Analisis Keamanan Website Perguruan Tinggi di Nusa Tenggara Barat
Security Analysis of University Websites in West Nusa Tenggara Against SQL Injection, XSS, and IDOR Attacks Through Penetration Testing
Abstract
This research analyzes the security posture of university websites in West Nusa Tenggara against SQL Injection (SQLi), Cross Site Scripting (XSS), and Insecure Direct Object Reference (IDOR) attacks through penetration testing methodologies. The study combines automated scanning using Xray and SQLMap with manual validation using Burp Suite to provide comprehensive vulnerability assessment. Each finding is evaluated using CVSS v3.1 scoring methodology to quantify severity and prioritize remediation. The research identifies that 50% of tested university websites are vulnerable to XSS, 30% to SQL Injection, and 20% to IDOR, with the highest observed CVSS score reaching 9.0 (Critical).
Research Background
Higher education institutions in Indonesia increasingly rely on web-based systems for academic operations, student management, and public information dissemination. However, the security posture of these web applications often receives insufficient attention, creating potential attack surfaces for malicious actors. This research addresses this gap by conducting systematic penetration testing against university websites in the West Nusa Tenggara region.
The study focuses on three prevalent web application vulnerability classes — SQL Injection, Cross Site Scripting, and Insecure Direct Object Reference — which consistently rank among the OWASP Top 10 and represent significant risks to data confidentiality, integrity, and availability in educational environments.
Penetration Testing Methodology
The research employs a structured penetration testing methodology combining automated and manual approaches across multiple phases:
SQL Injection Analysis
SQL Injection testing was conducted using a combination of Xray automated scanning and SQLMap manual exploitation. Initial automated scans identified potential injection points, which were then validated through targeted SQLMap testing with appropriate tamper scripts. The research distinguished between true positives and false positives through manual verification, ensuring accuracy in the final vulnerability assessment.
30% of tested university websites contained exploitable SQL Injection vulnerabilities, with the highest severity reaching CVSS 9.0 (Critical). Successful exploitation demonstrated potential for unauthorized database access, data exfiltration, and in some cases, operating system command execution.
Cross Site Scripting Analysis
XSS testing focused on identifying reflected Cross Site Scripting vulnerabilities through Burp Suite payload injection. Multiple input vectors were tested including search fields, form parameters, and URL query strings. Payloads were crafted to bypass common client-side filters and validate browser execution in the context of the target application origin.
50% of tested university websites were vulnerable to Cross Site Scripting attacks. The predominant vulnerability type was Reflected XSS, which enables session hijacking, credential theft, and phishing attacks within the trusted application context.
IDOR Analysis
Insecure Direct Object Reference testing involved systematic manipulation of object identifiers (user IDs, document IDs, and resource parameters) to assess authorization enforcement. The research evaluated whether the applications properly validated user permissions before granting access to requested resources.
20% of tested websites contained IDOR vulnerabilities enabling unauthorized access to other users' data through parameter manipulation. The findings highlight insufficient server-side authorization validation in academic web applications.
Research Findings
| Vulnerability | Affected | Max CVSS | Severity |
|---|---|---|---|
| Cross Site Scripting (XSS) | 50% | 7.1 | HIGH |
| SQL Injection (SQLi) | 30% | 9.0 | CRITICAL |
| Insecure Direct Object Reference | 20% | 6.5 | MEDIUM |
Academic Contribution
This research contributes to the body of knowledge in cybersecurity for Indonesian higher education by providing empirical penetration testing data and actionable security recommendations. The study establishes a replicable methodology for assessing web application security in academic environments and highlights the critical need for security awareness and investment in the education sector.
This research was conducted under authorized penetration testing agreements with the target institutions. All findings were reported through responsible disclosure processes. Specific target identifiers and exploitation details have been anonymized in accordance with ethical research practices.