WEBSITE VULNERABILITY TESTING USING THE PENETRATION TESTING METHOD REFERRING TO NIST SP 800-115 (CASE STUDY: Astonprinter.com Domain)
Abstract
Information security is a very important aspect of maintaining the confidentiality, integrity and availability of data on a system, especially on websites, which are exposed to a wide range of cyber threats. This research tests website vulnerabilities using the penetration testing method with reference to the NIST SP 800-115 standard. The case study used in this research is the astonprinter.com website. The penetration testing method applied follows the NIST SP 800-115 guidelines, which comprise the Planning, Discovery, Attacking and Reporting stages. The results show that the astonprinter.com website has 20 exploitable vulnerabilities: 2 at the high threat level, namely DNS Server Spoofed Request Amplification DDoS and Path Traversal; 7 at the medium threat level, including DNS Server Cache Snooping Remote Information Disclosure and Vulnerable JS Library; and 11 at the low threat level, including ICMP Timestamp Request Remote Date Disclosure, SSH Server CBC Mode Ciphers Enabled, Cookie No HttpOnly Flag and Cookie without SameSite Attribute. These findings can give website managers valuable insight for strengthening their security controls and reducing the risk of future cyber attacks.
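Two of the low-level findings the abstract lists, Cookie No HttpOnly Flag and Cookie without SameSite Attribute, can be verified directly from a server's Set-Cookie response headers. The Python audit below is an added example, not code from the paper or from the astonprinter.com site; the Set-Cookie values in it are constructed samples, and the Secure-flag check goes one step beyond the two findings named.

```python
# Added example, not code from the paper: audit Set-Cookie headers for the two
# cookie findings the abstract reports (no HttpOnly flag, no SameSite attribute)
# and the related Secure flag. Sample headers below are constructed, not captured
# from astonprinter.com.

def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and a lowercased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header: str) -> list[str]:
    """Return the weaknesses found in one Set-Cookie header (empty list if hardened)."""
    _, attrs = parse_set_cookie(header)
    issues = []
    if "httponly" not in attrs:
        issues.append("no HttpOnly flag")        # cookie readable from script (XSS impact)
    if "samesite" not in attrs:
        issues.append("no SameSite attribute")   # relies on browser default only
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        issues.append("SameSite=None without Secure")  # browsers reject this combination
    if "secure" not in attrs:
        issues.append("no Secure flag")          # cookie also sent over plain HTTP
    return issues


def audit_headers(headers: list[str]) -> dict[str, list[str]]:
    """Audit several Set-Cookie headers, keyed by cookie name; clean cookies are omitted."""
    report: dict[str, list[str]] = {}
    for header in headers:
        name, _ = parse_set_cookie(header)
        issues = audit_cookie(header)
        if issues:
            report[name] = issues
    return report


# Constructed sample: a weak session cookie beside its hardened form.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    "session=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, issues in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(issues)}")
```

Feed it the Set-Cookie headers from a real response (for example from a browser's developer tools) to reproduce the two cookie findings for any site you administer.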
Copyright (c) 2024 Ari Agustinus, Irwan Sembiring

This work is licensed under a Creative Commons Attribution 4.0 International License.