PENETRATION TESTING OF A COMPUTERIZED PSYCHOLOGICAL ASSESSMENT WEBSITE USING SEVEN ATTACK VECTORS FOR CORPORATION WEBSITE SECURITY

  • Rizky Rachman J Department of Computer Science Education, Faculty of Mathematics and Natural Sciences Education, Universitas Pendidikan Indonesia, Indonesia
  • Jonathan Suara Patty Department of Computer Science Education, Faculty of Mathematics and Natural Sciences Education, Universitas Pendidikan Indonesia, Indonesia
Keywords: Attack Vectors, Cyber Threats, Penetration Testing, Simulated Attacks, Vulnerabilities

Abstract

Websites, being dynamic platforms, undergo regular updates and continuous usage. Consequently, the methods employed in website attacks evolve in tandem with the increased security measures implemented in website systems, aiming to exploit both the website itself and its users. Website systems and features must remain prepared for potential future attacks at all times. To ensure this, penetration testing needs to be done consistently to keep up with security standards. This research aims to demonstrate the various vulnerabilities that can be found through penetration testing in order to create recommendations on what to improve within a website. This research involves black-box penetration testing of a computerized psychological testing website developed by PT Dwi Purwa Teknologi, hereinafter referred to as the client. The penetration testing simulated attacks by a foreign entity unfamiliar with the website's structure. The assessment focused on seven attack vectors: SQL injection, RCE, URL manipulation, CSRF, SSRF, XSS, and Broken Authentication and Session. Vulnerabilities resulted from poorly sanitized input forms, leading to SQL injection and RCE risks. Inadequate input validation enabled cross-site scripting attacks, while missing CSRF tokens exposed the website to CSRF threats. The research underscores the importance of penetration testing to identify and address security weaknesses, empowering the client to fortify their website against potential cyber threats.

Published
2024-06-04
How to Cite
[1]
R. R. J and J. S. Patty, “PENETRATION TESTING OF A COMPUTERIZED PSYCHOLOGICAL ASSESSMENT WEBSITE USING SEVEN ATTACK VECTORS FOR CORPORATION WEBSITE SECURITY”, J. Tek. Inform. (JUTIF), vol. 5, no. 3, pp. 831-842, Jun. 2024.