
and features that connect with the provincial Health Office
and the Ministry of Health of the Republic of Indonesia.
According to the zone-h site in 2012 there was web
defacement on the domain XYZ.go.id as shown in Fig. 3.

Authorized licensed use limited to: Edinburgh Napier University. Downloaded on March 25,2024 at 10:43:49 UTC from IEEE Xplore. Restrictions apply.
269
 2023 International
2023 International
ConferenceConference
on Information
on Information
TechnologyTechnology
and Computing
and Computing
(ICITCOM),(ICITCOM)
1-2 December 2023

Meanwhile, through the Nmap tool, information about

open ports is obtained, namely port 21 which is an FTP port,
port 53 which is a DNS port, port 80 which is an HTTP/web
server port, port 110 which is a POP3 port, port 143 which is
an IMAP port, and port 443 which is the HTTPS port.
Apart from that, the geo data tool provides host location
information as shown in Fig. 4.

Fig. 3. Attack Against XYZ.go.id Domain

IV. RESULT AND DISCUSSION

Based on information gathering activities on the regional
health service website XYZ.go.id using Whois based on URL Fig. 4. Host location
and IP address, and Netcraft; information was obtained from
A. Scanning and Mapping Vulnerabilities
the following parameters (Table IV):
Based on this scanning, eleven vulnerabilities were
TABLE IV. INFORMATION OBTAINED FROM WHOIS AND found from the OWASP ZAP tool and four vulnerabilities
NETCRAFT from the Nikto tool. From the classification results, there are
two vulnerabilities with code A01:2021 Broken Access
Whois Netcraft Control, two vulnerabilities with code A03:2021 Injection,
URL IP address six vulnerabilities with code A05:2021 Security
Domain ID IP Location Site Title Misconfiguration, and one vulnerability with code
Autonomous
A08:2021 Software and Data Integrity Failures. Table VI is
Domain Name Date First Seen the result of vulnerability classification based on the
System Number
Created On Resolve Host Netcraft Risk Rating OWASP Top 10 2021 (Table V).
Last Updated On Whois Server Site TABLE V. VULNERABILITY FINDING WITH OWASP ZAP AND
Expiration Date IP Address Domain NIKTO TOOLS

Status inetnum Server Name

Category Tools
Sponsoring Registrar No.
netname Network Owner
Organization OWASP Top 10 2021 OWASP ZAP Nikto
Sponsoring Registrar Absence of Anti-
descr Hosting Company -
Street A01:2021-Broken CSRF Tokens
1.
Sponsoring Registrar Access Control Cookie without
country IPv4 Address -
City SameSite Attribute
Sponsoring Registrar admin-c dan A02:2021-
Reverse DNS
Province tech-c. 2. Cryptographic - -
Sponsoring Registrar Failures
abuse-c SSL/TLS
Postal Code SQL Injection -
Sponsoring Registrar SQLite -
status SPF Record
Country 3. A03:2021-Injection SQL Injection-
Sponsoring Registrar Hypersonic SQL - -
mnt-by DMARC Record
Phone Time Based
Sponsoring Registrar A04:2021-Insecure
mnt-irt Server-Side 4. - -
Email Design
Server Name last-modified Client-Side Content Security
Policy (CSP) -
DNSSEC source Client-Side Scripting Header Not Set
Missing Anti- The anti-
Frameworks
clickjacking Header clickjacking X-
Blog Frame-Options
header is not
PHP Application A05:2021-Security
5. present
Misconfiguration
RSS Feed Secure Pages
Include Mixed -
Character Encoding Content
Strict-Transport- The Strict-
HTTP Compression
Security Header Not Transport-
Set Security header
Not Set is not

Authorized licensed use limited to: Edinburgh Napier University. Downloaded on March 25,2024 at 10:43:49 UTC from IEEE Xplore. Restrictions apply.
270
 2023 International
2023 International
ConferenceConference
on Information
on Information
TechnologyTechnology
and Computing
and Computing
(ICITCOM),(ICITCOM)
1-2 December 2023

