Security Analysis of Indonesian Region Government Web Applications Based on NIST SP 800-115 and WSTG v4.2
DOI: https://doi.org/10.63158/journalisi.v8i2.1558
Keywords: Hybrid Pentesting, Penetration Testing, Vulnerability Assessment, Vulnerability Scoring, Web Application Security
Abstract
The rapid adoption of e-government systems has increased the exposure of government web applications to cybersecurity threats, while security-focused implementation has lagged behind. Previous studies on web application security assessment commonly rely on automated vulnerability scanners, or cross-validate one scanner against another, which may produce false positives and fail to provide comprehensive insights. This research addresses this limitation by conducting a structured, multi-target security assessment of regional government web applications. The assessment integrates a systematic penetration testing process (NIST SP 800-115) with comprehensive web application security testing guidelines (OWASP WSTG v4.2). Automated scanning with OWASP ZAP and Arachni was combined with manual validation to ensure the accuracy of findings. The results identified nine validated vulnerabilities in the government portal and public service applications, and ten in the legal documentation system. A significant portion of the initial findings were confirmed as false positives after manual verification, highlighting the limitations of automated tools. The most common vulnerabilities were security misconfigurations, including missing security headers, outdated JavaScript libraries, and insecure cookie settings, which point to weak configuration hygiene and dependency management in this regional government. This study also demonstrates that combining structured penetration testing with detailed validation provides a more accurate and reliable assessment of government web application security.
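The abstract names missing security headers and insecure cookie settings as the most common validated findings, and stresses that scanner output needs manual validation. The script below is an added example, not code from the paper or its authors: it runs a baseline header and cookie hygiene check over two constructed HTTP responses (one weak, one hardened). The header baseline, the finding wording and both sample responses are assumptions of this example; the paper does not list which headers were missing. It also shows one way a raw scanner hit turns out to be a false positive on review: X-Frame-Options is absent, but Content-Security-Policy carries a frame-ancestors directive that covers the same risk.

```python
"""Baseline header and cookie hygiene check for an HTTP response.

Added example (not the paper's tooling). REQUIRED_HEADERS and the sample
responses below are assumptions; adjust the baseline to your own policy.
"""
from email.parser import Parser
from typing import List

# Headers a hardened response is expected to carry, with the risk their
# absence leaves open. Assumed baseline, not taken from the paper.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "HSTS missing; HTTP downgrade not prevented",
    "Content-Security-Policy": "CSP missing; no mitigation for injected scripts",
    "X-Content-Type-Options": "MIME sniffing not disabled (expect 'nosniff')",
    "X-Frame-Options": "framing not restricted (CSP frame-ancestors also counts)",
    "Referrer-Policy": "referrer leakage not controlled",
}
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, header Message).

    email.parser keeps repeated headers such as Set-Cookie and gives
    case-insensitive lookup, which is all we need here.
    """
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body
    status, _, header_block = head.partition("\r\n")
    return status, Parser().parsestr(header_block, headersonly=True)


def check_headers(msg) -> List[str]:
    """Report required headers that are absent or carry a weak value."""
    findings = []
    csp = (msg.get("Content-Security-Policy") or "").lower()
    for name, why in REQUIRED_HEADERS.items():
        if msg.get(name) is not None:
            continue
        # Manual-validation rule: CSP frame-ancestors supersedes
        # X-Frame-Options, so a scanner hit on this alone is a false positive.
        if name == "X-Frame-Options" and "frame-ancestors" in csp:
            continue
        findings.append(f"missing header {name}: {why}")
    xcto = (msg.get("X-Content-Type-Options") or "").strip().lower()
    if xcto not in ("", "nosniff"):
        findings.append("X-Content-Type-Options present but not 'nosniff'")
    return findings


def check_cookies(msg) -> List[str]:
    """Report Set-Cookie headers lacking Secure, HttpOnly or SameSite."""
    findings = []
    for raw_cookie in msg.get_all("Set-Cookie", []):
        parts = [p.strip() for p in raw_cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        # attribute name (lower-cased) -> original "Name=Value" text
        attrs = {p.split("=", 1)[0].lower(): p for p in parts[1:]}
        for flag in COOKIE_FLAGS:
            if flag.lower() not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
        samesite = attrs.get("samesite", "").split("=", 1)[-1].strip().lower()
        if samesite == "none" and "secure" not in attrs:
            findings.append(f"cookie {name}: SameSite=None requires Secure")
    return findings


def assess(raw: str) -> List[str]:
    """Return every header and cookie finding for one raw response."""
    _, msg = parse_response(raw)
    return check_headers(msg) + check_cookies(msg)


# Constructed sample responses (not captured from any real system).
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: lang=id; Path=/; SameSite=None\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(assess(resp))} finding(s)")
        for f in assess(resp):
            print("  -", f)
```

Running the script lists eleven findings for the weak response and none for the hardened one; the hardened response deliberately omits X-Frame-Options so the CSP exception is exercised. To use it against your own capture, feed `assess()` the raw response text saved from a proxy such as OWASP ZAP.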
Copyright (c) 2026 Journal of Information Systems and Informatics

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors Declaration
- The Authors certify that they have read, understood, and agreed to the Journal of Information Systems and Informatics (JournalISI) submission guidelines, policies, and submission declaration. The submission has been prepared using the provided template.
- The Authors certify that all authors have approved the publication of this manuscript and that there is no conflict of interest.
- The Authors confirm that the manuscript is their original work, has not received prior publication, is not under consideration for publication elsewhere, and has not been previously published.
- The Authors confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
- The Authors confirm that the manuscript is not copied from or plagiarized from any other published work.
- The Authors declare that the manuscript will not be submitted for publication in any other journal or magazine until a decision is made by the journal editors.
- If the manuscript is finally accepted for publication, the Authors confirm that they will either proceed with publication immediately or withdraw the manuscript in accordance with the journal’s withdrawal policies.
- The Authors agree that, upon publication of the manuscript in this journal, they transfer copyright or assign exclusive rights to the publisher, including commercial rights.