Security Assessment of E-Commerce Website Using NIST SP 800-115 Based on OWASP Top 10
DOI:
https://doi.org/10.47065/bulletincsr.v6i4.1186Keywords:
OWASP TOP 10 2021; E-Commerce; Penetration Testing; NIST SP 800-115; Security TestingAbstract
The rapid growth of e-commerce platforms in Indonesia has increased the risk of cyber threats targeting sensitive user data, including personal information and payment details. PT. XYZ, a mattress company that recently launched its first e-commerce website, has attracted 42,222 visitors and generated revenue of Rp994,878,300 within its first six months, yet has never undergone any form of security testing. This raises serious concerns, as undetected vulnerabilities may expose the platform to identity theft, data breaches, and unauthorized access. This study aims to identify existing security vulnerabilities, determine the severity level of each finding, and provide concrete remediation recommendations before those vulnerabilities are exploited. The assessment was conducted using the NIST SP 800-115 framework across four phases: Planning, Discovery, Attack, and Reporting, with vulnerability classification based on OWASP Top 10 (2021). The Discovery phase utilized Google Dorking, WHOIS, wfuzz, Wappalyzer, Nmap, Burp Suite, and OWASP ZAP to gather intelligence and identify weaknesses. The Attack phase successfully exploited six confirmed vulnerabilities: Clickjacking, CSP Header Not Set, Vulnerable JS Library, Cross-Domain Misconfiguration, Source Code Disclosure, and Username Enumeration and Brute Force, mapped to OWASP categories A05, A06, and A07, with risk levels ranging from Medium to High. This research contributes by demonstrating that newly deployed platforms are not inherently secure and that integrating NIST SP 800-115 with OWASP Top 10 provides a structured approach to identifying real security vulnerabilities in e-commerce systems.
Downloads
References
Munir Azhari and Breda Kustanto, “Penerapan E-Commerce Dalam Meningkatkan Daya Saing Ekonomi Di Era Teknologi Informasi,” Aliansi?: Jurnal Manajemen dan Bisnis, vol. 19, no. 2, pp. 193–210, Dec. 2024, doi: https://doi.org/10.46975/ka212950.
D. I. Maharani, “Pages 201-210 Perekonomian di Era Transformasi Digital,” Jurnal Simki Economic, vol. 7, no. 1, pp. 201–210, Jan. 2024, doi: https://doi.org/10.29407/jse.v7i1.493.
Nouvan, “Jumlah Serangan Siber di Indonesia Naik, Tembus 610 Juta pada 2024,” Dataloka. Accessed: Jun. 29, 2026. [Online]. Available: https://dataloka.id/politik/4259/jumlah-serangan-siber-di-indonesia-naik-tembus-610-juta-pada-2024/
Nia Ramadhani and Muhammad Irwan Padli Nasution, “Tantangan Dan Solusi Keamanan Siber Dalam Transaksi E-Commerce,” JURNAL PENELITIAN SISTEM INFORMASI (JPSI), vol. 2, no. 2, pp. 134–144, May 2024, doi: https://doi.org/10.54066/jpsi.v2i2.1930.
OWASP (Open Worldwide Application Security Project), “A01 Broken Access Control - OWASP Top 10:2021,” OWASP.
R. Ernitasari, S. Ramdhani, and M. Gowon, “Keamanan E-Commerce: Cara Menjaga Data Pribadi Tetap Aman,” JURNAL SIBER MULTI DISIPLIN, no. 3, pp. 213–223, Dec. 2025, doi: https://doi.org/10.38035/jsmd.v3i3.
K. Scarfone, M. Souppaya, A. Cody, and A. Orebaugh, “Technical Guide to Information Security Testing and Assessment ,” NIST Special Publication (SP) 800-115, Sep. 2008, doi: https://doi.org/10.6028/NIST.SP.800-115.
H. Jati Setyadi and M. Rivani Ibrahim, “Penetration Testing Website E-Journals Metode NIST SP 800-115 dan OWASP,” METIK JURNAL, vol. 9, no. 1, pp. 72–81, Jun. 2025, doi: https://doi.org/10.47002/metik.v9i1.1030.
R. Al Ridwan Bintang Firdaus and T. Ismardiko Widyawan, “Pengujian Kerentanan Website Menggunakan Metode Penetration Testing Dengan OWASP (Studi Kasus?: Pemerintah Kabupaten Semarang),” CyberSecurity dan Forensik Digital, vol. 8, no. 2, pp. 106–115, Dec. 2025, doi: https://doi.org/10.14421/csecurity.2025.8.2.5372.
