Research Article

Analysis and Enhancement of Website Security using Anti-CSRF Token, CSP, and Anti-Clickjacking Approaches

by  Muhammad Arif Putra Wibowo, Imam Riadi
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 187 - Issue 22
Published: July 2025
DOI: 10.5120/ijca2025925362

Muhammad Arif Putra Wibowo, Imam Riadi. Analysis and Enhancement of Website Security using Anti-CSRF Token, CSP, and Anti-Clickjacking Approaches. International Journal of Computer Applications. 187, 22 (July 2025), 31-38. DOI=10.5120/ijca2025925362

@article{10.5120/ijca2025925362,
  author    = {Muhammad Arif Putra Wibowo and Imam Riadi},
  title     = {Analysis and Enhancement of Website Security using Anti-CSRF Token, CSP, and Anti-Clickjacking Approaches},
  journal   = {International Journal of Computer Applications},
  year      = {2025},
  volume    = {187},
  number    = {22},
  pages     = {31-38},
  doi       = {10.5120/ijca2025925362},
  publisher = {Foundation of Computer Science (FCS), NY, USA}
}
Abstract

Information security is a critical concern for any organization, private or governmental, that exposes sensitive data through a web application. PT Leka Mandiri, a private company, manages its financial data through the website lekamandiri.web.id, which handles sensitive client information. This research was conducted to identify and remediate weaknesses on lekamandiri.web.id with respect to Cross-Site Request Forgery (CSRF), Clickjacking, and missing or misconfigured Content Security Policy (CSP) headers, so that proper mitigation and improvements could be applied to the site. The study used a Penetration Testing method to find and exploit the security gaps on the PT Leka Mandiri Cikarang website, proceeding through the phases of Information Gathering, Planning Analysis, Vulnerability Detection, Penetration Testing, Maintenance (Patching), and Reporting. Tools used during testing included OWASP ZAP for vulnerability scanning, Nmap and Whois for information gathering, Burp Suite for exploitation testing, and Visual Studio Code for maintenance (patching). The results showed that the website had several vulnerabilities of varying risk levels; the initial testing indicated potential exposure to CSRF attacks, Clickjacking, and CSP weaknesses. After remediation, all three were mitigated by implementing Anti-CSRF tokens, configuring CSP headers, and adding anti-clickjacking headers. The retest produced an improved security score, indicating that the implemented measures were effective in raising the website's security level.
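The abstract names three fixes (an Anti-CSRF token, a CSP header, and an anti-clickjacking header) and a retest that confirmed them, but does not show what the patched code or the check looks like. The block below is an added example, not code from the paper or from lekamandiri.web.id: it implements the three mitigations as framework-independent Python and adds a small header audit of the kind a scanner's passive rules perform, so a before/after comparison can be run offline. The site's real stack, session handling and secret management are not described in the paper; the session-id and handler shapes, the `SECRET_KEY`, and the sample header sets are assumptions constructed for the example.

```python
"""Added example, not code from the paper or from lekamandiri.web.id.

Three mitigations from the abstract (Anti-CSRF token, CSP header,
anti-clickjacking header) plus a passive header audit to verify them.
Session ids, handler shapes, SECRET_KEY and sample headers are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment secret loaded from configuration at start-up.
SECRET_KEY = secrets.token_bytes(32)
CSRF_MAX_AGE = 3600  # seconds a token stays valid


# ---- 1. Anti-CSRF token (HMAC-bound synchronizer token) -------------------
# token = nonce.timestamp.HMAC(SECRET_KEY, "session_id:nonce:timestamp")
# Binding the MAC to the session id means a token lifted from one session
# cannot be replayed in another; the timestamp bounds the replay window.
def _csrf_mac(session_id: str, nonce: str, ts: str) -> str:
    msg = f"{session_id}:{nonce}:{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now=None) -> str:
    """Token to embed as a hidden form field (or header) for this session."""
    nonce = secrets.token_hex(16)
    ts = str(int(time.time() if now is None else now))
    return f"{nonce}.{ts}.{_csrf_mac(session_id, nonce, ts)}"


def verify_csrf_token(session_id: str, token, now=None) -> bool:
    """Reject missing, malformed, expired, cross-session or tampered tokens."""
    if not isinstance(token, str):
        return False
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, ts, mac = parts
    if not ts.isdigit():
        return False
    current = time.time() if now is None else now
    # Expired, or issued too far in the future (60 s clock-skew allowance).
    if current - int(ts) > CSRF_MAX_AGE or int(ts) > current + 60:
        return False
    expected = _csrf_mac(session_id, nonce, ts)
    # Constant-time compare on bytes: a non-ASCII mac simply fails
    # instead of raising TypeError from compare_digest on str.
    return hmac.compare_digest(mac.encode(), expected.encode())


# ---- 2 & 3. CSP and anti-clickjacking response headers -------------------
def hardened_headers(script_nonce: str) -> dict:
    """Response headers after remediation.

    frame-ancestors 'none' is the CSP-level clickjacking control;
    X-Frame-Options is sent as well for browsers that predate it.
    Inline <script> tags must carry nonce="<script_nonce>" to run.
    """
    csp = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{script_nonce}'; "
        "object-src 'none'; base-uri 'self'; form-action 'self'; "
        "frame-ancestors 'none'"
    )
    return {
        "Content-Security-Policy": csp,
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    }


def new_script_nonce() -> str:
    """Per-response nonce; base64 so it matches the CSP nonce grammar."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


# Constructed sample: header set of a response before the fix (assumption).
VULNERABLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "sessionid=abc123; Path=/",
}


def audit_headers(headers: dict) -> list:
    """Passive check in the spirit of a scanner's header rules.

    Returns finding names; an empty list means the three weaknesses
    from the abstract are no longer present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP header not set")
    elif "frame-ancestors" not in csp:
        findings.append("CSP missing frame-ancestors directive")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("Missing anti-clickjacking header")
    for directive in csp.split(";"):
        d = directive.strip()
        if d.startswith("script-src") and ("'unsafe-inline'" in d or "*" in d.split()):
            findings.append("CSP script-src allows inline or wildcard scripts")
    return findings


def handle_transfer_post(session_id: str, form: dict, now=None):
    """Assumed shape of a state-changing handler after the fix.

    Returns (status, headers). The token check runs before any business
    logic, so a forged cross-site POST never reaches the financial data.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token"), now=now):
        return 403, hardened_headers(new_script_nonce())
    # ... business logic would go here ...
    return 200, hardened_headers(new_script_nonce())
```

The token check must also apply to every other state-changing route, and the handler must read the token from the form body or a custom header rather than from a cookie, since a cookie is exactly what a CSRF attacker's cross-site request carries automatically.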

Index Terms
Computer Science, Information Sciences

Keywords
Information Security, Anti-CSRF Token, Content Security Policy (CSP), Anti-Clickjacking
