Security Analysis On Websites Belonging To The Health Service Districts in Indonesia Based On The Open Web Application Security Project OWASP Top 10 2021


2023 International Conference on Information Technology and Computing (ICITCOM), 1-2 December 2023

Security Analysis on Websites belonging to the Health Service Districts in Indonesia based on the Open Web Application Security Project (OWASP) Top 10 2021

Ayu Choiriyah, Cybersecurity Department, National Cyber and Crypto Agency, Jakarta, Indonesia, [email protected]
Nurul Qomariasih, Cryptography Engineering, National Cyber and Crypto Polytechnic, Bogor, Indonesia, [email protected]

2023 International Conference on Information Technology and Computing (ICITCOM) | 979-8-3503-5963-3/23/$31.00 ©2023 IEEE | DOI: 10.1109/ICITCOM60176.2023.10442816

Abstract—In August 2022, the Directorate of Cyber Security Operations, National Cyber and Crypto Agency received the most complaints about cybercrime. Of these complaints, there were more than 100 hacking cases, which were dominated by the local government sector. In the same year, there was a leak of medical sample data belonging to the Central Government of the Republic of Indonesia's Ministry of Health. So, this research aims to analyze the security of a website belonging to the health service of one of the districts in Indonesia. There were eleven vulnerabilities discovered and successfully classified using the OWASP Top 10 2021. Of the eleven vulnerabilities discovered, nine vulnerabilities were successfully exploited by following the WSTG 4.2 guidelines. By using the OWASP Risk Assessment Calculator, four vulnerabilities have a medium severity level and five others have a low severity level. Based on these findings, recommendations for improving each vulnerability are given.

Keywords—security analysis, penetration testing, OWASP Top 10 2021, OWASP WSTG v4.2, vulnerability assessment, website

I. INTRODUCTION

In 2021, there were 5,940 cases of attacks on websites in the form of web defacement, and in one year the most cases occurred in March, reaching 727 cases [1]. When receiving reports of web defacement cases in Indonesia, the Cyber Security Operations Directorate conducted a security gap analysis to find out what the defacer might have done. The analysis was carried out by grouping based on sector distribution consisting of academic, private, local government, central government, legal, personal, school, organization, military, and health. Then, the time of occurrence is throughout 2021, and the web page affected is generally the homepage [1]. From this analysis, the results showed that the regional government was ranked third with 1,097 web defacement cases [1]. According to data released by the Indonesia Security Incident Response Team on Internet Infrastructure (ID SIRTII) in 2017, government websites with the domain go.id were the most frequently attacked by hackers. Incidents of attacks on government websites reached 3,783 times or 24.43% [2]. In early 2022, the alleged leak of data belonging to Indonesian health patients occurred again. This data allegedly belongs to the Ministry of Health of Indonesia and, according to the Chair of the CISSReC Cyber Security and Communication Research Institute, if we look at the data sample provided of 3.26 GB with the file name "sample medic", then this leak is valid and happened. Meanwhile, the hacker admitted that the data came from the central server of the Indonesian Ministry of Health and it was also reported that the data was last taken on December 28, 2021 [3]. In August 2022, the Directorate of Cyber Security Operations received the most complaints about cybercrime, namely 5 complaints, with details of 2 complaints about ransomware, followed by 2 complaints about phishing and 1 complaint about web defacement [4]. There were 148 hacking cases, dominated by the local government sector. It is also known that the highest hacking activity occurred on 5 and 9 August 2022, reaching 18 cases [4].

The Ministry of Health has branches in each region called regional health offices. Each regional health service has a website that contains information related to public health, and several websites belonging to regional health services are also still in the development stage because they have only just been integrated with the go.id domain. Apart from that, the website that will be used as research belongs to an area with a zone-h domain, namely a website that was hit by a web defacement attack in 2012. Based on several existing facts, it is necessary to detect vulnerabilities and understand what risks the website may face in the future. This can be done with a security analysis to improve web security and be an anticipatory step to identify early potential risks before they occur. Security analysis includes two main stages, namely the Vulnerability Assessment (VA) stage and the Penetration Testing (PT) stage, which are carried out to design, improve, and manage the security of a website [5]. Vulnerability assessment will be carried out by scanning web vulnerabilities and then classifying them based on the Open Web Application Security Project (OWASP) Top 10 2021. Next, penetration testing will be carried out to prove the results of the vulnerabilities found. The results of this research are a list of vulnerabilities and recommendations for improvement on the website of the regional health service (XYZ.go.id). So, this research can be a guideline for improving and making the regional health department's website better.

II. LITERATURE REVIEW

A. Security Analysis

Security analysis on websites includes two main stages, Vulnerability Assessment (VA) and Penetration Testing


(PT), which are carried out to design, manage, and improve the security of a website [5]. Some tools that are usually used to carry out vulnerability assessments are Nmap and OWASP ZAP [6]. Vulnerability assessment and penetration testing are done by referring to Patel [7].

Some of the tools used in VA and PT are:
1) Whois: used to find out the domain ID, domain validity period, domain status, and number of servers [6]
2) Netcraft: Netcraft is used to view hosting history records, network information, and web trackers related to this site and its technology [8]
3) Geo Data tool: used to determine the geographical location of a host
4) Nmap: Nmap is used to find out which port services are open
5) OWASP ZAP: in the vulnerability scanning process, the OWASP ZAP v 2.12.0 tool is used to help find vulnerabilities automatically in web applications [6], [9]
6) Nikto: Nikto is used to help scan for vulnerabilities on the web server
7) Burpsuite: is used for security testing of web applications by providing an overview of functionality and content from related websites [9], [10]
8) Sqlmap: is a tool that functions to identify and exploit SQL injection vulnerabilities in web applications
9) Clickjacker.io: is a tool that allows users to test target websites to see if they are vulnerable to clickjacking attacks [9]
10) Observatory Mozilla: this service does a series of tests to evaluate several security aspects of a website, including SSL/TLS configuration, HTTP security headers, encryption content, and other security settings [11]
11) SSL Laboratory: this tool is used to check SSL/TLS certificates, protocols supported by servers, encryption configurations, and several other security features on websites.

B. Open Web Application Security Project (OWASP) Top 10 2021

The OWASP Open Web Application Security Project Top 10 2021 is a standard that contains a list of vulnerabilities with a focus on identifying the most dangerous and most common web application security risks in organizations [12]. The vulnerabilities according to the OWASP Top 10 2021 are explained as follows [12]:
1) A01:2021-Broken Access Control: This attack can be exploited by attackers to gain unauthorized access, including accessing and changing user accounts, sensitive data, user data, and other things.
2) A02:2021-Cryptographic Failures: This vulnerability occurs when web applications and APIs fail to protect sensitive data such as personal data, financial information, health service data, and other crucial data.
3) A03:2021-Injection: Injection attacks can occur on databases, operating systems, or servers via protocols such as LDAP.
4) A04:2021-Insecure Design: One of the factors that can cause this attack to occur is the lack of a business risk profile for the system being developed, which then becomes a failure to determine the level of security design required.
5) A05:2021-Security Misconfiguration: These vulnerabilities are the most common, usually caused by the use of insecure default configurations or credentials, open clouds, improper configuration of HTTP headers, and error messages containing sensitive information.
6) A06:2021-Vulnerable and Outdated Components: This vulnerability can be exploited by attackers to retrieve sensitive data and even take over the server.
7) A07:2021-Identification and Authentication Failures: This vulnerability occurs when existing authentication and session management functionality is implemented incorrectly.
8) A08:2021-Software and Data Integrity Failures: This vulnerability is related to failure to ensure that the software and data used in a system or application remain accurate, complete, reliable, and protected from threats or damage.
9) A09:2021-Security Logging and Monitoring Failures: If logging and monitoring are not integrated effectively with incident response, the risk of attacks increases, because attackers are given enough time to damage, extract, or destroy data and to do other things with serious impact.
10) A10:2021-Server-Side Request Forgery: This vulnerability occurs when a web application retrieves a remote resource without first validating the URL provided by the user. This allows attackers to force applications to send crafted requests to unexpected destinations, even when protected by a firewall, VPN, or other type of Access Control List (ACL).

C. Penetration Testing

Penetration testing can be interpreted as the process of impersonating an attacker to look for security vulnerabilities in a system or network [7]. Table I explains the comparative results of each penetration testing method.

TABLE I. COMPARATIVE ANALYSIS OF PENETRATION TEST METHODOLOGIES [13]

Methodology     | Last revised | Focus: High level | Focus: Technical | Easy to use | Tools | Management | Integration of the context of IS/IT management
OSSTMM          | 2010         | No                | Yes              | No          | No    | No         | No
ISSAF           | 2006         | Partially         | Yes              | Yes         | Yes   | No         | Partially
PTES            | 2014         | No                | Yes              | Yes         | Yes   | Yes        | No
OWASP           | 2014         | No                | Yes              | Yes         | Yes   | Yes        | No
NIST SP 800-115 | 2008         | No                | Yes              | No          | No    | Yes        | No

Based on these comparison results, PTES and OWASP are easy to use and the newest methods. For this reason, penetration testing was carried out in this research using the OWASP method. However, OWASP has released a newer method as a guide for penetration testing, namely OWASP WSTG v 4.2. So, the penetration testing stage is carried out using the OWASP WSTG v 4.2 method [6], [9], [10].


The stages in carrying out penetration testing on web applications according to OWASP WSTG v 4.2 consist of 12 stages [14]:
1) Information gathering
2) Configuration and deployment management testing
3) Identity management testing
4) Authentication testing
5) Authorization testing
6) Session management testing
7) Input validation testing
8) Testing for error handling
9) Testing for weak cryptography
10) Business logic testing
11) Client-side testing
12) API testing

D. OWASP Risk Rating Methodology

OWASP Risk Rating Methodology is a methodology for calculating the estimated level or extent of the risks found so that they can then be used as material for decision-making and action by the organization.

The OWASP Risk Rating Calculator will produce two values for each threat, namely Likelihood Score and Impact Score, with a scale divided into three parts as in Table II [15].

TABLE II. RISK LEVEL LIKELIHOOD AND IMPACT

Likelihood | Impact  | Level Risk Severity
0 to <3    | 0 to <3 | Low
3 to <6    | 3 to <6 | Medium
6 to 9     | 6 to 9  | High

To estimate the overall impact of existing risks and threats, an assessment is used which can be seen in Table III [15].

TABLE III. RISK LEVEL LIKELIHOOD AND IMPACT

                  Likelihood
Impact   | Low    | Medium | High
Low      | Note   | Low    | Medium
Medium   | Low    | Medium | High
High     | Medium | High   | Critical

III. RESEARCH METHODOLOGY

The research model for carrying out this security analysis follows research conducted by Patel [7], which was then reprocessed according to the research conditions. Fig. 2 is the result of a modification of the security analysis stages consisting of Patel's vulnerability assessment and penetration testing [7] which is used in this research.

The designed system architecture is shown in Fig. 1. A web vulnerability is a weakness or misconfiguration on a website that allows an attacker to gain control of the target system. According to the zone-h site, in 2012 there was web defacement on the domain XYZ.go.id, as shown in Fig. 3.

Fig. 1. Website Architecture Reprocessed from [16]

Vulnerabilities can be exploited to steal data and also spread malicious content [17].

Fig. 2. Research Design Reprocessed from Patel [7]. The stages shown in the figure:
PLANNING: It was determined that the website of one of the regional health services in Indonesia (XYZ Regional Health Department) would undergo a security analysis to prevent hacking.
VULNERABILITY ASSESSMENT:
  Information Gathering: using several tools: Whois, Netcraft, Geo Data Tool, Nmap.
  Scanning: vulnerability scanning of the XYZ regional health service website using OWASP ZAP tools version 2.12.0 and Nikto v2.5.0 for automatic scanning methods [7], [19].
  Vulnerability Mapping: vulnerability classification using OWASP Top 10 2021.
PENETRATION TESTING: validating correctness against previously discovered vulnerabilities [20] using the OWASP WSTG v 4.2 guideline, and risk assessment referring to the OWASP Risk Rating Methodology.
REPORTING: report document containing proof of vulnerability in the form of a confusion matrix and recommendations for repairing vulnerabilities.

This website belonging to the XYZ regional health service has several features, namely a profile containing the history and organizational structure. A news feature contains information and activities carried out. Then there is a network feature that contains a list of Regional Unit Hospitals/Hospitals and Community Health Center Regional Technical Implementation Units. There is also a public information feature that contains information regarding health worker licensing, optical practice, physiotherapist practice, and clinic permits. Apart from that, there is a Covid-19 infographic feature which contains Covid-19 data, and features that connect with the provincial Health Office and the Ministry of Health of the Republic of Indonesia.
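Tables II and III define the severity computation, but the paper reports only the resulting levels. As an added illustration (not code from the paper or its authors), the following Python carries the OWASP Risk Rating Methodology through in the document's terms: the eight likelihood factors and eight impact factors are the ones named in the methodology [15], each group is averaged to a 0-9 score, both averages are mapped through Table II, and the pair is looked up in Table III. The per-factor scores for the two findings are constructed here to show how a Medium and a Low result arise; the paper does not publish the authors' factor scores.

```python
from statistics import mean

# Factor names from the OWASP Risk Rating Methodology [15]: eight likelihood
# factors (threat agent + vulnerability) and eight impact factors (technical +
# business), each scored 0-9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability",
    "loss_of_accountability", "financial_damage", "reputation_damage",
    "non_compliance", "privacy_violation",
)

# Table III: (impact level, likelihood level) -> overall risk severity
OVERALL_SEVERITY = {
    ("Low", "Low"): "Note",      ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "Critical",
}


def score_level(score):
    """Table II: 0 to <3 is Low, 3 to <6 is Medium, 6 to 9 is High."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor average {score} is outside the 0-9 scale")
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def average_factors(scores, expected_names):
    """Mean of one factor group; refuses missing, extra or out-of-range factors."""
    if set(scores) != set(expected_names):
        raise ValueError(f"expected factors {expected_names}, got {tuple(scores)}")
    for name, value in scores.items():
        if not 0 <= value <= 9:
            raise ValueError(f"{name}={value} is outside the 0-9 scale")
    return mean(scores.values())


def rate_vulnerability(likelihood_scores, impact_scores):
    """Average each factor group, map both averages through Table II, then Table III."""
    likelihood = average_factors(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = average_factors(impact_scores, IMPACT_FACTORS)
    likelihood_level = score_level(likelihood)
    impact_level = score_level(impact)
    return {
        "likelihood_score": likelihood,
        "likelihood_level": likelihood_level,
        "impact_score": impact,
        "impact_level": impact_level,
        "overall_severity": OVERALL_SEVERITY[(impact_level, likelihood_level)],
    }


# Constructed factor scores for two of the paper's findings. These are not the
# authors' scores (the paper reports only the resulting levels); they are chosen
# to show how a Medium and a Low result come out of the two tables.
SAMPLE_SCORES = {
    "Absence of Anti-CSRF Tokens": (
        dict(zip(LIKELIHOOD_FACTORS, (5, 4, 7, 6, 5, 5, 6, 8))),  # mean 5.75 -> Medium
        dict(zip(IMPACT_FACTORS, (2, 5, 1, 7, 1, 4, 2, 3))),      # mean 3.125 -> Medium
    ),
    "X-Content-Type-Options Header Missing": (
        dict(zip(LIKELIHOOD_FACTORS, (3, 1, 4, 2, 7, 3, 4, 3))),  # mean 3.375 -> Medium
        dict(zip(IMPACT_FACTORS, (2, 3, 0, 1, 1, 1, 2, 1))),      # mean 1.375 -> Low
    ),
}


def rate_samples():
    """Overall severity for each constructed sample, keyed by finding name."""
    return {name: rate_vulnerability(likelihood, impact)["overall_severity"]
            for name, (likelihood, impact) in SAMPLE_SCORES.items()}


if __name__ == "__main__":
    for name, (likelihood, impact) in SAMPLE_SCORES.items():
        r = rate_vulnerability(likelihood, impact)
        print(f"{name}: likelihood {r['likelihood_score']:.2f} ({r['likelihood_level']}), "
              f"impact {r['impact_score']:.2f} ({r['impact_level']}) -> {r['overall_severity']}")
```

The lookup is keyed on (impact, likelihood) to match the row/column layout of Table III; note that the matrix is symmetric, so a High likelihood with Low impact and a Low likelihood with High impact both land on Medium, which is why two findings with very different exploitability can share a severity level.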


Fig. 3. Attack Against XYZ.go.id Domain

IV. RESULT AND DISCUSSION

Based on information gathering activities on the regional health service website XYZ.go.id using Whois (based on URL and IP address) and Netcraft, information was obtained for the following parameters (Table IV):

TABLE IV. INFORMATION OBTAINED FROM WHOIS AND NETCRAFT

Whois (URL): Domain ID, Domain Name, Created On, Last Updated On, Expiration Date, Status, Sponsoring Registrar, Sponsoring Registrar Organization, Sponsoring Registrar Street, Sponsoring Registrar City, Sponsoring Registrar Province, Sponsoring Registrar Postal Code, Sponsoring Registrar Country, Sponsoring Registrar Phone, Sponsoring Registrar Email, Server Name, DNSSEC
Whois (IP address): IP Location, Autonomous System Number, Resolve Host, Whois Server, IP Address, inetnum, netname, descr, country, admin-c and tech-c, abuse-c, status, mnt-by, mnt-irt, last-modified, source
Netcraft: Site Title, Date First Seen, Netcraft Risk Rating, Site, Domain, Server Name, Network Owner, Hosting Company, IPv4 Address, Reverse DNS, SSL/TLS, SPF Record, DMARC Record, Server-Side, Client-Side, Client-Side Scripting Frameworks, Blog, PHP Application, RSS Feed, Character Encoding, HTTP Compression

Meanwhile, through the Nmap tool, information about open ports is obtained, namely port 21 which is an FTP port, port 53 which is a DNS port, port 80 which is an HTTP/web server port, port 110 which is a POP3 port, port 143 which is an IMAP port, and port 443 which is the HTTPS port. Apart from that, the geo data tool provides host location information as shown in Fig. 4.

Fig. 4. Host location

A. Scanning and Mapping Vulnerabilities

Based on this scanning, eleven vulnerabilities were found from the OWASP ZAP tool and four vulnerabilities from the Nikto tool. From the classification results, there are two vulnerabilities with code A01:2021 Broken Access Control, two vulnerabilities with code A03:2021 Injection, six vulnerabilities with code A05:2021 Security Misconfiguration, and one vulnerability with code A08:2021 Software and Data Integrity Failures. Table V is the result of vulnerability classification based on the OWASP Top 10 2021.

TABLE V. VULNERABILITY FINDING WITH OWASP ZAP AND NIKTO TOOLS

No. | Category OWASP Top 10 2021         | OWASP ZAP                                     | Nikto
1.  | A01:2021-Broken Access Control     | Absence of Anti-CSRF Tokens                   | -
    |                                    | Cookie without SameSite Attribute             | -
2.  | A02:2021-Cryptographic Failures    | -                                             | -
3.  | A03:2021-Injection                 | SQL Injection - SQLite                        | -
    |                                    | SQL Injection - Hypersonic SQL - Time Based   | -
4.  | A04:2021-Insecure Design           | -                                             | -
5.  | A05:2021-Security Misconfiguration | Content Security Policy (CSP) Header Not Set  | -
    |                                    | Missing Anti-clickjacking Header              | The anti-clickjacking X-Frame-Options header is not present
    |                                    | Secure Pages Include Mixed Content            | -
    |                                    | Strict-Transport-Security Header Not Set      | The Strict-Transport-Security header is not set


TABLE V. VULNERABILITY FINDING WITH OWASP ZAP AND NIKTO TOOLS (continued)

No. | Category OWASP Top 10 2021                           | OWASP ZAP                                                                  | Nikto
    | A05:2021-Security Misconfiguration (continued)       | X-Content-Type-Options Header Missing                                      | The X-Content-Type-Options header is not set
    |                                                      | Server Leaks Version Information via "Server" HTTP Response Header Field   | Server banner changed from "LiteSpeed" to "imunify360-webshield/1.18"
6.  | A06:2021-Vulnerable and Outdated Components          | -                                                                          | -
7.  | A07:2021-Identification and Authentication Failures  | -                                                                          | -
8.  | A08:2021-Software and Data Integrity Failures        | Cross-Domain JavaScript Source File Inclusion                              | -
9.  | A09:2021-Security Logging and Monitoring Failures    | -                                                                          | -
10. | A10:2021-Server-Side Request Forgery                 | -                                                                          | -

B. Penetration Testing

The average of the likelihood factors and the average of the impact factors obtained are then matched against the Overall Risk Severity Level matrix to obtain the final result in the form of the severity level of each vulnerability, listed in Table VI.

TABLE VI. VULNERABILITY FINDINGS VALIDATION RESULTS

No. | Category OWASP Top 10:2021 | Vulnerability                                                              | Validation status | Severity Level
1.  | A03:2021                   | SQL Injection - SQLite                                                     | False-positive    | -
2.  | A03:2021                   | SQL Injection - Hypersonic SQL - Time Based                                | False-positive    | -
3.  | A01:2021                   | Absence of Anti-CSRF Tokens                                                | True-positive     | Medium
4.  | A05:2021                   | Content Security Policy (CSP) Header Not Set                               | True-positive     | Medium
5.  | A05:2021                   | Missing Anti-clickjacking Header                                           | True-positive     | Medium
6.  | A01:2021                   | Cookie without SameSite Attribute                                          | True-positive     | Medium
7.  | A05:2021                   | Secure Pages Include Mixed Content                                         | True-positive     | Low
8.  | A05:2021                   | Strict-Transport-Security Header Not Set                                   | True-positive     | Low
9.  | A05:2021                   | X-Content-Type-Options Header Missing                                      | True-positive     | Low
10. | A08:2021                   | Cross-Domain JavaScript Source File Inclusion                              | True-positive     | Low
11. | A05:2021                   | Server Leaks Version Information via "Server" HTTP Response Header Field   | True-positive     | Low

Based on a risk assessment using the OWASP Risk Assessment Calculator on the nine vulnerabilities that were proven to be exploitable at the penetration testing stage, it was found that four vulnerabilities had a medium severity level and five vulnerabilities had a low severity level. This vulnerability level assessment aims to determine repair priorities on the website belonging to the regional health service (XYZ.go.id) so that it can be repaired immediately.

C. Reporting

This stage contains recommendations for improvements based on the OWASP ZAP scanning report and the IT Security Assessment Vulnerability Dictionary [18]. The recommendations are listed in Table VII:

TABLE VII. IMPROVEMENT RECOMMENDATIONS

No. | Vulnerability | Recommendations
1. | Absence of Anti-CSRF Tokens | Implement Anti-CSRF Tokens by ensuring their use for every action that changes data or has an impact on applications. Each user must also have a unique, dynamically generated CSRF token for each session. Store CSRF tokens in the session on the server to prevent Cross-Site Scripting (XSS) attacks that can retrieve CSRF tokens from cookies. Validate CSRF tokens on requests: every time a user sends a request that can change data, the server must verify the CSRF token sent by the user against the CSRF token in the server session. Set the SameSite attribute on application cookies to "Strict" or "Lax" to help protect against CSRF attacks by limiting cookie access to only requests originating from the same site, for example by using the PHP programming language.
2. | Content Security Policy (CSP) Header Not Set | Set a CSP header on the web server stating a clear security policy about what resources are and are not allowed to be loaded on the page. Use CSP Report-Only mode to report potential policy violations without implementing countermeasures.
3. | Missing Anti-clickjacking Header | Implement HTTP Content-Security-Policy and X-Frame-Options headers. Set the X-Frame-Options header with the value "SAMEORIGIN" or "DENY".


TABLE VII. IMPROVEMENT RECOMMENDATIONS (continued)

No. | Vulnerability | Recommendations
4. | Cookie without SameSite Attribute | Set the SameSite attribute on the cookie according to the website's requirements. The SameSite attribute can be set as "Strict" (the cookie will only be sent if the request comes from the same website) or "Lax" (the cookie will be sent if the request comes from a link within the same website or if the request is a "top-level" navigation by the user). Ensure input received from users or external sources is properly validated to prevent XSS attacks. Implement CSP to control the resources allowed on web pages and help protect against XSS attacks and the use of cookies from unauthorized sites.
5. | Secure Pages Include Mixed Content | Ensure that pages do not contain any content transmitted over unencrypted HTTP. Pages must not contain any content sent via unencrypted HTTP, including from third-party sites. Implement appropriate Content-Security-Policy (CSP) headers to control the resources allowed on the page.
6. | Strict-Transport-Security Header Not Set | Configure the web server to send HSTS headers in HTTP responses and include a security policy that instructs the browser to always use HTTPS for a specified period. Thoroughly test HSTS header settings.
7. | X-Content-Type-Options Header Missing | Set the "X-Content-Type-Options" header in the HTTP response with the value "nosniff" for all web pages. Use automation tools to regularly check and verify X-Content-Type-Options header settings. Such tools can help identify configuration errors or deficiencies in header settings across websites.
8. | Cross-Domain JavaScript Source File Inclusion | Make sure to only load JavaScript scripts from truly trusted and verified sources. Use appropriate Content-Security-Policy (CSP) headers to control the origins of permitted resources within the website.
9. | Server Leaks Version Information via "Server" HTTP Response Header Field | Ensure that the web server is configured in a way that does not reveal information about the software version or technology used through the "Server" header or other HTTP response headers. Use a Web Application Firewall (WAF) to identify and block exploit attempts aimed at vulnerabilities in specific software versions.

V. CONCLUSION

The conclusions of this research are:
1) This research was able to find eleven vulnerabilities on websites belonging to the regional health service in one of the districts in Indonesia. Of the eleven vulnerabilities, nine were successfully exploited. Four vulnerabilities are listed as medium severity and five as low. This research also provides recommendations to fix the vulnerabilities that have proven to be true positives.
2) For further research, researchers can carry out security analysis using other methods or on website staging, and use other vulnerability scanning tools to increase the number of vulnerabilities found for analysis.

REFERENCES

[1] Direktorat Operasi Keamanan Siber, Laporan Tahunan Monitoring Keamanan Siber 2021. Jakarta Selatan, 2021.
[2] Tim Litbang MPI, “3 Website Indonesia yang Jadi Incaran Hacker, Nomor 1 Milik Negara.” Accessed: Oct. 17, 2022. [Online]. Available: https://nasional.okezone.com/read/2022/07/31/337/2639610/3-website-indonesia-yang-jadi-incaran-hacker-nomor-1-milik-negara
[3] I. Dewi, “Dugaan Kebocoran Data Pasien Milik Kemenkes, Ini Kata Pakar Keamanan Siber.” Accessed: Oct. 17, 2022. [Online]. Available: https://techno.okezone.com/read/2022/01/07/54/2528693/dugaan-kebocoran-data-pasien-milik-kemenkes-ini-kata-pakar-keamanan-siber
[4] Direktorat Operasi Keamanan Siber, “Laporan Bulanan Publik Hasil Monitoring Keamanan Siber,” www.idsirtii.or.id.
[5] R. A. G. G. and A. H. S. R. B. P. Zen, “Analisis Security Assessment Menggunakan Metode Penetration Testing dalam Menjaga Kapabilitas Keamanan Teknologi Informasi Pertahanan Negara,” Jurnal Teknologi Penginderaan, vol. 2, no. 1, 2020.
[6] M. S. S. Wardaya, “Skripsi Penetration Testing Terhadap Website Asosiasi Pekerja Professional Informasi Sekolah Indonesia (APISI),” 2019.
[7] K. Patel, “A Survey on Vulnerability Assessment & Penetration Testing for Secure Communication,” in Proceedings of the Third International Conference on Trends in Electronics and Informatics (ICOEI), 2019, pp. 23–25.
[8] R. S. Devi and M. M. Kumar, “Testing for Security Weakness of Web Applications using Ethical Hacking,” in Proceedings of the 4th International Conference on Trends in Electronics and Informatics (ICOEI), 2020, pp. 15–17.
[9] D. S. Irawan, “Pengujian Keamanan Sistem Informasi Berbasis Web Berdasarkan Dokumen OWASP WSTG v4.2 (Studi Kasus: Sistem Informatics Expo Universitas Islam Indonesia),” 2022.
[10] H. B. S. and W. W. A. I. Rafeli, “Pengujian Celah Keamanan Menggunakan Metode OWASP Web Security Testing Guide (WSTG) pada Website XYZ,” Jurnal Informatik, vol. 18, no. 2, 2022.
[11] P. Felt, “Measuring HTTPS Adoption on the Web,” in Proceedings of the 26th USENIX Security Symposium, 2017, pp. 1323–1338.
[12] OWASP Foundation, The OWASP Top 10. 2022.
[13] T. Klíma, “PETA: Methodology of Information Systems Security Penetration Testing,” Acta Informatica Pragensia, vol. 5, no. 2, pp. 98–117, Dec. 2016, doi: 10.18267/j.aip.88.
[14] E. Saad and R. Mitchell, Web Security Testing Guide. owasp.org, 2022.
[15] OWASP Foundation, “OWASP Risk Rating Methodology.” Accessed: Dec. 10, 2022. [Online]. Available: https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
[16] V. Appiah, M. Asante, I. K. Nti, and O. Nyarko-Boateng, “Survey of Websites and Web Application Security Threats Using Vulnerability Assessment,” Journal of Computer Science, vol. 15, no. 10, pp. 1341–1354, Oct. 2019, doi: 10.3844/jcssp.2019.1341.1354.
[17] G. Krasniqi and V. Bejtullahu, “Vulnerability Assessment & Penetration Testing: Case study on web application security,” UBT International Conference.
[18] Kelompok Fungsi Identifikasi dan Proteksi, “Kamus Kerentanan IT Security Assessment,” 2021.
[19] L. Zachariah and S. Roy, “A Comparison Study of Penetration Testing Tools in Linux,” Int J Sci Eng Res, vol. 10, no. 4, 2019.
[20] S. Nagpure and S. Kurkure, “Vulnerability Assessment and Penetration Testing of Web Application,” in 2017 International Conference on Computing, Communication, Control and Automation (ICCUBEA), IEEE, Aug. 2017, pp. 1–6, doi: 10.1109/ICCUBEA.2017.8463920.
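Seven of the nine true positives in Table VI are response-header or cookie findings, and recommendations 2 to 7 and 9 in Table VII are each a header setting. The following Python is an added example, not code from the paper, its authors, OWASP ZAP or Nikto: it re-checks those findings offline against one HTTPS response, so a regression test can confirm the fixes stay in place after deployment. Of the sample values, only the Server banner "imunify360-webshield/1.18" is from the paper (Table V, Nikto column); the cookie name, the script URL and the header values of the hardened response are constructed assumptions for the example.

```python
import re

# Finding names exactly as the scanners reported them in Table V / Table VI
CSP_NOT_SET = "Content Security Policy (CSP) Header Not Set"
ANTI_CLICKJACKING_MISSING = "Missing Anti-clickjacking Header"
HSTS_NOT_SET = "Strict-Transport-Security Header Not Set"
XCTO_MISSING = "X-Content-Type-Options Header Missing"
SERVER_LEAK = 'Server Leaks Version Information via "Server" HTTP Response Header Field'
COOKIE_NO_SAMESITE = "Cookie without SameSite Attribute"
MIXED_CONTENT = "Secure Pages Include Mixed Content"

# A version number after a product token, e.g. "nginx/1.24.0"
VERSIONED_SERVER = re.compile(r"/\d")
# A sub-resource reference fetched over plain HTTP from an HTTPS page
PLAIN_HTTP_SUBRESOURCE = re.compile(r"""(?:src|href)\s*=\s*["']http://""", re.IGNORECASE)


def audit_response(headers, html=""):
    """Re-check the Table V/VI header findings against one HTTPS response.

    headers: list of (name, value) pairs in the order the server sent them,
    so repeated Set-Cookie headers are all kept. html: the response body,
    used only for the mixed-content check. Returns the list of finding
    names that would still be reported.
    """
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    findings = []
    csp = " ".join(by_name.get("content-security-policy", [])).lower()
    if not csp:
        findings.append(CSP_NOT_SET)
    # Either X-Frame-Options or a CSP frame-ancestors directive blocks framing
    if "x-frame-options" not in by_name and "frame-ancestors" not in csp:
        findings.append(ANTI_CLICKJACKING_MISSING)
    if "strict-transport-security" not in by_name:
        findings.append(HSTS_NOT_SET)
    if "nosniff" not in [v.strip().lower() for v in by_name.get("x-content-type-options", [])]:
        findings.append(XCTO_MISSING)
    if any(VERSIONED_SERVER.search(v) for v in by_name.get("server", [])):
        findings.append(SERVER_LEAK)
    if any("samesite=" not in c.lower() for c in by_name.get("set-cookie", [])):
        findings.append(COOKIE_NO_SAMESITE)
    if PLAIN_HTTP_SUBRESOURCE.search(html):
        findings.append(MIXED_CONTENT)
    return findings


# Constructed response resembling the scanner findings for the site. The Server
# value is the banner Nikto reported in Table V; the cookie name and the script
# URL are placeholders, not values from the paper.
SCANNED_HEADERS = [
    ("Server", "imunify360-webshield/1.18"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=constructedsessionid; path=/"),
]
SCANNED_HTML = '<script src="http://cdn.example/jquery.min.js"></script>'

# The same response after applying recommendations 2 to 7 and 9 of Table VII
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "PHPSESSID=constructedsessionid; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
HARDENED_HTML = '<script src="/js/jquery.min.js"></script>'

if __name__ == "__main__":
    print("scanned: ", audit_response(SCANNED_HEADERS, SCANNED_HTML))
    print("hardened:", audit_response(HARDENED_HEADERS, HARDENED_HTML))
```

Two design points follow the recommendations rather than the scanners' literal checks: a CSP `frame-ancestors` directive is accepted as anti-clickjacking protection (recommendation 3 lists both headers), and the Server check only flags a version number, so a bare product name such as "LiteSpeed" passes even though recommendation 9 prefers to reveal neither version nor technology; dropping the header entirely, as the hardened response does, satisfies both readings.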
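Recommendation 1 of Table VII describes the CSRF defence in four steps: a per-session token generated dynamically, stored in the server-side session rather than a cookie, verified on every state-changing request, and backed by a SameSite attribute on the session cookie. The following Python is an added example, not code from the paper or its authors, that implements those four steps in one place; the in-memory session store, the cookie name "session" and the token length are assumptions made for the example, and a real deployment would use its framework's session backend.

```python
import hmac
import secrets

# Methods that do not change state and so need no CSRF token (recommendation 1
# requires the token only for actions that change data)
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class SessionStore:
    """Server-side session storage. In-memory here; a deployment would use the
    framework's session backend, but the token must stay on the server."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        session_id = secrets.token_urlsafe(32)
        # One dynamically generated token per session, kept server-side so a
        # script that reads cookies cannot obtain it
        self._sessions[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
        return session_id

    def get(self, session_id):
        return self._sessions.get(session_id)


def session_cookie(session_id, same_site="Lax"):
    """Set-Cookie value for the session id with the SameSite attribute from
    recommendations 1 and 4 (only "Strict" or "Lax" are accepted)."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("SameSite must be Strict or Lax")
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def csrf_token_for_form(store, session_id):
    """Token to embed as a hidden form field for this session."""
    session = store.get(session_id)
    if session is None:
        raise KeyError("unknown session")
    return session["csrf_token"]


def check_request(store, method, session_id, submitted_token):
    """Return (allowed, reason). Read-only methods pass; a state-changing
    request must carry the token stored for its own session."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    session = store.get(session_id)
    if session is None:
        return False, "unknown session"
    if not isinstance(submitted_token, str):
        return False, "missing CSRF token"
    # Constant-time comparison so the check leaks nothing about the stored token
    if not hmac.compare_digest(session["csrf_token"], submitted_token):
        return False, "mismatched CSRF token"
    return True, "token valid"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    print(session_cookie(sid))
    token = csrf_token_for_form(store, sid)
    print(check_request(store, "POST", sid, token))
    print(check_request(store, "POST", sid, None))
```

The token is bound to the session it was issued for, so a token copied from one session is rejected in another; the `hmac.compare_digest` call is what makes the comparison safe against timing differences, which an ordinary `==` on strings would not guarantee.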