M. Yuwan, S. Nacikit, M. Rahman, and A. E. Wardoyo, “Analisis Keamanan Aplikasi Berbasis Web Menggunakan Metode Penetration Testing (Studi kasus: E-Commerce As-Sakinah Mart),” Informatics for Educators And Professionals?: Journal of Informatics, vol. 10, no. 1, pp. 25–33, Apr. 2025, doi: https://doi.org/10.51211/itbi.v10i1.3324.
M. Fierza and E. Erlangga, “Analisa Celah Keamanan Dalam Pengembangan Website E-Commerce (Studi Kasus: Mataharimu.Com),” Jurnal Ilmiah Computing Insight, vol. 3, no. 2, p. 20, Aug. 2022, doi: https://doi.org/10.30651/comp_insight.v3i2.14535.
A. R. Supriyatna, I. Asrowardi, S. D. Putra, and E. Subyantoro, “Analisis Kerentanan Aplikasi Web E-commerce Berdasarkan Standar OWASP Top 10: Studi Kasus pada Situs Kopi Lampung Nusantara,” EXPERT: Jurnal Manajemen Sistem Informasi dan Teknologi, vol. 14, no. 2, p. 95, Dec. 2024, doi: https://doi.org/10.36448/expert.v14i2.4034.
M. Fahrul Reza and I. Sutanto, “Penerapan Pentesting pada EasyCart untuk Menghadapi Ancaman Keamanan Siber,” IKRAITH-INFORMATIKA, vol. 10, no. 1, pp. 96–105, Nov. 2025, doi: https://doi.org/10.37817/ikraith-informatika.v9i3.
H. Herman, I. Riadi, Y. Kurniawan, and I. A. Rafiq, “Analisis Keamanan Website Menggunakan Information System Security Asessment Framework(ISSAF),” Jurnal Teknologi Informatika dan Komputer, vol. 9, no. 1, pp. 126–136, Mar. 2023, doi: https://doi.org/10.37012/jtik.v9i1.1439.
F. T. Vierino, H. E. Wahanani, and A. Junaidi, “Evaluating Web Application Security Using OWASP Top 10 and NIST SP 800-115,” bit-Tech, vol. 8, no. 3, pp. 3754–3764, Apr. 2026, doi: https://doi.org/10.32877/bt.v8i3.3702.
Ilham Akbar, Khairunnisak Nur Isnaini, and Banu Dwi Putranto, “Penetration Testing Through NIST SP 800-115 and OWASP TOP 10 With Risk Analysis Using CVSS on the XY Diskominfo Website,” Journal of Innovation Information Technology and Application (JINITA), vol. 7, no. 2, pp. 314–326, Dec. 2025, doi: https://doi.org/10.35970/jinita.v7i2.2907.
E. Z. Darojat, E. Sediyono, and I. Sembiring, “Vulnerability Assessment Website E-Government dengan NIST SP 800-115 dan OWASP Menggunakan Web Vulnerability Scanner,” JURNAL SISTEM INFORMASI BISNIS, vol. 12, no. 1, pp. 36–44, Sep. 2022, doi: https://doi.org/10.21456/vol12iss1pp36-44.
D. Rohmaniah, W. Miftahul Ashari, and A. Dwi Putra, “Enhancing Website Security Using Vulnerability Assessment and Penetration Testing (VAPT) Based on OWASP Top Ten,” Journal of Applied Informatics and Computing (JAIC), vol. 9, no. 2, pp. 404–411, Mar. 2025, doi: https://doi.org/10.30871/jaic.v9i2.9069.
A. Agustinus and I. Sembiring, “Website Vulnerability Testing Using The Penetration Testing Method Referring To Nist Sp 800 – 155 (Case Study (Astonprinter.com Domain)),” Jurnal Teknik Informatika (Jutif), vol. 5, no. 6, pp. 1651–1662, Dec. 2024, doi: https://doi.org/10.52436/1.jutif.2024.5.6.3859.
M. Bunan Imtias, K. Umam, H. Mustofa, and M. Hadi Subowo, “Comparative Analysis of Penetration Testing Frameworks: OWASP, PTES, and NIST SP 800-115 for Detecting Web Application Vulnerabilities,” Journal of Applied Informatics and Computing (JAIC), vol. 9, no. 6, p. 3689, Dec. 2025, doi: https://doi.org/10.30871/jaic.v9i6.9846.
Bila bermanfaat silahkan share artikel ini
Berikan Komentar Anda terhadap artikel Security Assessment of E-Commerce Website Using NIST SP 800-115 Based on OWASP Top 10
ARTICLE HISTORY
How to Cite
Issue
Section
Copyright (c) 2026 Arif Setyo Wibowo, Henni Endah Wahanani, Andreas Nugroho Sihananto

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under Creative Commons Attribution 4.0 International License that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgment of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (Refer to The Effect of Open Access).













