Vulnerability Assessment and Penetration Testing (VAPT) Framework: Case Study of Government’s Website

Ahmad Almaarif; Muharman Lubis

doi:10.18517/ijaseit.10.5.8862

DOI : https://doi.org/10.18517/ijaseit.10.5.8862

Vulnerability Assessment and Penetration Testing (VAPT) Framework: Case Study of Government’s Website

Ahmad Almaarif ⁽¹⁾, Muharman Lubis ⁽²⁾

(1) School of Industrial Engineering, Telkom University, Jalan Telekomunikasi No. 1, Bandung, 40257, Indonesia

(2) School of Industrial Engineering, Telkom University, Jalan Telekomunikasi No. 1, Bandung, 40257, Indonesia

Fulltext View | Download

How to cite (IJASEIT) :

Almaarif, Ahmad, and Muharman Lubis. “Vulnerability Assessment and Penetration Testing (VAPT) Framework: Case Study of Government’s Website”. International Journal on Advanced Science, Engineering and Information Technology, vol. 10, no. 5, Oct. 2020, pp. 1874-80, doi:10.18517/ijaseit.10.5.8862.

Citation Format :

Information security often neglected by individual or employee or even by the enterprise, with there is no proper strategy to raise awareness, promote consistency and maintain performance regarding protect sensitive, confidential, and critical data. One of the common techniques used is a vulnerability assessment and penetration testing (VAPT) to assure the security strategy has been implemented into the computer system by analyzing both its strength and weakness. SQL plays an essential role in the Relation Database Management System (RDBMS) and its relationship to the existence of a website and its flexible operation because of its simplicity and integrity. To anticipate these types of threats or other Internet attacks, a goal-oriented penetration test that has a framework is recommended to identify specific types of vulnerabilities that lead to business concessions and to avoid the risks that adversely affect the enterprise Thus. This study conducts VAPT to uncover the possibility of threats and evaluate the potential impact to be reported to the system owner through a proper engagement framework that allows systematic measurement. Government websites have been identified for this purpose of the research to show the current trend that occurred in cyber communities, especially in Indonesia. This study has found various vulnerabilities lies in the directory listing, full path disclosure, PHP info disclosure, folder webserver disclosure, and other potential threats, which present 2 (two) critical, 6 (six) medium, and 2 (two) low level of risk.

Symantec Corporation. 2017 Norton Cyber Security Insight Report Global Results. Retrieved at January 2019 from: https://www.symantec.com/content/dam/symantec/docs/about/2017-ncsir-global-results-en.pdf

ITU-D. Global Cybersecurity Index (GCI) 2017. Retrieved at January 2019 from: https://www.itu.int/dms_pub/itu-d/opb/str/d-str-gci.01-2017-pdf-e.pdf

Statista. Consumer Loss Through Cyber Crime Worldwide in 2017, by Victim Country (in billion US dollars). Retrieved January 2019 from: https://www.statista.com/statistics/799875/countries-with-the-largest-losses-through-cybercrime/

R. Kuncoro. Current State of Cybersecurity Readiness and Cybercrime Enforcement Capability in Indonesia. Cybercrime Capacity Building Conference, 27-28 April 2010. Indonesiaan National Police.

A.G. Bacudio, X. Yuan, B.T.B.Chu and M. Jones. An Overview of Penetration Testing. Int. Journal of Network Security & Its Applications 3(6), pp. 19-38, 2011.

K. Palanisamy. Network Penetration Testing. White Paper: Happiest People Happiest Customer, 2014.

T.S. Gunawan, M.K. Lim, M. Kartiwi, N.A. Malik and N. Ismail. Penetration Testing using Kali Linux: SQL Injection, XSS, Wordpress and WPA2 Attacks. Indonesian J. of Electrical Engineering and Com. Science, vol. 12(2), Nov., pp. 729-737, 2018.

PTES Team. The Penetration Testing Execution Standard Documentation: Release 1.1 (February 8th, 2017). Retrieved at January 2019 from: https://media.readthedocs.org/pdf/pentest-standard/latest/pentest-standard.pdf

KSM Consulting. Cybersecurity Guide: Vulnerability Assessments and Penetration Testing. Retrieved at January 2019 from: https://www.ksmconsulting.com/wp-content/uploads/2017/10/CS-Guide_Vulnerability-Assessment-and-Penetration-Testing.pdf

S. Marsiske, A. Mishra, M. Saptarshi and P. Piolon. Penetration Test Report v.1.0. Open Tech Fund, 2018.

Cisco. Cisco Network Penetration Testing. Retrieved at January 2019 from:https://www.cisco.com/c/dam/en/us/services/collateral/se/NetPenTest-AAG.pdf

R. Ackroyd, A. Mason and G. Watson. Social Engineering Penetration Testing. Syngress, April 2014.

F. Abu-Dabaseh and E. Alshammari. Automated Penetration Testing: An Overview. 4th Inter. Conference on Natural Languange Computing (NATL) 2018.

C. Weissman. Handbook for the Computer Security Certification of Trusted Systems. IATAC (Inf. Assurance Tech. Analysis Center), DTIC (Defense Technical Inf. Center), 1996.

S. Shah and B.M. Mehtre. An Overview of Vulnerability Assessment and Penetration Testing Techniques. Journal of Computer Virology and Hacking Techniques, vol. 11(1), pp. 27-49, 2015.

R. Baloch. Ethical Hacking and Penetration Testing Guide. CRC Press: Taylor & Francis Group, 2015.

M. Lubis, N.I. Yaacob, H. Reh and M. Ambag. Study on Implementation and Impact of Google Hacking in Internet Security. Proc. of Regional Con. on Knowledge Integration in ICT, 2010.

M. Lubis, M. Kartiwi and S. Zulhuda. Election Fraud and Privacy Related Issues: Addressing Electoral Integrity. Int. Con. on Informatics and Computing (ICIC), 2016.

AR Ahlan and M. Lubis. Information Security Awareness in University: Maintaining Learnability, Performance and Adapability through Roles of Responsibility. Information Assurance and Security (IAS), 2011.

AR Ahlan, M. Lubis and A.R. Lubis. Information Security Awareness at Knowledge-Based Institution: Its Antecedents and Measures. Procedia Computer Science 72, 361-373, 2015.

A.R. Lubis, F. Fachrizal, M. Lubis and H.M. Tahir. Wireless Service at Public University: A Survey of Users Perception on Security Aspects. Proc. of Int. Conf. on Inf. and Communications Technology (ICOIACT) 2018.

S.K. Lamichhane. Penetration Testing in Wireless Networks. Bachelor Thesis, Helsinki Metropolia University of Applied Sciences, 2016.

C.T. Phong. A Study of Penetration Testing Tools and Approaches. Master Thesis, Auckland University of Technology, 2014.

K. Leiviska. Introduction to Experiment Design. University of Oulu, Control Engineering Laboratory, 2013.

W.J. Diamond. Practical Experiment Design for Engineers and Scientiests. Lifetime Learning Publications, 1981.

M. Lubis, M. Kartiwi and S. Zulhuda. Current State of Personal Data Protection in Electronic Voting: Criteria and Indicator for Effective Implementation. Telkomnika, vol. 16(1), pp. 290-301, 2018.

This work is licensed under a Creative Commons Attribution 4.0 International License.

Authors who publish with this journal agree to the following terms:

Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution LicenseÂ that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (SeeÂ The Effect of Open Access).