CFP last date
20 December 2024
Call for Paper
January Edition
IJCA solicits high quality original research papers for the upcoming January edition of the journal. The last date of research paper submission is 20 December 2024

Submit your paper
Know more
The week's pick
Responsive image
Improved Shuffled Frog Leaping Algorithm with Self-Adaptive Shuffling for Fuzzy Logic PD+G Controller Optimization in Robotic Manipulators

Duc Hoang Nguyen
Random Articles
Reseach Article

Web Server Security Analysis Against Cross Site Scripting (XSS) Attacks using Penetration Testing

by Rohmatul Mungfaridah, Imam Riadi
journal cover thumbnail

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 184 - Number 30
Year of Publication: 2022
Authors: Rohmatul Mungfaridah, Imam Riadi
10.5120/ijca2022922370

Rohmatul Mungfaridah, Imam Riadi . Web Server Security Analysis Against Cross Site Scripting (XSS) Attacks using Penetration Testing. International Journal of Computer Applications. 184, 30 ( Oct 2022), 45-52. DOI=10.5120/ijca2022922370

@article{ 10.5120/ijca2022922370,
author = { Rohmatul Mungfaridah, Imam Riadi },
title = { Web Server Security Analysis Against Cross Site Scripting (XSS) Attacks using Penetration Testing },
journal = { International Journal of Computer Applications },
issue_date = { Oct 2022 },
volume = { 184 },
number = { 30 },
month = { Oct },
year = { 2022 },
issn = { 0975-8887 },
pages = { 45-52 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume184/number30/32508-2022922370/ },
doi = { 10.5120/ijca2022922370 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-07T01:22:50.561890+05:30
%A Rohmatul Mungfaridah
%A Imam Riadi
%T Web Server Security Analysis Against Cross Site Scripting (XSS) Attacks using Penetration Testing
%J International Journal of Computer Applications
%@ 0975-8887
%V 184
%N 30
%P 45-52
%D 2022
%I Foundation of Computer Science (FCS), NY, USA
Abstract

A web application is a program that can be accessed online via an intranet or the internet. This web app is a digital donation service available on mobile and on the website. Web apps that have not undergone security testing are vulnerable to hacker attacks. Web application performance will decrease due to vulnerabilities caused by hackers. The problem with implementing web apps security is that they have never tested the security of web apps, have not implemented a good standard of security analysis, especially in terms of dealing with Cross Site Scripting (XSS) attacks, and indeed needs to be tested because to avoid the risks that will occur. Penetration testing is carried out to secure web apps which are used as recommendations for follow-up repair solutions in securing web apps. Penetration testing is a popular technique, by actively evaluating defenses and web servers through the preparation and execution of all feasible attacks to find and exploit existing vulnerabilities. In this study, security testing was carried out using penetration testing with the zap and acunetix tools . This penetration testing consists of seven stages, namely: pre-engagement, information gathering, threat modeling, vulnerability analysis, exploitation, post exploitation, and reporting . The test results with Acunetix found a medium level Cross site Scripting (XSS) vulnerability, while the ZAP tool testing that has been carried out has identified 11 vulnerabilities, 2 medium level vulnerabilities, 7 low level vulnerabilities, and 2 informational vulnerabilities. The results of the recommendations are in accordance with the results of the analysis, so web apps need to use input validation for acceptable input that is truly in accordance with the specifications.

