Evaluation of the Insecure Direct Object Reference Vulnerability in the Thesis Defense Registration Application of XYZ University

  • Stefanus Eko Prasetyo, Universitas Internasional Batam
  • Haeruddin, Universitas Internasional Batam
  • Tiara, Universitas Internasional Batam
DOI: https://doi.org/10.52158/jacost.v5i2.873
Keywords: Higher Education Application Security; Personal Data Protection; Security Vulnerability; Action Research Methodology.

Abstract

This study analyzes and evaluates an Insecure Direct Object Reference (IDOR) vulnerability in the thesis defense registration web application at XYZ University and gives recommendations for protecting students' personal data. The IDOR vulnerability allows unauthorized access to students' personal documents, which jeopardizes their privacy and the confidentiality of the information the application holds. Using an action research methodology with four stages (diagnosis, action taking, evaluation, and learning), the research first identifies the URL patterns generated when students upload documents such as ID cards, family cards, birth certificates, diplomas, and photos. In the action-taking phase, the researchers use Burp Suite to test the vulnerability by modifying the URL parameters according to the identified patterns. The results show that every document can be retrieved without proper authorization: each modified request returns HTTP status code 200, meaning the server delivers the file to a user who does not own it. These findings show that the thesis defense registration application needs stricter security measures to protect students' personal data. The broader implication is that higher education applications must enforce object-level access control and validate user-supplied input to prevent similar data leaks. The study thereby contributes to improving information security in educational environments.
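The abstract describes the vulnerability in terms of request behaviour (a document URL whose parameter can be changed and still returns 200) and the remedy in terms of access control and input validation. The following is an added example written for this page, not code from the paper or from the XYZ University application, whose source and real URL pattern are not published. It assumes a document endpoint that takes a numeric id in a query parameter, two constructed student accounts (student_a, student_b), constructed document ids 101 to 110, and an in-memory ownership table; all of these are assumptions. It shows the handler shape that produces the IDOR, the corrected handler that checks ownership against the authenticated session, and a small probe that reproduces the Burp-style parameter sweep against both.

```python
"""Added illustration of the IDOR pattern described in the abstract.

Nothing here is taken from the XYZ University application: the endpoint
shape (a numeric document id in a query parameter), the account names,
the document ids and the ownership table are all constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # account of the student who uploaded the file
    kind: str       # document type (ID card, family card, diploma, ...)
    content: bytes


# Constructed sample store: two students, each with the five document kinds
# the abstract lists (ids 101-105 belong to student_a, 106-110 to student_b).
KINDS = ("id_card", "family_card", "birth_certificate", "diploma", "photo")
DOCS: Dict[int, Document] = {}
_next_id = 101
for _owner in ("student_a", "student_b"):
    for _kind in KINDS:
        DOCS[_next_id] = Document(_next_id, _owner, _kind,
                                  f"{_kind} of {_owner}".encode())
        _next_id += 1

Response = Tuple[int, bytes]   # (HTTP status code, response body)


def parse_doc_id(raw: str) -> Optional[int]:
    """Input validation: the id parameter must be a plain unsigned integer."""
    return int(raw) if raw.isdigit() else None


def serve_document_vulnerable(session_user: str, raw_id: str) -> Response:
    """Resolves the file from the client-supplied id alone. The session user
    is never consulted, so any authenticated student can fetch any id."""
    doc_id = parse_doc_id(raw_id)
    if doc_id is None:
        return 400, b""
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, b""
    return 200, doc.content


def serve_document_fixed(session_user: str, raw_id: str) -> Response:
    """Object-level authorization: the id is resolved, then the record's
    owner is compared with the authenticated session before anything is
    returned. Missing and foreign documents get the same 404 so the
    response does not reveal which ids exist."""
    doc_id = parse_doc_id(raw_id)
    if doc_id is None:
        return 400, b""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != session_user:
        return 404, b""
    return 200, doc.content


Handler = Callable[[str, str], Response]


def idor_probe(handler: Handler, session_user: str, own_ids: Set[int],
               id_range: Iterable[int]) -> List[int]:
    """Replays the test from the paper: logged in as one student, sweep the
    id parameter and report every id outside our own uploads that still
    comes back with status 200."""
    return [doc_id for doc_id in id_range
            if doc_id not in own_ids
            and handler(session_user, str(doc_id))[0] == 200]


if __name__ == "__main__":
    own = {101, 102, 103, 104, 105}   # ids student_a uploaded herself
    sweep = range(100, 111)           # ids 100..110, as a tester would try
    for name, handler in (("vulnerable", serve_document_vulnerable),
                          ("fixed", serve_document_fixed)):
        leaked = idor_probe(handler, "student_a", own, sweep)
        print(f"{name}: {len(leaked)} foreign documents readable -> {leaked}")
```

The probe deliberately knows only what a tester logged in as student_a would know: which ids she uploaded herself. Against the vulnerable handler it reports all five of student_b's documents; against the fixed handler it reports none, and a non-numeric parameter is rejected with 400 before any lookup happens. Note that replacing sequential ids with random ones would only make the sweep slower, not remove the flaw; the ownership check is what closes it.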



Published
2024-12-31
How to Cite
[1] S. E. Prasetyo, Haeruddin, and Tiara, “Evaluasi Kerentanan Insecure Direct Object Reference pada Aplikasi Pendaftaran Sidang Universitas XYZ”, J. Appl. Comput. Sci. Technol., vol. 5, no. 2, pp. 165–171, Dec. 2024.