Research area: Analysis
Conference: 2024 International Conference of Adisutjipto on Aerospace Electrical Engineering and Informatics (ICAAEEI)
In the evolving landscape of digital education, Academic Information Systems (AIS) have become essential for managing educational processes and supporting dynamic learning environments. However, integrating these systems introduces significant cybersecurity risks that threaten the integrity, availability, and confidentiality of sensitive educational data. This paper presents a vulnerability assessment of the AIS website at University XYZ, conducted using Open Web Application Security Project (OWASP) guidelines. The methodology combines automated and manual testing with the OWASP Zed Attack Proxy (ZAP) to uncover security weaknesses. The penetration test revealed several vulnerabilities, categorized as medium- and low-severity alerts. Medium alerts included the absence of a Content Security Policy (CSP) header, cross-domain misconfiguration, hidden files, a missing anti-clickjacking header, and vulnerable JavaScript libraries. Low alerts included application error disclosure, cookies without the Secure flag or SameSite attribute, debug error messages, and missing Strict-Transport-Security (HSTS) and X-Content-Type-Options headers. Based on these findings, practical recommendations were proposed: implementing a CSP header, enabling the Secure flag and SameSite attribute on cookies, configuring HSTS, and adding an anti-clickjacking header. By adopting these measures, University XYZ can strengthen the security of its AIS, protect sensitive educational data, and maintain the trust of its users.
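The header- and cookie-related alerts listed in the abstract (missing CSP, anti-clickjacking, HSTS and X-Content-Type-Options headers; a wildcard cross-domain policy; cookies lacking Secure or SameSite) can all be detected from a single HTTP response. The following is an added example, not code from the paper or from OWASP ZAP: a small auditor that parses a raw response, flags those alert classes with the paper's medium/low labels, and is run against two constructed responses, a weak one and a hardened one carrying the recommended headers. The sample responses, the `JSESSIONID`/`theme` cookie names and the function names are assumptions for illustration. Findings that need page content rather than headers (hidden files, vulnerable JavaScript libraries, error disclosure) are out of scope here.

```python
"""Audit an HTTP response for the header/cookie alert classes the abstract lists."""
from __future__ import annotations

import re

# Constructed sample responses (not captured from any real AIS deployment).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Access-Control-Allow-Origin: *
Set-Cookie: JSESSIONID=abc123; Path=/
Set-Cookie: theme=dark; Path=/; HttpOnly
"""

# Same response after applying the paper's recommendations (hypothetical values).
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response into (name, value) pairs; duplicate Set-Cookie lines are kept."""
    pairs: list[tuple[str, str]] = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip() or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw: str) -> list[tuple[str, str]]:
    """Return (severity, description) findings using the paper's medium/low categories."""
    headers = parse_headers(raw)

    def get(name: str) -> list[str]:
        return [v for n, v in headers if n == name]

    findings: list[tuple[str, str]] = []

    csp = get("content-security-policy")
    if not csp:
        findings.append(("medium", "Content Security Policy (CSP) header not set"))

    # Clickjacking protection: X-Frame-Options or a CSP frame-ancestors directive.
    has_xfo = any(v.upper() in ("DENY", "SAMEORIGIN") for v in get("x-frame-options"))
    has_frame_ancestors = any("frame-ancestors" in v.lower() for v in csp)
    if not (has_xfo or has_frame_ancestors):
        findings.append(("medium", "Missing anti-clickjacking header"))

    # Cross-domain misconfiguration: any origin may read responses with credentials-free CORS.
    if any(v.strip() == "*" for v in get("access-control-allow-origin")):
        findings.append(("medium", "Cross-domain misconfiguration: Access-Control-Allow-Origin: *"))

    # HSTS needs a max-age directive to be effective.
    if not any(re.search(r"max-age=\d+", v) for v in get("strict-transport-security")):
        findings.append(("low", "Strict-Transport-Security (HSTS) header not set"))

    if not any(v.lower() == "nosniff" for v in get("x-content-type-options")):
        findings.append(("low", "X-Content-Type-Options header missing"))

    # Each cookie is checked separately; attributes follow the first ';'.
    for cookie in get("set-cookie"):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(("low", f"Cookie without Secure flag: {cookie_name}"))
        if "samesite" not in attrs:
            findings.append(("low", f"Cookie without SameSite attribute: {cookie_name}"))

    return findings


def severity_counts(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per severity, e.g. {'medium': 3, 'low': 6}."""
    counts: dict[str, int] = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_headers(raw)
        print(f"{label}: {severity_counts(result)}")
        for severity, desc in result:
            print(f"  [{severity}] {desc}")
```

The weak response produces three medium and six low findings (two cookies, each missing both Secure and SameSite); the hardened response produces none. A real engagement should still rely on ZAP for the content-based alerts, but a check like this fits a deployment pipeline so the recommended headers cannot silently regress.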
| Publication year | 2024 |
|---|---|
| Citations | 180 |
| Country of publication | Indonesia |
| Site | IEEE |