Rapid technological advancements have greatly benefited the industrial sector, making technology essential for business operations. However, this reliance also introduces vulnerabilities, particularly in Enterprise Resource Planning (ERP) systems, which are critical for managing business processes and sensitive data. Because of their complexity and degree of integration, ERP systems are prime targets for cyberattacks, which underscores the need for robust security testing. This research aims to identify, evaluate, and exploit vulnerabilities in the ERP website of PT. XYZ, specifically targeting pages accessible to users with the SPV Marketing role. The Penetration Testing Execution Standard (PTES) methodology guided the process from intelligence gathering through exploitation and reporting; its pre-engagement phase also ensures that testing is conducted legally. Google Dorking, Netcraft, Wappalyzer, and Nmap were used for intelligence gathering. For threat modeling, ISO 27005 was used to identify vulnerabilities, while ISO 25010 served as the standard for security quality. A ZAP scan revealed 23 security vulnerabilities, 18 of which fall under the OWASP Top 10, in categories such as Broken Access Control and Injection. Simulated attacks successfully identified Cross-Site Scripting (XSS), Session Hijacking, and Cross-Site Request Forgery (CSRF). Based on these findings, the recommendations focus on enhancing ERP system security according to the OWASP Top 10 guidelines, written to be clear for the development team. This study highlights the need for improved ERP security and offers a structured PTES-OWASP framework applicable across sectors. Future research may integrate multiple tools to enhance vulnerability detection.