Security Analysis of the Final Project Information System (SITASI) Website using Penetration Testing Method
The Final Project Information System (SITASI) website plays a critical role in supporting academic administrative processes at the Faculty of Science and Technology, UIN Sultan Syarif Kasim Riau. This study aims to evaluate the website’s security level following recent maintenance using penetration...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | Indonesian |
| Published: |
Islamic University of Indragiri
2025-09-01
|
| Series: | Sistemasi: Jurnal Sistem Informasi |
| Subjects: | |
| Online Access: | https://sistemasi.ftik.unisi.ac.id/index.php/stmsi/article/view/5406 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1849247296311525376 |
|---|---|
| author | Rengga Renaldi Mona Fronita Tengku Khairil Ahsyar Muhammad Jazman |
| author_facet | Rengga Renaldi Mona Fronita Tengku Khairil Ahsyar Muhammad Jazman |
| author_sort | Rengga Renaldi |
| collection | DOAJ |
| description | The Final Project Information System (SITASI) website plays a critical role in supporting academic administrative processes at the Faculty of Science and Technology, UIN Sultan Syarif Kasim Riau. This study aims to evaluate the website’s security level following recent maintenance using penetration testing, conducted with the OWASP Zed Attack Proxy (ZAP) tool. The testing revealed eight vulnerabilities, including two classified as medium risk, four as low risk, and two informational. The medium-risk issues involved the absence of an Anti-CSRF token and the lack of a Content Security Policy (CSP), both of which could expose the system to attacks such as CSRF and XSS. The low-risk findings included loading JavaScript from third-party domains, information disclosure via X-Powered-By and Server headers, and the absence of HTTP Strict Transport Security (HSTS). The two informational findings involved suspicious comments in the code and improper Cache-Control settings. Remediation actions were implemented based on OWASP security best practices, including the integration of CSRF tokens, configuration of CSP and HSTS headers, and removal of sensitive information from server responses. A follow-up evaluation confirmed that all identified risks had been successfully mitigated. This study highlights that penetration testing combined with standard-based mitigation is effective in enhancing web application security resilience, particularly within academic environments. |
| format | Article |
| id | doaj-art-707ce89639ec42c6aa1d23bea384d288 |
| institution | Kabale University |
| issn | 2302-8149 2540-9719 |
| language | Indonesian |
| publishDate | 2025-09-01 |
| publisher | Islamic University of Indragiri |
| record_format | Article |
| series | Sistemasi: Jurnal Sistem Informasi |
| spelling | doaj-art-707ce89639ec42c6aa1d23bea384d2882025-08-20T03:58:15ZindIslamic University of IndragiriSistemasi: Jurnal Sistem Informasi2302-81492540-97192025-09-011452258226510.32520/stmsi.v14i5.54061182Security Analysis of the Final Project Information System (SITASI) Website using Penetration Testing MethodRengga Renaldi0Mona FronitaTengku Khairil AhsyarMuhammad JazmanUIN SUSKA RIAUThe Final Project Information System (SITASI) website plays a critical role in supporting academic administrative processes at the Faculty of Science and Technology, UIN Sultan Syarif Kasim Riau. This study aims to evaluate the website’s security level following recent maintenance using penetration testing, conducted with the OWASP Zed Attack Proxy (ZAP) tool. The testing revealed eight vulnerabilities, including two classified as medium risk, four as low risk, and two informational. The medium-risk issues involved the absence of an Anti-CSRF token and the lack of a Content Security Policy (CSP), both of which could expose the system to attacks such as CSRF and XSS. The low-risk findings included loading JavaScript from third-party domains, information disclosure via X-Powered-By and Server headers, and the absence of HTTP Strict Transport Security (HSTS). The two informational findings involved suspicious comments in the code and improper Cache-Control settings. Remediation actions were implemented based on OWASP security best practices, including the integration of CSRF tokens, configuration of CSP and HSTS headers, and removal of sensitive information from server responses. A follow-up evaluation confirmed that all identified risks had been successfully mitigated. This study highlights that penetration testing combined with standard-based mitigation is effective in enhancing web application security resilience, particularly within academic environments.https://sistemasi.ftik.unisi.ac.id/index.php/stmsi/article/view/5406penetration testingowasp zapwebsite security |
| spellingShingle | Rengga Renaldi Mona Fronita Tengku Khairil Ahsyar Muhammad Jazman Security Analysis of the Final Project Information System (SITASI) Website using Penetration Testing Method Sistemasi: Jurnal Sistem Informasi penetration testing owasp zap website security |
| title | Security Analysis of the Final Project Information System (SITASI) Website using Penetration Testing Method |
| title_full | Security Analysis of the Final Project Information System (SITASI) Website using Penetration Testing Method |
| title_fullStr | Security Analysis of the Final Project Information System (SITASI) Website using Penetration Testing Method |
| title_full_unstemmed | Security Analysis of the Final Project Information System (SITASI) Website using Penetration Testing Method |
| title_short | Security Analysis of the Final Project Information System (SITASI) Website using Penetration Testing Method |
| title_sort | security analysis of the final project information system sitasi website using penetration testing method |
| topic | penetration testing owasp zap website security |
| url | https://sistemasi.ftik.unisi.ac.id/index.php/stmsi/article/view/5406 |
| work_keys_str_mv | AT renggarenaldi securityanalysisofthefinalprojectinformationsystemsitasiwebsiteusingpenetrationtestingmethod AT monafronita securityanalysisofthefinalprojectinformationsystemsitasiwebsiteusingpenetrationtestingmethod AT tengkukhairilahsyar securityanalysisofthefinalprojectinformationsystemsitasiwebsiteusingpenetrationtestingmethod AT muhammadjazman securityanalysisofthefinalprojectinformationsystemsitasiwebsiteusingpenetrationtestingmethod |