APPLICATION OF OWASP ZAP FRAMEWORK FOR SECURITY ANALYSIS OF LMS USING PENTEST METHOD
Abstract
A Learning Management System (LMS) is an application that is currently popular for online learning. An LMS offers better prospects for education: used efficiently, it allows learning anywhere and at any time over the internet or other computer media. This study analyses the security of the LMS on the domain e-learning.ibm.ac.id using the penetration testing (pentest) method with the OWASP ZAP framework. Security is a crucial concern for IBM Bekasi in protecting its data and information from threats by attackers. A pentest is a series of methods for testing the security of a system; in this study it consisted of a literature study, collection of data and domain information, and testing with OWASP ZAP to find security-related vulnerabilities. The testing proceeded in several stages of reconnaissance and scanning. The first stage checked domain information with a Whois lookup tool, followed by a port scan of e-learning.ibm.ac.id with Zenmap; the domain information search showed the domain statuses serverTransferProhibited and clientTransferProhibited. The next stage, vulnerability analysis, scanned the domain e-learning.ibm.ac.id with OWASP ZAP. The ZAP scan found 16 vulnerabilities: 2 high risk, 3 medium risk, 6 low risk, and 5 informational. In the exploitation stage, SQLMap reported errors for the tested parameters, so no SQL injection could be performed.
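The two tool-driven stages in the abstract, the Whois domain-status check and the triage of the OWASP ZAP scan output into the per-risk breakdown, can be automated once the tools have run. The script below is an added example and is not code from the paper; the Whois excerpt and the ZAP JSON report it parses are constructed samples (hostname lms.example.invalid, four alerts) in the shape the real tools emit: "Domain Status:" lines from a WHOIS lookup, and the JSON report ZAP writes (Report > Generate Report, or zap-baseline.py -J). The riskcode-to-name mapping is ZAP's own (0 informational to 3 high); the pluginid values follow ZAP's scan-rule numbering.

```python
"""Post-processing for two pentest stages: Whois domain status and ZAP report triage.

Added example, not the paper's code. Inputs are constructed samples, not
measurements from e-learning.ibm.ac.id.
"""
import json
import re
from collections import Counter

# riskcode values as written in ZAP's JSON/XML reports.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# --- Stage 1: domain information -------------------------------------------

# Constructed WHOIS excerpt; real output carries many more fields.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.ID
Registrar: Example Registrar
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Name Server: NS1.EXAMPLE.ID
"""


def whois_statuses(text: str) -> list[str]:
    """Return the EPP status codes from 'Domain Status:' lines, in order."""
    return re.findall(r"^Domain Status:\s*(\S+)", text, flags=re.MULTILINE)


def transfer_locked(statuses: list[str]) -> bool:
    """True if either the registrar (client) or registry (server) transfer
    lock is set, i.e. the domain cannot be moved to another registrar."""
    return bool({"clientTransferProhibited", "serverTransferProhibited"} & set(statuses))


# --- Stage 2: vulnerability analysis (ZAP report triage) --------------------

# Constructed ZAP JSON report: one site, four alerts of different risk levels.
SAMPLE_ZAP_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "https://lms.example.invalid",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://lms.example.invalid/search?q=x", "param": "q"}]},
            {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens",
             "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "https://lms.example.invalid/login", "param": ""}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://lms.example.invalid/", "param": ""},
                           {"uri": "https://lms.example.invalid/login", "param": ""}]},
            {"pluginid": "10015", "alert": "Re-examine Cache-control Directives",
             "riskcode": "0", "confidence": "1",
             "instances": [{"uri": "https://lms.example.invalid/", "param": ""}]},
        ],
    }],
})


def summarize_alerts(report_json: str) -> Counter:
    """Count alerts by risk level. ZAP lists one entry per alert type per
    site (instances are nested), so this matches the paper's style of
    breakdown (N high, N medium, ...) rather than counting every URL."""
    report = json.loads(report_json)
    counts: Counter = Counter()
    for site in report["site"]:
        for alert in site["alerts"]:
            counts[RISK_NAMES[alert["riskcode"]]] += 1
    return counts


def alerts_at_or_above(report_json: str, min_risk: int = 2) -> list[dict]:
    """Flatten alerts with riskcode >= min_risk into (alert, risk, uri, param)
    rows: the worklist handed to the manual exploitation stage (e.g. the
    parameters to try with SQLMap)."""
    report = json.loads(report_json)
    rows = []
    for site in report["site"]:
        for alert in site["alerts"]:
            if int(alert["riskcode"]) >= min_risk:
                for inst in alert["instances"]:
                    rows.append({"alert": alert["alert"],
                                 "risk": RISK_NAMES[alert["riskcode"]],
                                 "uri": inst["uri"],
                                 "param": inst.get("param", "")})
    return rows


if __name__ == "__main__":
    statuses = whois_statuses(SAMPLE_WHOIS)
    print("Domain status:", statuses, "| transfer locked:", transfer_locked(statuses))
    print("Alerts by risk:", dict(summarize_alerts(SAMPLE_ZAP_REPORT)))
    for row in alerts_at_or_above(SAMPLE_ZAP_REPORT):
        print(f"{row['risk']:<7} {row['alert']}: {row['uri']} param={row['param']!r}")
```

Run it against a real report by replacing SAMPLE_ZAP_REPORT with the file ZAP wrote; the medium-and-above worklist is the natural input for the exploitation stage, and the per-risk counter is what an abstract like this one reports.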
Copyright (c) 2024 Rusydi Umar, Imam Riadi, Sonny Abriantoro Wicaksono
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.