Category
Category Tools Validation Severity
No. No. OWASP Vulnerability
OWASP Top 10 2021 OWASP ZAP Nikto status Level
Top
defined
10:2021
X-Content-Type- The X-Content- X-Content-Type- True-positive Low
Options Header Type-Options 9. A05:2021 Options
Missing header is not Header Missing
set
Server Leaks Server banner Cross-Domain True-positive Low
A08:2021
Version Information changed from 10. JavaScript
via "Server" HTTP "LiteSpeed" to
Source File Inclusion
Response Header "imunify360-
Field webshield/1.18" Server Leaks True-positive Low
A06:2021-Vulnerable Version
A05:2021 Information via
6. and Outdated - -
Components "Server"HTTP
A07:2021- 11. Response
Identification and Header
7. - -
Authentication Field
Failures
A08:2021-Software Cross-Domain
8. and Data Integrity JavaScript Source - Based on a risk assessment using the OWASP Risk
Failures File Inclusion Assessment Calculator on nine vulnerabilities that were
A09:2021-Security proven to be exploitable at the penetration testing stage, it
9. Logging and - -
Monitoring Failures
was found that four vulnerabilities had a medium severity
A10:2021-Server- level, and five vulnerabilities had a low severity level. This
10. - -
Side Request Forgery vulnerability level assessment aims to determine repair
priorities on the website belonging to the regional health
B. Penetration Testing service (XYZ.go.id) so that it can be repaired immediately.
The results obtained from the average likelihood factors C. Reporting
and impact factors are then matched as in Table VI Overall This stage contains recommendations for improvements
Risk Severity Level to obtain the final result in the form of based on the OWASP ZAP scanning report and the IT
the severity level of each vulnerability. Security Assessment Vulnerability Dictionary [18].
The following recommendations are listed in Table VII:
TABLE VI. VULNERABILITY FINDINGS VALIDATION RESULTS
TABLE VII. IMPROVEMENT RECOMMENDATIONS
Category
No. OWASP Vulnerability Validation Severity
status Level No. Vulnerability Recommendations
Top Implement Anti-CSRF Tokens by ensuring
10:2021 their use for every action that changes data or
has an impact on applications. Each user must
A03:2021 SQL Injection - SQLite False- - also have a unique, dynamically generated
1.
positive CSRF token for each session.
Store CSRF [1] tokens in the session server to
A03:2021 SQL Injection - False- -
prevent Cross-Site Scripting (XSS) attacks
2. Hypersonic positive that can retrieve CSRF tokens from cookies.
SQL - Time Based Absence of Validate CSRF tokens on requests where
1. Anti-CSRF every time a user sends a request that can
A01:2021 Absence of Anti-CSRF True-positive Medium Tokens change data, the server must verify the CSRF
3. Tokens token sent by the user with the CSRF token on
the server session.
A05:2021 Content Security Policy True-positive Medium Set the SameSite attribute on application
4. cookies to "Strict" or "Lax" to help protect
(CSP) Header Not Set
against CSRF attacks by limiting cookie
access to only requests originating from the
A05:2021 Missing Anti-clicjacking True-positive Medium same site. For example, by using the PHP
5. Header programming language
Set a CSP Header on the web server stating a
Content
Cookie without True-positive Medium clear security policy about what resources are
A01:2021 Security
and are not allowed to be loaded on the page.
6. SameSite 2. Policy (CSP)
Use CSP Report-Only Mode to report
Attribute Header Not
potential policy violations without
Set
Secure Pages Include True-positive Low implementing countermeasures.
A05:2021 Implement HTTP Content-Security-Policy and
7. Mixed Missing Anti-
X-Frame-Options headers.
3. clicjacking
Content Set the X-Frame-Options header with the
Header
value "SAMEORIGIN" or "DENY".
Strict-Transport- True-positive Low
A05:2021
8. Security
Header Not Set

Authorized licensed use limited to: Edinburgh Napier University. Downloaded on March 25,2024 at 10:43:49 UTC from IEEE Xplore. Restrictions apply.
271
 2023 International
2023 International
ConferenceConference
on Information
on Information
TechnologyTechnology
and Computing
and Computing
(ICITCOM),(ICITCOM)
1-2 December 2023

