Hasil Pencarian  ::  Simpan CSV :: Kembali

"Isu keamanan adalah topik yang sangat penting di dunia komputer dan jaringan internet karena ancaman terhadap sistem keamanan terus-menerus berkembang dan meningkat. Oleh karena itu, sistem keamanan terus diperbarui untuk menghadapi potensi terjadinya peretasan terhadap sistem komputasi, termasuk pada aplikasi web. Dengan diperbaruinya sistem keamanan aplikasi web, pengujian diperlukan untuk memastikan ketahanannya terhadap berbagai ancaman terbaru. Untuk memudahkan rangkaian kegiatan pengujian dengan adanya metode yang dapat direplikasi, penulis merancang Kerangka Uji ID OWASP WSTG Terstruktur, sebuah pendekatan berbasis OWASP Web Security Testing Guide versi v4.2 yang diterapkan pada pengujian aplikasi web. Pengujian yang dilakukan meliputi 21 ID OWASP WSTG berbeda dari segi autentikasi, konfigurasi, ekstraksi informasi, injeksi, hingga manajemen session. Dari ID-ID tersebut, penulis menemukan 6 kerentanan dengan nilai High, 8 kerentanan dengan nilai Medium, 5 kerentanan dengan nilai Low, dan 2 kerentanan dengan nilai Informational. ID OWASP WSTG yang dipilih sebagai poin pengujian juga memiliki kaitan dengan OWASP Top 10 (2021) sebagai referensi kerentanan yang banyak ditemukan dan ISO/IEC 27001:2022 sebagai referensi standar keamanan informasi. Hasil yang didapatkan menunjukkan relevansi dari penggunaan Kerangka Uji ID OWASP WSTG Terstruktur sebagai alur uji penetrasi menggunakan OWASP WSTG.

---

Security issues are a critical concern in the world of computing and the internet, as threats to system security continue to evolve and intensify. Consequently, security systems are constantly updated to defend against potential breaches in computing environments, including web applications. As web application security improves, testing becomes necessary to ensure resilience against emerging threats. To facilitate a replicable testing process, the author designed the Structured OWASP WSTG ID Testing Framework, an approach based on version 4.2 of the OWASP Web Security Testing Guide, applied to web application testing. The assessment covered 21 different OWASP WSTG IDs across authentication, configuration, information extraction, injection, and session management. Among these IDs, the author identified 6 vulnerabilities rated High, 8 rated Medium, 5 rated Low, and 2 rated Informational. The selected WSTG IDs were also mapped to relevant categories in the OWASP Top 10 (2021), a widely used reference for common vulnerabilities, and ISO/IEC 27001:2022, a standard for information security. The results demonstrate the relevance of using the Structured OWASP WSTG ID Testing Framework as a penetration testing workflow aligned with the OWASP WSTG methodology."

"Berkembang pesatnya teknologi informasi saat ini sejalan dengan berkembangnya aplikasi berbasis android dan website. Website umumnya digunakan sebagai media informasi dan komunikasi yang tentunya memiliki peran yang sangat penting. Namun, tidak menutup kemungkinan bahwa terdapat ancaman terkait dengan celah keamanan dari suatu website, baik kejahatan cyber, kebocoran data, pencurian data, dan merusak data maupun hanya ingin mengganggu system tersebut. Sebagai contoh pada website admin Digital Outlet yang merupakan pusat dari pengelolaan suatu website application. Dalam website admin tersebut telah tersimpan data dan informasi penting penggunanya yang bersifat sensitif. Maka, perlu adanya perhatian khusus terkait keamanan website tersebut. Pada penelitian ini akan dilakukan vulnerability assessment dan penetration testing pada situs website Digital Outlet menggunakan metode Information System Security Assessment Framework (ISSAF) dengan melakukan pengujian untuk mencari celah keamanan yang umum terjadi pada website tersebut, khususnya celah keamanan pada Broken Access Control, Cross Site Scripting (XSS), SQL Injection, dan sebagainya. Hasil dari penelitian analisis uji kerentanan yang diperoleh pada website Digital Outlet nantinya akan pergunakan untuk memperbaiki dan meningkatkan keamanan pada website tersebut serta menjadi salah satu referensi dalam memberikan rekomendasi terkait pengembangan framework Basic Development Framework (BDF) untuk management struktur rancang bangun suatu website yang baik dan aman. 

