Uncovering the Risk of Academic Information System Vulnerability through PTES and OWASP Method

DOI:

https://doi.org/10.21512/commit.v18i1.9384

Keywords:

Academic Information System Vulnerability, Penetration Testing Execution Standard (PTES), Open Web Application Security Project (OWASP)

Abstract

The security of academic information systems needs attention to anticipate threats that result in data leakage, misuse of information, unauthorized modification, and data destruction. Thirty-six public and private universities use the academic information system developed by Company XYZ. Limited resources at universities contribute to weak handling of vulnerabilities in these systems. The research aims to determine the vulnerability level of the academic information system developed by Company XYZ through penetration testing. It employs a deductive approach, exploring the system's vulnerabilities based on incidents related to system security at one university. The research combines two methods, the Penetration Testing Execution Standard (PTES) and the Open Web Application Security Project (OWASP) Top 10, chosen for their reliability, ease of use, and support by penetration testing tools. Testing follows the seven PTES phases: pre-engagement interaction, intelligence gathering (information collection), threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. The threat focus aligns with the OWASP Top 10 2021, which ranks the ten most critical web application security risks. The results reveal eight security issues, rated with the Common Vulnerability Scoring System (CVSS): two high-severity, five medium-severity, and one low-severity vulnerability. The three principal vulnerabilities are Structured Query Language (SQL) injection, broken access control, and weak encryption. Universities can improve data integrity by independently remediating the vulnerabilities discovered in the research, and they are encouraged to raise awareness of academic data security within the academic community.

Author Biographies

Ferzha Putra Utama, University of Bengkulu

Information System Department, Faculty of Engineering

Raden Muhammad Hilmi Nurhadi, University of Bengkulu

Informatics Department, Faculty of Engineering

Published

2024-04-05