Security Analysis of University Websites in West Nusa Tenggara against SQL Injection, Cross Site Scripting and Insecure Direct Object Reference Attacks through Penetration Testing
DOI: https://doi.org/10.30812/bite.v7i1.5032
Keywords: Cyber Security, Penetration Testing, SQL Injection, Web Security
Abstract
Background: In the digital era, cybersecurity is important for universities in protecting academic information and user data. The focus of this research is to identify and analyze the security vulnerabilities of higher education websites in West Nusa Tenggara against three types of attacks, namely SQL Injection, Cross Site Scripting (XSS), and Insecure Direct Object Reference (IDOR), which can compromise the integrity of higher education data and information systems.
Objective: This research aims to evaluate the level of vulnerability and severity of the risk of the three types of attacks on the websites of higher education institutions.
Methods: This research uses penetration testing methods, and assesses the severity of vulnerabilities based on the Common Vulnerability Scoring System (CVSS) version 3.1.
Result: The results show that 50% of the ten higher education websites tested are vulnerable to XSS attacks, 30% to SQL Injection, and 20% to IDOR. The highest severity was found in the SQL Injection vulnerability, with a CVSS score of 9.0 (critical category).
Conclusion: The results indicate that higher education institutions need to immediately strengthen system security with strict input validation, WAF implementation, and adequate authorization mechanisms to prevent future exploitation of similar vulnerabilities.
Copyright (c) 2025 Dhira Wahyu Febrian, Raphael Bianco Huwae, Ahmad Zafrullah Mardiansyah

This work is licensed under a Creative Commons Attribution 4.0 International License.