---

The rapid development of information technology is currently in line with the development of Android-based applications and website. Website are generally used as a medium of information and communication which of course has a very important role. However, it is possible that there are threats related to the security gaps of a website, both cyber crime, data leaks, data theft, and damage to data or just wanting to disrupt the system. For example, on the Digital Outlet admin website, which is the center of managing a website application. The admin website has stored important sensitive data and information on its users. So, there needs to be special attention regarding the security of the website. In this research, vulnerability assessment dan penetration testing will be carried out on the Digital Outlet website using the Information System Security Assessment Framework (ISSAF) method by conducting tests to find security holes that commonly occur on the website, especially security holes in Broken Access Control, Cross Site Scripting (XSS), SQL Injection, and so on. The results of the vulnerability test analysis research obtained on the Digital Outlet website will later be used to improve and increase security on the website and become a reference in providing recommendations related to the development of the Basic Development Framework (BDF) framework for the management structure of a good website design and build safe."

"Penggunaan internet terus meningkat dengan penggunaan untuk kepentingan yang makin beragam pula, termasuk dalam sebuah bisnis. Hal ini menyebabkan makin banyaknya pula data yang tersimpan dan terekspos di internet. Banyaknya data tersebut tidak diiringi dengan kesadaran terhadap seberapa penting kerahasiaan dan keamanannya. Ini menimbulkan potensi kejahatan yang biasa dikenal dengan cybercrime. Korban dari kejahatan siber dapat mengalami kerugian, mencakup rusaknya reputasi perusahaan atau organisasi hingga kerugian finansial. Untuk itu, penelitian ini bertujuan untuk mengidentifikasi kerentanan yang dimiliki oleh sebuah web application yang menjadi sistem pelacakan dan pemantauan aset. Penelitian ini dilakukan dengan pendekatan uji penetrasi menggunakan kerangka kerja dari OWASP (Open Worldwide Application Security Project). Framework ini berfokus pada keamanan dari web application sehingga sesuai dengan target pengujian dari penelitian ini. Penelitian ini mencakup information gathering dan 3 (tiga) metode pengujian mengacu pada OWASP WSTG, yaitu authentication testing, authorization testing, dan input validation testing dengan total 8 (delapan) metode pengujian yang dipilih. Dari hasil uji penetrasi yang dilakukan, ditemukan 4 kerentanan yang berhasil dieksploitasi. Keempat kerentanan tersebut kemudian dianalisis menggunakan OWASP Risk Rating Methodology dengan hasil akhir poin likelihood 6,5 (HIGH) dan impact 3,21 (MEDIUM). Hasil ini menunjukkan overall risk severity dari web application target yang diuji memiliki tingkat kerentanan tinggi.

---

The increasing use of the internet for a wide range of purposes, including business, has led to a significant growth in the amount of data stored and exposed online. However, this increase in data is not matched by an awareness of the importance of its confidentiality and security. This situation creates the potential for cybercrime, which can cause substantial harm, including damage to the reputation of a company or organization and financial losses. Therefore, this research aims to identify vulnerabilities in a web application used as an asset tracking and monitoring system. The study employs a penetration testing approach using the OWASP (Open Worldwide Application Security Project) framework. This framework focuses on web application security, making it suitable for the research's testing targets. The study involves information gathering and three testing methods from the OWASP WSTG: authentication testing, authorization testing, and input validation testing, using a total of eight selected testing methods. The penetration testing results revealed four exploitable vulnerabilities. These vulnerabilities were analyzed using the OWASP Risk Rating Methodology, resulting in a final likelihood score of 6.5 (HIGH) and an impact score of 3.21 (MEDIUM). These results indicate that the overall risk severity of the tested web application has a high level of vulnerability."

