Security Evaluation of an Academic Directory Website Using NIST SP 800-115
DOI: https://doi.org/10.47065/bulletincsr.v6i3.1044
Keywords: Information System Security; Web Security Testing; NIST SP 800-115; Black Box; SQL Injection
Abstract
Evaluating the security of web-based academic information systems has become crucial as cyber threats in higher education environments increase. The track record of security incidents in information systems at UIN Sultan Syarif Kasim Riau has prompted an urgent need for preventative action; therefore, the website https://seminar-fst.uin-suska.ac.id, an active academic service that stores sensitive data, requires a proactive evaluation. Testing used a black-box approach through four phases: planning, discovery, attack, and reporting. The results revealed a critical vulnerability in the form of SQL injection in URL parameters, which allows unauthorized database enumeration (MariaDB) and thus threatens data confidentiality and integrity. Additionally, medium-level vulnerabilities were discovered, such as the use of an outdated JavaScript library (Moment.js 2.8.1) and misconfiguration of HTTP security headers, including the absence of a Content Security Policy (CSP) and of an anti-CSRF mechanism. Recommendations include prepared statements, strict input validation, updating dependencies, and strengthening security configurations.
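The abstract's recommendations (prepared statements, strict input validation, security headers such as CSP, and an anti-CSRF mechanism) shown side by side with the defect class it reports, as an added Python example; this is not code from the paper or from the seminar-fst site. The table, rows, header sets and parameter values are constructed, and an in-memory SQLite database stands in for the MariaDB back end the paper found, since the parameter-binding pattern is the same.

```python
import hmac
import secrets
import sqlite3

# Constructed in-memory stand-in for the site's MariaDB database (SQLite so it runs offline).
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE seminar (id INTEGER PRIMARY KEY, title TEXT, internal_note TEXT)"
    )
    conn.executemany(
        "INSERT INTO seminar VALUES (?, ?, ?)",
        [
            (1, "Seminar Proposal A", "constructed-internal-note-1"),
            (2, "Seminar Hasil B", "constructed-internal-note-2"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """'Before' form: the URL parameter is spliced into the SQL text.

    This is the defect class the abstract reports: any value that is not a bare
    integer changes the query's logic instead of being treated as data."""
    sql = f"SELECT id, title FROM seminar WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """'After' form: allow-list validation, then a prepared (parameterised) statement.

    The driver sends the value separately from the SQL text, so it is never parsed
    as SQL; the isdigit() check additionally rejects malformed ids up front."""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, title FROM seminar WHERE id = ?", (int(raw_id),)
    ).fetchall()


# Response headers a hardened configuration should send (the abstract names CSP explicitly;
# the other three are a common baseline and are an assumption of this example).
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Strict-Transport-Security",
)


def missing_security_headers(headers: dict) -> list:
    """Return the required headers absent from a response (names compared case-insensitively)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


# Anti-CSRF: a per-session random token that every state-changing form must echo back.
def new_csrf_token() -> str:
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: str, submitted_token: str) -> bool:
    """Constant-time comparison; an empty or missing token never validates."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    db = build_demo_db()
    tampered = "1 OR 1=1"  # constructed tampered parameter value
    print("vulnerable:", lookup_vulnerable(db, tampered))  # both rows come back
    try:
        lookup_hardened(db, tampered)
    except ValueError as err:
        print("hardened rejected input:", err)
    print("hardened:", lookup_hardened(db, "1"))
    sample_headers = {"Server": "nginx", "X-Frame-Options": "DENY"}  # constructed response
    print("missing headers:", missing_security_headers(sample_headers))
    tok = new_csrf_token()
    print("csrf ok:", csrf_token_valid(tok, tok), "csrf bad:", csrf_token_valid(tok, tok[:-1]))
```

The validation step is deliberately an allow-list on the expected type rather than a deny-list of SQL keywords; the prepared statement alone closes the injection, and the type check turns malformed input into a clean 4xx instead of a database error that could leak schema details.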
Copyright (c) 2026 Fito Nardian, Rahmad Abdillah, Benny Sukma Negara, Reski Mai Candra

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under Creative Commons Attribution 4.0 International License that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgment of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (Refer to The Effect of Open Access).