Pengujian dan Mitigasi Kerentanan Website Sistem Informasi Akademik Universitas Ma'arif Nahdlatul Ulama Kebumen dengan OWASP ZAP
Testing and Mitigation of Website Vulnerabilities in the Academic Information System of Universitas Ma'arif Nahdlatul Ulama Kebumen using OWASP ZAP
DOI: https://doi.org/10.14421/csecurity.2025.8.1.5190

Abstract
Web-based academic information systems have become central to managing academic data in higher education, and that reliance also widens the exposure to cyberattacks. The Academic Information System website of Universitas Ma'arif Nahdlatul Ulama Kebumen previously suffered a defacement in which its pages were replaced with online gambling advertisements; the site has since been restored. Prompted by that incident, this study identifies further vulnerabilities in the system and recommends mitigations. Testing follows the OWASP Web Security Testing Guide (WSTG) and uses the OWASP Zed Attack Proxy (ZAP). The scan reported three main findings: Content Security Policy (CSP) Header Not Set, HTTP to HTTPS Insecure Transition in Form Post, and Missing Anti-clickjacking Header. No active XSS vulnerability was found and submitted data travels over HTTPS, but the HTTP-to-HTTPS transition finding means that a form was served from a plain-HTTP page, where an on-path attacker could alter the form before it is submitted, and the application has no protection against clickjacking. The recommended mitigations are a CSP header, HTTP Strict Transport Security (HSTS) so that browsers stop loading the site over plain HTTP, and an X-Frame-Options header or a CSP frame-ancestors directive to prevent framing. These measures are expected to harden the academic information system and protect user data against future attacks.
Keywords: Website Security, OWASP ZAP, Wireshark, XSS, Clickjacking, OWASP Top 10
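As an added example (not code from the paper or from the university's system), the following Python script applies the three checks behind the ZAP findings above to one fetched page: whether a CSP header is present, whether framing is blocked by X-Frame-Options or a CSP frame-ancestors directive, and whether a form on an HTTP page posts to an HTTPS URL. The sample page, its headers and the host name siakad.example are constructed for the demonstration; the hardened header set mirrors the mitigations the abstract recommends.

```python
"""Audit one HTTP response for the three ZAP findings discussed in the abstract.

Example code; the page URL, headers and HTML below are constructed, not captured
from the real system.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A form without an action posts back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def _csp_has_frame_ancestors(csp):
    """True if the CSP value carries a frame-ancestors directive."""
    return any(d.strip().lower().startswith("frame-ancestors")
               for d in csp.split(";"))


def audit_response(page_url, headers, body):
    """Return the ZAP finding names raised for a page fetched from page_url.

    headers: response header name -> value (matched case-insensitively).
    body: the page's HTML.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content Security Policy (CSP) Header Not Set")

    # Either header defeats clickjacking; frame-ancestors is the modern form.
    if "x-frame-options" not in h and not (csp and _csp_has_frame_ancestors(csp)):
        findings.append("Missing Anti-clickjacking Header")

    # Insecure transition: the form itself arrived over HTTP (and could have been
    # tampered with in transit) even though it posts to HTTPS.
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = _FormActionCollector()
    parser.feed(body)
    for action in parser.actions:
        target_scheme = urlsplit(urljoin(page_url, action)).scheme.lower()
        if page_scheme == "http" and target_scheme == "https":
            findings.append("HTTP to HTTPS Insecure Transition in Form Post")
            break

    return findings


# Constructed weak case: a login page served over plain HTTP, no security headers.
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
WEAK_BODY = (
    '<html><body><form method="post" action="https://siakad.example/login">'
    '<input name="nim"><input name="password" type="password"></form></body></html>'
)

# Constructed hardened case: the headers the abstract's mitigations add. HSTS is
# included because it is part of the recommended set, although the checks above
# do not evaluate it.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    print(audit_response("http://siakad.example/login", WEAK_HEADERS, WEAK_BODY))
    print(audit_response("https://siakad.example/login", HARDENED_HEADERS, WEAK_BODY))
```

Run against the weak case the script reports all three findings; against the hardened case, served over HTTPS with the added headers, it reports none. To apply it to a live site, fetch the page with any HTTP client and pass the final URL, the response headers and the body to audit_response.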
License
Copyright (c) 2025 Eko Setiawan, Fahmi Fachri

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.