References
  1. S. Utoro, BA Nugroho, M. Meinawati, and SR Widianto, “Analysis of E-Learning Website Security at SMKN 1 Cibatu Using the Penetration Testing Execution Standard Method,” Multinetics , vol. 6, no. 2, pp. 169–178, 2020, doi:10.32722/multinetics.v6i2.3432.
  2. I. Riadi, A. Yudhana, and Y. W, “Security Analysis of Open Journal System Website Using Vulnerability Assessment Method,” J. Teknol. inf. and Computer Science. , vol. 7, no. 4, p. 853, 2020, doi:10.25126/jtiik.2020701928.
  3. F. Fachri, A. Fadlil, and I. Riadi, "Analysis of Webserver Security using Penetration Test," J. Inform. , vol. 8, no. 2, pp. 183–190, 2021, doi: 10.31294/ji.v8i2.10854.
  4. Y. W, I. Riadi, and A. Yudhana, "Analysis of Vulnerability Detection in Web Server Open Journal System Using OWASP Scanner," Journal of Information Technology Engineering (JURTI) , vol. 2, no. 1. p. 1, 2018, doi:10.30872/jurti.v2i1.1319.
  5. B. Darmajaya, “Method for Detection and Mitigation Cross Site Scripting Attack on Multi-Websites,” pp. 26–32, 2021, [Online]. Available: http://www.victim.site/search.php?keyword=.
  6. R. Umar, I. Riadi, and GM Zamroni, “Mobile forensic tools evaluation for digital crime investigation,” Int. J. Adv. science. eng. inf. Technol. , vol. 8, no. 3, pp. 949–955, 2018, doi:10.18517/ijaseit.8.3.3591.
  7. SRM Zeebaree, K. Jacksi, and RR Zebari, “Impact analysis of SYN flood DDoS attack on HAProxy and NLB cluster-based web servers,” Indonesia. J. Electr. eng. Comput. science. , vol. 19, no. 1, pp. 505–512, 2020, doi:10.11591/ijeecs.v19.i1.pp505-512.
  8. AR Kelrey and A. Muzaki, “The Effect of Ethical Hacking on Corporate Data Security,” Cyber Secur. and Digit Forensics. , vol. 2, no. 2, pp. 77–81, 2019, doi:10.14421/csecurity.2019.2.2.1625.
  9. RR Prayogo, "Security analysis using bwapp web application against XSS (Cross Site Scripting) and SQL Injection attacks," Dr. Diss. Univ. muhammdiyahjember,2016, doi: 10.20710/dojo.11.4_383.
  10. AP Dewanto, "Penetration Testing on the uii.ac.id Domain Using OWASP 10," Https://Dspace.Uii.Ac.Id/ , 2018, [Online]. Available: https://dspace.uii.ac.id/bitstream/handle/123456789/11281/13523025-Adetya Putra D-laporan thesis.pdf?sequence=1&isAllowed=y.
  11. I. Syarifudin, Pentesting and Analysis of Early Childhood Education Web Security . 2018.
  12. I. Riadi, R. Umar, and T. Lestari, "Cross Site Scripting (XSS) Attack Vulnerability Analysis on Smart Payment Applications Using the OWASP Framework," JISKA (Jurnal Inform. Sunan Kalijaga) , vol. 5, no. 3, pp. 146–152, 2020, doi:10.14421/jiska.2020.53-02.
  13. A. Zirwan, “Website Security Testing and Analysis Using Acunetix Vulnerability Scanner,” J. Inf. and Technol. , vol. 4, no. 1, pp. 70–75, 2022, doi:10.37034/jidt.v4i1.190.
  14. Sunardi, I. Riadi, and PA Raharja, “Vulnerability analysis of E-voting application using open web application security project (OWASP) framework,” Int. J. Adv. Comput. science. app. vol. 10, no. 11, pp. 135–143,2019, doi:10.14569/IJACSA.2019.0101118.
  15. B. Ghozali, K. Kusrini, and S. Sudarmawan, “Detecting Website Application Security Vulnerabilities Using Owasp (Open Web Application Security Project) Method for Risk Rating Assessment,” Creat. inf. Technol. J. , vol. 4, no. 4, p. 264, 2019, doi:10.24076/citec.2017v4i4.119.
  16. M. Yunus, “Web-Based Application Vulnerability Analysis Using a Combination of Security Tools Project Based on Owasp Framework Version 4,” J. Ilm. information. computer. , vol. 24, no. 1, pp. 37–48, 2019, doi:10.35760/ik.2019.v24i1.1988.
  17. NF Ningsih and I. Riadi, “Risk Assessment Analysis on Library Information System using OCTAVE Allegro Framework,” Int. J. Comput. app. , vol. 183, no. 28, pp. 6–13, 2021, doi:10.5120/ijca2021921620.
  18. E. Saad and R. Mitchell, “web security testing guide version 4.2,” vol. 4.2, 2020, pp. 1–465.
  19. HRS Nadenggan and I. Riadi, “Analysis of Local Area Network Performance using Quality of Service,” Int. J. Comput. app. , vol. 183, no. 46, pp. 43–51, 2022, doi:10.5120/ijca2022921866.
  20. DA Mu'minin and I. Riadi, “Cybercrime Data Search Fraud Case on Mobile based MiChat Service,” Int. J. Comput. app. , vol. 183, no. 47, pp. 43–49, 2022, doi:10.5120/ijca2022921880.
  21. E. Council, Computer Forensics: Investigating Network Intrusions and Cyber Crime . 2009.
  22. BB Gupta and P. Chaudhary, Cross-Site Scripting Attacks: Classification, Attack, and Countermeasures (Security, Privacy, and Trust in Mobile Communications) . 2020.
  23. MC Ghanem and TM Chen, “Reinforcement learning for efficient network penetration testing,” Inf. , vol. 11, no. 1, pp. 1–23, 2020, doi:10.3390/info11010006.
  24. D. Kennedy, “The Basics of Hacking and Penetration Testing,” Netw. Secur. , vol. 2011, no. 12, p. 4, 2011, doi:10.1016/s1353-4858(11)70127-1.
  25. A. Hoffman, Web Application Security Exploitation and Cointerm Measures for Modern Web Application . 2020.
  26. A. Aliefyan, “Penetration Testing To Find Out Web Application Security Vulnerabilities Using OWASP 10 Standard on Enterprise Web Domains” ResearchGate , no. July, 2020.
  27. G. Nájera-Gutiérrez, Kali Linux Web Penetratino Testing Cookbook . 2016.
  28. J. Curiel, “Creating OWASP ZAP Extensions and Add-ons,” 2013.
  29. Acunetix, “v12 Product Manual,” 2017, [Online]. Available: https://www.acunetix.com/resources/wvsmanual.pdf.
Index Terms

Computer Science
Information Sciences

Keywords

Web Apps Security OWASP-ZAP Acunetix Penetration Testing Cross-Site Scripting (XSS)

Powered by PhDFocusTM