"The basics of web hacking introduces you to a tool-driven process to identify the most widespread vulnerabilities in Web applications. No prior experience is needed. Web apps are a "path of least resistance" that can be exploited to cause the most damage to a system, with the lowest hurdles to overcome. This is a perfect storm for beginning hackers. The process set forth in this book introduces not only the theory and practical information related to these vulnerabilities, but also the detailed configuration and usage of widely available tools necessary to exploit these vulnerabilities.The basics of web hacking provides a simple and clean explanation of how to utilize tools such as Burp Suite, sqlmap, and Zed Attack Proxy (ZAP), as well as basic network scanning tools such as nmap, Nikto, Nessus, Metasploit, John the Ripper, web shells, netcat, and more. Dr. Josh Pauli teaches software security at Dakota State University and has presented on this topic to the U.S. Department of Homeland Security, the NSA, BlackHat Briefings, and Defcon. He will lead you through a focused, three-part approach to Web security, including hacking the server, hacking the Web app, and hacking the Web user.With Dr. Pauli’s approach, you will fully understand the what/where/why/how of the most widespread Web vulnerabilities and how easily they can be exploited with the correct tools. You will learn how to set up a safe environment to conduct these attacks, including an attacker Virtual Machine (VM) with all necessary tools and several known-vulnerable Web application VMs that are widely available and maintained for this very purpose. "

"Keamanan website adalah komponen penting untuk melindungi dan mengamankan situs web dan server. Situs Web dipindai untuk mengetahui kerentanan dan malware melalui perangkat lunak keamanan situs website. Kerentanan dalam teknologi informasi (IT), adalah cacat dalam kode atau desain yang menciptakan titik kompromi keamanan potensial untuk titik akhir atau jaringan. Kerentanan menciptakan kemungkinan vektor serangan, dimana penyusup dapat menjalankan kode atau mengakses memori sistem target. Tools OWASP-ZAP adalah fitur untuk melakukan penetration testing pada sebuah website. SCELE adalah salah satu platform yang disediakan Universitas Indonesia untuk mengakses info akademis. Dengan tool OWASP-ZAP pendeteksian kerentanan pada website SCELE dapat dilakukan serta analisa dari hasil kerentanan tersebut juga dapat disimpulkan agar dapat menjadi acuan untuk memperbaiki sistem SCELE yang telah ada.

---

Website security is an important component to protect and secure websites and servers. The website is scanned to find out vulnerabilities and malware through website security software. Vulnerability in information technology (IT), is defect in code or design that creates a point of potential security compromise for endpoint or network. Vulnerability creates the possibility of an attack vector, where intruders can run code or access the target systems memory. The OWASP-ZAP tool is a feature for penetration testing of a website. Scele is one of the platform provided by University of Indonesia to access academic info. With OWASP-ZAP tool, vulnerability detection on the SCELE website can be done and and analysis of the result of these vulnerabilities can also be concluded to be reference to improve the existing SCELE system."

