Web Application Penetration Testing on Udayana University's OASE E-learning Platform Using Information System Security Assessment Framework (ISSAF) and Open Source Security Testing Methodology Manual (OSSTMM)

I. Gusti, Agung Surya, Pramana Wijaya, Gusti Made, Arya Sasmita, Putu Agus, Eka Pratama
{"title":"Web Application Penetration Testing on Udayana University's OASE E-learning Platform Using Information System Security Assessment Framework (ISSAF) and Open Source Security Testing Methodology Manual (OSSTMM)","authors":"I. Gusti, Agung Surya, Pramana Wijaya, Gusti Made, Arya Sasmita, Putu Agus, Eka Pratama","doi":"10.5815/ijitcs.2024.02.04","DOIUrl":null,"url":null,"abstract":"Education is a field that utilizes information technology to support academic and operational activities. One of the technologies widely used in the education sector is web-based applications. Web-based technologies are vulnerable to exploitation by attackers, which highlights the importance of ensuring strong security measures in web-based systems. As an educational organization, Udayana University utilizes a web-based application called OASE. OASE, being a web-based system, requires thorough security verification. Penetration testing is conducted to assess the security of OASE. This testing can be performed using the ISSAF and OSSTMM frameworks. The penetration testing based on the ISSAF framework consists of 9 steps, while the OSSTMM framework consists of 7 steps for assessment. The results of the OASE penetration testing revealed several system vulnerabilities. Throughout the ISSAF phases, only 4 vulnerabilities and 3 information-level vulnerabilities were identified in the final testing results of OASE. Recommendations for addressing these vulnerabilities are provided as follows. Implement a Web Application Firewall (WAF) to reduce the risk of common web attacks in the OASE web application. input and output validation to prevent the injection of malicious scripts addressing the stored XSS vulnerability. Update the server software regularly and directory permission checks to eliminate unnecessary information files and prevent unauthorized access. Configure a content security policy on the web server to ensure mitigation and prevent potential exploitation by attackers.","PeriodicalId":130361,"journal":{"name":"International Journal of Information Technology and Computer Science","volume":"86 6","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Technology and Computer Science","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.5815/ijitcs.2024.02.04","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

Education is a field that utilizes information technology to support academic and operational activities. One of the technologies widely used in the education sector is web-based applications. Web-based technologies are vulnerable to exploitation by attackers, which highlights the importance of ensuring strong security measures in web-based systems. As an educational organization, Udayana University utilizes a web-based application called OASE. OASE, being a web-based system, requires thorough security verification. Penetration testing is conducted to assess the security of OASE. This testing can be performed using the ISSAF and OSSTMM frameworks. The penetration testing based on the ISSAF framework consists of 9 steps, while the OSSTMM framework consists of 7 steps for assessment. The results of the OASE penetration testing revealed several system vulnerabilities. Throughout the ISSAF phases, only 4 vulnerabilities and 3 information-level vulnerabilities were identified in the final testing results of OASE. Recommendations for addressing these vulnerabilities are provided as follows. Implement a Web Application Firewall (WAF) to reduce the risk of common web attacks in the OASE web application. input and output validation to prevent the injection of malicious scripts addressing the stored XSS vulnerability. Update the server software regularly and directory permission checks to eliminate unnecessary information files and prevent unauthorized access. Configure a content security policy on the web server to ensure mitigation and prevent potential exploitation by attackers.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
使用信息系统安全评估框架(ISSAF)和开源安全测试方法手册(OSSTMM)对 Udayana 大学的 OASE 电子学习平台进行网络应用程序渗透测试
教育是一个利用信息技术支持学术和业务活动的领域。教育领域广泛使用的技术之一是网络应用程序。基于网络的技术很容易被攻击者利用,这就凸显了确保基于网络系统的强大安全措施的重要性。作为一个教育机构,乌达亚纳大学使用了一个名为 OASE 的网络应用程序。OASE 作为一个基于网络的系统,需要彻底的安全验证。进行渗透测试是为了评估 OASE 的安全性。该测试可使用 ISSAF 和 OSSTMM 框架进行。基于 ISSAF 框架的渗透测试包括 9 个步骤,而 OSSTMM 框架包括 7 个评估步骤。OASE 渗透测试的结果显示了几个系统漏洞。在整个 ISSAF 阶段,OASE 的最终测试结果只发现了 4 个漏洞和 3 个信息级漏洞。解决这些漏洞的建议如下。实施网络应用程序防火墙(WAF),以降低 OASE 网络应用程序中常见网络攻击的风险。定期更新服务器软件和目录权限检查,消除不必要的信息文件,防止未经授权的访问。在网络服务器上配置内容安全策略,以确保缓解和防止攻击者的潜在利用。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Enhancing Healthcare Provision in Conflict Zones: Queuing System Models for Mobile and Flexible Medical Care Units with a Limited Number of Treatment Stations A Machine Learning Based Intelligent Diabetic and Hypertensive Patient Prediction Scheme and A Mobile Application for Patients Assistance Mimicking Nature: Analysis of Dragonfly Pursuit Strategies Using LSTM and Kalman Filter Securing the Internet of Things: Evaluating Machine Learning Algorithms for Detecting IoT Cyberattacks Using CIC-IoT2023 Dataset Analyzing Test Performance of BSIT Students and Question Quality: A Study on Item Difficulty Index and Item Discrimination Index for Test Question Improvement
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1