Security evaluation of a web-based e-journal system using the NIST SP 800-115 framework and analysis based on the OWASP Top 10

Authors

Ibnu Ajis, Tri Rochmadi, Yanuar Wicaksono, Dadang Heksaputra

DOI:

https://doi.org/10.35760/tr.2026.v31i1.158

Keywords:

Cybersecurity, NIST SP 800-115, OWASP TOP 10, Penetration Testing, Proceeding

Abstract

The use of web-based information systems in higher education institutions, particularly e-journal platforms, continues to rise, but it is often not accompanied by adequate security measures, which threatens Confidentiality, Integrity, and Availability (CIA). This study evaluates the security of a proceedings system based on Open Journal Systems (OJS) at the Adisutjipto Institute of Aeronautical Technology (ITDA) in Yogyakarta. The method was penetration testing following the NIST SP 800-115 standard with a black-box approach, covering the planning, discovery, attack, and reporting phases. An initial scan with the OWASP ZAP automated scanner flagged 11 vulnerability indicators with estimated severity levels ranging from low to medium. However, after the exploitation validation (proof-of-concept) phase and assessment with the OWASP Risk Rating method, some vulnerabilities were found to carry a higher risk impact than the initial scan results indicated. The final results confirmed 3 high-risk findings and 1 medium-risk finding. The high-risk vulnerabilities are a Host Header Injection that enables Reflected XSS; a Security Misconfiguration exposing the /server-status endpoint; and the absence of a rate-limiting mechanism on the authentication feature. The study concludes that the system has significant security vulnerabilities requiring immediate mitigation. Key recommendations are updating the OJS platform version, hardening the server configuration, and strengthening the login security mechanism so that the Integrity and Confidentiality of the institution's academic data remain protected.
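As an added illustration of how a defender can check server logs for two of the high-risk findings named above (example code written for this page, not code from the paper or from OJS): it scans Apache combined-format access log lines, assumed here to be the OJS host's log format, for bursts of login POSTs that a missing rate limiter would let through and for non-local clients that were served /server-status. The OJS login path pattern, the client addresses and the log lines are constructed assumptions.

```python
# Detection over Apache access-log lines for two of the findings above: bursts of
# login POSTs from one client (no rate limiting) and external hits on /server-status.
# Added example, not the paper's code. Assumes the Apache "combined" log format.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) ')
# OJS 3 login submission path (assumption; adjust to the journal's URL layout).
LOGIN_RE = re.compile(r'^/index\.php/[^/]+/login/signIn')

def parse(line):
    """Return (ip, timestamp, method, path, status), or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])

def find_login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each client IP to its peak count of login POSTs inside any `window`, for
    clients exceeding `threshold`: traffic a rate limiter should have throttled."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec[2] == 'POST' and LOGIN_RE.match(rec[3]):
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def find_external_status_hits(lines):
    """Return non-loopback IPs that were actually served /server-status (not 403/404)."""
    return {r[0] for r in filter(None, map(parse, lines))
            if r[3].startswith('/server-status') and r[4] not in (403, 404)
            and not ip_address(r[0]).is_loopback}

def _line(ip, sec, method, path, status):  # builds one constructed sample log line
    return (f'{ip} - - [21/Jun/2026:10:00:{sec:02d} +0700] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')
LOGIN = '/index.php/proceeding/login/signIn'  # constructed journal path
SAMPLE_LOG = ([_line('203.0.113.7', s, 'POST', LOGIN, 200) for s in range(0, 35, 5)]
              + [_line('198.51.100.2', s, 'POST', LOGIN, 200) for s in (3, 40)]
              + [_line('203.0.113.7', 50, 'GET', '/server-status', 200),
                 _line('127.0.0.1', 51, 'GET', '/server-status', 200),
                 _line('198.51.100.2', 52, 'GET', '/server-status', 403)])
```

On the constructed sample, 203.0.113.7 is reported both for seven login POSTs inside one minute and for reaching /server-status from outside loopback, while the 403 and the loopback hit are ignored.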

Published

2026-06-21

Issue

Vol. 31, No. 1 (2026)

Section

Articles

How to Cite

Ibnu Ajis, Tri Rochmadi, Yanuar Wicaksono, & Dadang Heksaputra. (2026). Evaluasi keamanan sistem e-journal berbasis web menggunakan framework NIST SP 800-115 dan analisis berdasarkan OWASP top 10. Jurnal Ilmiah Teknologi Dan Rekayasa, 31(1), 78-94. https://doi.org/10.35760/tr.2026.v31i1.158