"Ancaman keamanan terhadap website biasa dihasilkan melalui celah yang memungkinkan pengguna lain melakukan tindak kejahatan. Untuk pemeliharaan keamanan website yang baik, deteksi kerentanan website dapat dilakukan dengan prosedur vulnerability identification dan penetration testing. Penetration Testing Execution Standard (PTES) digunakan pada penelitian ini sebagai kerangka kerja atau framework penetration testing dengan tujuan untuk mendapatkan hasil akhir berupa kerentanan yang dapat mengganggu keamanan website. Terdapat tujuh tahapan yang akan dilakukan pada framework PTES yaitu Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post Exploitation, dan Reporting. Penetration testing ini juga menerapkan metode blackbox testing. Blackbox testing adalah metode pengujian yang dilakukan tanpa mengetahui informasi apa pun mengenai sistem website. Ditemukan tiga kerentanan dengan tingkat risiko tinggi pada website redstorm setelah melakukan penetration testing dengan framework PTES dan metode blackbox testing, yaitu PII Disclosure, SQL Injection, dan SQL Injection-SQLite. Hasil ini menekankan perlunya penguatan keamanan website dan penerapan langkah-langkah mitigasi yang sesuai untuk melindungi data sensitif dan melawan potensi serangan. Selain itu, penelitian ini menegaskan efektivitas dan relevansi kerangka kerja PTES dalam mengidentifikasi kerentanan keamanan sistem. Implikasi dari temuan ini memberikan kontribusi bagi pengembangan kebijakan keamanan informasi dan penelitian tentang keamanan siber yang lebih lanjut.

---

Security threats to common websites are generated by gaps that allow other users to commit criminal acts. For good website security maintenance, website vulnerability detection can be done with vulnerability identification and penetration testing procedures. The Penetration Testing Execution Standard (PTES) is used in this research as a framework for penetration testing with the aim of obtaining the final result of vulnerabilities that can interfere with the operation of the website. There are seven stages that will be performed on the PTES framework: Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post-exploitation, and Reporting. The penetration test also uses the blackbox testing method. Blackbox testing is a test method that is performed without knowing any information about the website system. Three high-risk vulnerabilities were found on Redstorm websites after performing penetration testing with the PTES framework and blackbox testing methods, namely PII Disclosure, SQL Injection, and SQL injection-SQLite. The results emphasize the need to strengthen website security and implement appropriate mitigation measures to protect sensitive data and counter potential attacks. In addition, the study confirms the effectiveness and relevance of the PTES framework in identifying system security vulnerabilities. The implications of these findings contribute to the development of information security policies and further research on cybersecurity."

"Pengujian penetrasi merupakan suatu langkah penting yang diambil untuk meningkatkan keamanan sebuah website, terutama bagi suatu perusahaan. Terdapat beberapa kerangka kerja dan metodologi untuk uji penetrasi, salah satunya adalah Information Systems Security Assessment Framework (ISSAF). ISSAF merupakan sebuah kerangka kerja yang komprehensif dengan keunggulan pada domain coverage sehingga memungkinkan pengujian bukan hanya dari luar sistem, namun juga masuk ke dalam sistem. Penelitian ini menunjukan tahapan uji penetrasi menggunakan kerangka kerja ISSAF dan memanfaatkan beberapa tools yang umum digunakan untuk mengidentifikasi kerentanan website bagi perusahaan. Hasil dari penelitian ini ditemukan 7 kerentanan, diantaranya yaitu Clickjacking, Brute-force Attack pada Login Page, HSTS Missing From HTTP Server, Content Security Policy (CSP) Header Not Set , Cookie without SameSite Attribute, Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s),serta X-Content-Type-Options Header Missing. Dari hasil pengujian penetrasi ini dapat dijadikan rekomendasi untuk mengatasi kerentanan keamanan pada perusahaan-perusahaan di bidangnya.

---

Penetration testing is an important step taken to improve the security of a website, especially for a company. There are several frameworks and methodologies for penetration testing, one of which is the Information Systems Security Assessment Framework. (ISSAF). ISSAF is a comprehensive framework with advantages on domain coverage that allows testing not only from outside the system, but also into the system.  This research demonstrates the stage of penetration testing using the ISSAF framework and utilizes several commonly used tools to identify website vulnerabilities for companies. This study we found seven vulnerabilities in the target website, including Clickjacking, Brute-force Attack on Login Page, HSTS Missing from HTTP Server, Content Security Policy (CSP) Header Not Set, Cookie without SameSite Attribute, Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s), and X-Content-Type-Options Header Missing. From this penetration test results, a recommendation to address security vulnerabilities in companies can be conducted."