No. Vulnerability Recommendations REFERENCES

Set the SameSite attribute on the cookie
according to the website's requirements. The
SameSite attribute can be set as "Strict" (the
cookie will only be sent if the request comes
from the same website) or "Lax" (the cookie
will be sent if the request comes from a link
Cookie
within the same website or if the request is
without
4. "top-level" by user).
SameSite
Ensure input received from users or external
Attribute
sources is properly validated to prevent XSS
attacks.
Implement CSP to control the resources
allowed on web pages and help protect against
XSS attacks and the use of cookies from
unauthorized sites.
Ensure that pages should not contain any
content transmitted over unencrypted HTTP.
Secure Pages Pages must not contain any content sent via
Include unencrypted HTTP including from third-party
5.
Mixed sites.
Content Implement appropriate Content-Security-
Policy (CSP) Headers to control the resources
allowed on the page.
Strict- Configure the webserver to send HSTS
Transport- headers in HTTP responses and include a
6. Security security policy that instructs the browser to
Header Not always use HTTPS for a specified period.
Set Thoroughly test HSTS header settings.
Set the "X-Content-Type-Options" header in
the HTTP response with the value "nosniff"
X-Content- for all web pages.
Type-Options Use automation tools to regularly check and
7.
Header verify X-Content-Type-Options header
Missing settings. This tool can help identify
configuration errors or deficiencies in header
settings across websites.
Cross- Make sure to only load JavaScript scripts from
Domain truly trusted and verified sources.
8. JavaScript Use appropriate Content-Security-Policy
Source File (CSP) Headers to control the origins of
Inclusion permitted resources within the website.
Ensure that the web server is configured in a
Server Leaks way that does not reveal information about the
Version software version or technology used through
Information the "Server" header or other HTTP response
9. via "Server" headers.
HTTP Use Web Application Firewall (WAF)
Response Security to identify and block exploit attempts
Header Field aimed at exploiting vulnerabilities in specific
software versions.
V. CONCLUSION
The conclusion of this research is:
1) This research was able to find eleven vulnerabilities
on websites belonging to the regional health service in one of
the districts in Indonesia. Of the eleven vulnerabilities, nine
were successfully exploited. Four vulnerabilities are listed as
medium severity and five as low. This research also provide
recommendations to fix vulnerabilities that have proven to be
true positives.
2) For further research, researchers can carry out
security analysis using other methods or on website stagging
and use other vulnerability scanning tools to increase the
number of vulnerabilities found for analysis.
[1] Direktorat Operasi Keamanan Siber, Laporan Tahunan
Monitoring Keamanan Siber 2021. Jakarta Selatan, 2021.
[2] Tim Litbang MPI, “3 Website Indonesia yang Jadi Incaran
Hacker, Nomor 1 Milik Negara.” Accessed: Oct. 17, 2022.
[Online]. Available:
https://nasional.okezone.com/read/2022/07/31/337/2639610/3-
website- indonesia-yang-jadi-incaran-hacker-nomor-1-milik-
negara
[3] I. Dewi, “Dugaan Kebocoran Data Pasien Milik Kemenkes, Ini
Kata Pakar Keamanan Siber.” Accessed: Oct. 17, 2022. [Online].
Available:
https://techno.okezone.com/read/2022/01/07/54/2528693/dugaan-
kebocoran-data-pasien-milik-kemenkes-ini-kata-pakar-
keamanan-siber
[4] Direktorat Operasi Keamanan Siber, “Laporan Bulanan Publik
Hasil Monitoring Keamanan Siber,” www.idsirtii.or.id.
[5] R. A. G. G. dan A. H. S. R. B. P. Zen, “Analisis Security
Assessment Menggunakan Metode Penetration Testing dalam
Menjaga Kapabilitas Keamanan Teknologi Informasi Pertahanan
Negara,” Jurnal Teknologi Penginderaan, vol. 2, no. 1, 2020.
[6] M. S. S. Wardaya, “Skripsi Penetration Testing Terhadap
Website Asosiasi Pekerja Professional Informasi Sekolah
Indonesia (APISI),” 2019.
[7] K. Patel, “A Survey on Vulnerability Assessment & Penetration
Testing for Secure Communication,” in Proceedings of the Third
International Conference on Trends in Electronics and
Informatics (ICOEI), 2019, pp. 23–25.
[8] R. S. Devi dan M. M. Kumar, “Testing for Security Weakness of
Web Applications using Ethical Hacking,” in Proceedings of the
4th International Conference on Trends in Electronics and
Informatics (ICOEI), 2020, pp. 15–17.
[9] D. S. Irawan, “Pengujian Keamanan Sistem Informasi Berbasis
Web Berdasarkan Dokumen OWASP WSTG v4.2 (Studi Kasus:
Sistem Informatics Expo Universitas Islam Indonesia),” 2022.
[10] H. B. S. dan W. W. A. I. Rafeli, “Pengujian Celah Keamanan
Menggunakan Metode OWASP Web Security Testing Guide
(WSTG) pada Website XYZ,” Jurnal Informatik, vol. 18, no. 2,
2022.
[11] P. Felt, “Measuring HTTPS Adoption on the Web,” in
Proceedings of the 26th USENIX Security Symposium, 2017, pp.
1323–1338.
[12] OWASP Foundation, The OWASP Top 10. 2022.
[13] T. Klíma, “PETA: Methodology of Information Systems Security
Penetration Testing,” Acta Informatica Pragensia, vol. 5, no. 2,
pp. 98–117, Dec. 2016, doi: 10.18267/j.aip.88.
[14] E. Saad dan R. Mitchell, Web Security Testing Guide. owasp.org,
2022.
[15] OWASP Foundation, “OWASP Risk Rating Methodology.”
Accessed: Dec. 10, 2022. [Online]. Available:
https://owasp.org/www-
community/OWASP_Risk_Rating_Methodology
[16] V. Appiah, M. Asante, I. K. Nti, and O. Nyarko-Boateng,
“Survey of Websites and Web Application Security Threats
Using Vulnerability Assessment,” Journal of Computer Science,
vol. 15, no. 10, pp. 1341–1354, Oct. 2019, doi:
10.3844/jcssp.2019.1341.1354.
[17] G. Krasniqi dan V. Bejtullahu, “Vulnerability Assessment &
Penetration Testing: Case study on web application security,”
UBT International Conference.
[18] Kelompok Fungsi Identifikasi dan Proteksi, “Kamus Kerentanan
IT Security Assessment,” 2021.
[19] L. Zachariah dan S. Roy, “A Comparison Study of Penetration
Testing Tools in Linux,” Int J Sci Eng Res, vol. 10, no. 4, 2019.
[20] S. Nagpure and S. Kurkure, “Vulnerability Assessment and
Penetration Testing of Web Application,” in 2017 International
Conference on Computing, Communication, Control and
Automation (ICCUBEA), IEEE, Aug. 2017, pp. 1–6. doi:
10.1109/ICCUBEA.2017.8463920.

Authorized licensed use limited to: Edinburgh Napier University. Downloaded on March 25,2024 at 10:43:49 UTC from IEEE Xplore. Restrictions apply.
272