SECURITY TESTING OF AN ERP WEBSITE WITH THE PENETRATION TESTING TECHNIQUE USING THE PTES METHOD BASED ON THE OWASP TOP 10 (CASE STUDY: PT. XYZ)

Firnanda, Mochammad Yoga (2025) SECURITY TESTING OF AN ERP WEBSITE WITH THE PENETRATION TESTING TECHNIQUE USING THE PTES METHOD BASED ON THE OWASP TOP 10 (CASE STUDY: PT. XYZ). Undergraduate thesis, UPN Veteran Jawa Timur.

Cover: 21081010152-cover.pdf (1MB)
Chapter 1: 21081010152-bab1.pdf (143kB)
Chapter 2: 21081010152-bab2.pdf (811kB), restricted to repository staff only until 16 June 2027
Chapter 3: 21081010152-bab3.pdf (581kB), restricted to repository staff only until 16 June 2027
Chapter 4: 21081010152-bab4.pdf (3MB), restricted to repository staff only until 16 June 2027
Chapter 5: 21081010152-bab5.pdf (120kB)
Bibliography: 21081010152-daftarpustaka.pdf (141kB)
Appendices: 21081010152-lampiran.pdf (2MB), restricted to repository staff only

Abstract

Rapid technological advancement has brought many benefits to the industrial sector, and many companies now rely on technology to support their operations. That dependency, however, also gives attackers the opportunity to exploit system vulnerabilities and steal sensitive information. This research aims to identify, evaluate, and exploit vulnerabilities in the ERP website of PT. XYZ, in particular on the pages accessible to users with the SPV Marketing role, using penetration testing techniques with the PTES method and referring to the 2021 OWASP Top 10. The PTES method as applied consists of seven stages: pre-engagement interaction, intelligence gathering, threat modeling, vulnerability analysis using ZAP, exploitation, post-exploitation, and reporting. The ZAP scan found 23 security vulnerabilities, 18 of which fall into OWASP Top 10 categories such as Broken Access Control, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, and Software and Data Integrity Failures. Attack simulations that succeeded include Cross-Site Scripting (XSS), Session Hijacking, and Cross-Site Request Forgery (CSRF). Testing focused on the high-risk findings, Cloud Metadata Potentially Exposed and Vulnerable JS Library, and on the medium-risk findings Absence of Anti-CSRF Tokens, Application Error Disclosure, CSP Header Not Set, and Missing Anti-clickjacking Header. Low-risk findings were also recorded: Big Redirect Detected, Cookie No HttpOnly Flag, Cookie Without Secure Flag, Cookie without SameSite Attribute, Cross-Domain JavaScript Source File Inclusion, Server Leaks Version Information via 'Server' HTTP Response, Strict-Transport-Security Header Not Set, Timestamp Disclosure - Unix, and X-Content-Type-Options Header Missing. The remediation recommendations are tailored to the ERP technology in use so that the development team can readily apply them and improve the system's security in line with the OWASP Top 10 guidelines.
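Most of the medium- and low-risk findings listed above are response-header and cookie-attribute misconfigurations that can be checked without a scanner. The following Python is an added example, not code from the thesis or from PT. XYZ: it audits a list of captured response headers for those exact ZAP alert names, on a constructed before/after pair; the header values and cookie name are assumptions.

```python
import re

# Response headers the abstract reports as missing, keyed to the ZAP alert name it uses.
REQUIRED_HEADERS = {
    "content-security-policy": "CSP Header Not Set",
    "x-frame-options": "Missing Anti-clickjacking Header",
    "strict-transport-security": "Strict-Transport-Security Header Not Set",
    "x-content-type-options": "X-Content-Type-Options Header Missing",
}
# Cookie attributes whose absence produces the three cookie findings in the abstract.
COOKIE_FLAGS = [("httponly", "Cookie No HttpOnly Flag"), ("secure", "Cookie Without Secure Flag"),
                ("samesite", "Cookie without SameSite Attribute")]

def cookie_findings(set_cookie: str) -> list[str]:
    """Parse one Set-Cookie value and report each missing attribute as 'alert (cookie name)'."""
    name = set_cookie.split(";", 1)[0].split("=", 1)[0].strip()
    attrs = {k.strip().lower(): v.strip() for k, _, v in
             (part.partition("=") for part in set_cookie.split(";")[1:])}
    return [f"{alert} ({name})" for flag, alert in COOKIE_FLAGS if flag not in attrs]

def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return ZAP-style finding names for a list of (name, value) response headers."""
    present = {n.lower(): v for n, v in headers}
    findings = [alert for h, alert in REQUIRED_HEADERS.items() if h not in present]
    if re.search(r"\d", present.get("server", "")):  # a version number in the Server banner
        findings.append("Server Leaks Version Information via 'Server' HTTP Response")
    for n, v in headers:  # every Set-Cookie is checked, not just the last one
        if n.lower() == "set-cookie":
            findings.extend(cookie_findings(v))
    return findings

# Constructed sample, not a capture from PT. XYZ: a session-setting response before hardening ...
BEFORE = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
    ("X-Content-Type-Options", "nosniff"),
]
# ... and the same response after the recommended headers and cookie attributes are added.
AFTER = [
    ("Server", "Apache"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    print("before:", audit_headers(BEFORE))  # 7 findings
    print("after:", audit_headers(AFTER))    # []
```

Point the same function at the headers of a real response (for example from a proxy capture) to confirm a fix closed each finding rather than relying on a re-scan alone.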

Item Type: Thesis (Undergraduate)
Contributors:
  Contribution     Contributor             NIDN/NIDK         Email
  Thesis advisor   Wahanani, Henni Endah   NIDN 0022097811   henniendah@upnjatim.ac.id
  Thesis advisor   Junaidi, Achmad         NIDN 0710117803   achmadjunaidi.if@upnjatim.ac.id
Subjects: T Technology > T Technology (General)
Divisions: Faculty of Computer Science > Department of Informatics
Depositing User: Mochammad Yoga Firnanda
Date Deposited: 17 Jun 2025 04:29
Last Modified: 17 Jun 2025 04:29
URI: https://repository.upnjatim.ac.id/id/eprint/37912