"Dengan adanya perkembangan teknologi saat ini, banyak pihak memberikan layanan yang dapat dimanfaatkan untuk dapat mempermudah semua kegiatan. Salah satu media yang digunakan untuk berbagai tujuan yaitu website. Salah satu jenis website yaitu website e-learning. Website e learning akan akan menyimpan informasi sensitif seperti data penggunanya untuk dapat memberikan hak akses fasilitas terhadap website tersebut. Informasi sensitif inilah yang perlu diperhatikan dalam pengembangan suatu website agar terhindar dari serangan cyber. Salah satu serangan yang sering terjadi pada website yaitu sql injection, dimana serangan ini terjadi dalam bentuk pencurian atau bahkan memodifikasi informasi pribadi oleh pihak yang tidak berhubungan. Untuk mencegah terjadi serangan pada website maka perlu dilakukannya penetration testing. Penetration testing bertujuan untuk mencari kerentanan yang ada pada website agar dapat segera ditangani sebelum dimanfaatkan oleh pihak yang tidak bertanggung jawab. Terdapat beberapa tahapan yang dilakukan untuk mengidentifikasi kerentanan website yaitu reconnaissance, scanning, exploitation dan report. Pengujian dilakukan dengan menganalisis hasil yang didapatkan dari setiap tahapan penetration testing sehingga dapat diketahui kerentanan yang ada pada website. Dari kerentanan yang terdetaksi maka akan diketahui beberapa rekomendasi solusi untuk mengatasinya. Setiap tahapan penetration testing akan menggunakan beberapa tools pendukung. Selain itu juga dilakukan pengujian keamanan website dengan melakukan serangan sql injection dan xss attack.

---

With the current technological developments, many parties provide services that can be used to facilitate all activities. One of the media used for various purposes is the website. One type of website is an e-learning website. An e-learning website will store sensitive information such as user data to be able to grant facility access rights to the website. This sensitive information needs to be considered in developing a website to avoid cyber attacks. One of the attacks that often occurs on websites is sql injection, where this attack occurs in the form of stealing or even modifying personal information by unrelated parties. To prevent attacks on the website, it is necessary to do penetration testing. Penetration testing aims to find vulnerabilities on the website so that they can be addressed immediately before being exploited by irresponsible parties. There are several steps taken to identify website vulnerabilities, namely reconnaissance, scanning, exploitation and reports. Testing is carried out by analyzing the results obtained from each stage of penetration testing so that the vulnerabilities that exist on the website can be identified. From the detected vulnerabilities, several recommendations for solutions to overcome them will be identified. Each stage of penetration testing will use several supporting tools. Besides that, website security testing is also carried out by carrying out sql injection attacks and xss attacks."

"Machine generated contents note: Chapter 0: Introduction Chapter 1: Introduction to Command Shell Scripting Chapter 2: Introduction to Python Chapter 3: Introduction to Perl Chapter 4: Introduction to Ruby Chapter 5: Introduction to Web Scripting with PHP Chapter 6: Manipulating Windows with PowerShell Chapter 7: Scanner Scripting Chapter 8: Information Gathering Chapter 9: Exploitation Scripting Chapter 10: Post-Exploitation Scripting Appendix: Subnetting and CIDR Addresses"

"Professional penetration testing walks you through the entire process of setting up and running a pen test lab. Penetration testing—the act of testing a computer network to find security vulnerabilities before they are maliciously exploited—is a crucial component of information security in any organization. With this book, you will find out how to turn hacking skills into a professional career. Chapters cover planning, metrics, and methodologies; the details of running a pen test, including identifying and verifying vulnerabilities; and archiving, reporting and management practices.Author Thomas Wilhelm has delivered penetration testing training to countless security professionals, and now through the pages of this book you can benefit from his years of experience as a professional penetration tester and educator. After reading this book, you will be able to create a personal penetration test lab that can deal with real-world vulnerability scenarios."