Analysis of Website Vulnerability to Cross-Site Scripting (XSS) Attacks Using the Penetration Testing Method
DOI: https://doi.org/10.14421/csecurity.2024.7.1.4432

Abstract
Cross-site scripting (XSS) is one of the more dangerous classes of web attack: it can be used to steal user data, conduct phishing, or run attacker-controlled scripts in the victim's browser. This study aims to analyse and identify XSS vulnerabilities on a website using the penetration testing method and to provide recommendations to PT. Tricon Metalindo Perkasa based on the results of the pentest. The method used is penetration testing with the tools OWASP ZAP and Hackbar. The scan produced the following alerts: Vulnerable JS Library, X-Frame-Options Header Not Set, Absence of Anti-CSRF Tokens, Cross-Domain JavaScript Source File Inclusion, Incomplete or No Cache-Control and Pragma HTTP Header Set, and X-Content-Type-Options Header Missing; two of these were rated medium risk and four low risk, and all six were reported with medium confidence. In addition, the assessment identified a reflected XSS vulnerability on the PT. Tricon Metalindo Perkasa website, located in the search input field and rated medium risk. An attacker can exploit it to display pop-ups, conduct phishing, or steal user data.
Keywords: cross-site scripting (XSS), reflected XSS, OWASP Zap, Penetration
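The abstract names two classes of finding: a reflected XSS in the search input field, and a set of missing response headers reported by OWASP ZAP. The following is an added example, not code from the paper or from the assessed site, showing the pattern behind a reflected XSS in a search echo next to its hardened form, and a response whose headers address the ZAP alerts listed above (X-Frame-Options, X-Content-Type-Options, Cache-Control/Pragma). The route name, the `q` parameter and the page markup are assumptions; the paper only states that the flaw was in the search input.

```javascript
// Added example (not from the paper or the assessed website).
// Route, parameter name and markup are assumed for illustration.

// Vulnerable: the raw query string is concatenated into the HTML body, so a
// request such as ?q=<script>alert(1)</script> is reflected as live markup.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Search results for: ${query}</h1></body></html>`;
}

// Output encoding for the HTML text / attribute contexts used in the page.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened: identical page, but the untrusted value is encoded at the point of
// insertion, so the browser renders it as text rather than markup.
function renderSearchHardened(query) {
  return `<html><body><h1>Search results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Response headers corresponding to the ZAP alerts named in the abstract.
// Anti-CSRF tokens are omitted here because a search GET changes no state.
function securityHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",             // "X-Frame-Options Header Not Set"
    "X-Content-Type-Options": "nosniff",   // "X-Content-Type-Options Header Missing"
    "Cache-Control": "no-store",           // "Incomplete or No Cache-Control and Pragma ..."
    "Pragma": "no-cache",
    // Defence in depth: a CSP that only allows same-origin scripts also
    // constrains "Cross-Domain JavaScript Source File Inclusion". Any
    // legitimate third-party script host must be allow-listed explicitly.
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  };
}

// Minimal request handler: takes the request path (with query string) and
// returns the response as a plain object so it can be wired to any server.
function handleSearch(requestUrl) {
  const url = new URL(requestUrl, "http://localhost"); // base is a placeholder
  const q = url.searchParams.get("q") ?? "";
  return { status: 200, headers: securityHeaders(), body: renderSearchHardened(q) };
}

// Constructed probe: the same payload a tester would type into the search box.
const PROBE = "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
```

Encoding at output is the fix for the reflected XSS; the headers are separate controls that ZAP reports independently and do not themselves prevent script injection, which is why the two should be remediated and re-tested separately.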
License
Copyright (c) 2024 Ade Gustiyonoo
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
You are free to:
- Share — copy and redistribute the material in any medium or format
- Adapt — remix, transform, and build upon the material for any purpose, even commercially.
Under the following terms:
- Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
- No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.