Duta Arief Christanto
Yarsi Pratama University

Vulnerability Assessment of Information Disclosure in Bimasoft CBT
Muhammad Hudzaifah Nasrullah; Tilly Raycitra Widya; Lilik Tiara Giantri; Duta Arief Christanto; Dede Cahyadi
bit-Tech Vol. 8 No. 2 (2025): bit-Tech
Publisher : Komunitas Dosen Indonesia

DOI: 10.32877/bt.v8i2.2838

Abstract

This research examines the security parameters of Bimasoft CBT, a prominent computer-based testing platform utilized extensively in Indonesia, particularly during the execution of UNBK and amid the Covid-19 pandemic. Although CBT systems present distinct advantages in terms of efficiency relative to traditional paper-based assessments, they concurrently introduce significant security concerns. This issue is particularly pertinent considering research indicating that students exhibiting high self-efficacy tend to be more inclined towards dishonest practices, potentially capitalizing on system vulnerabilities. The investigation concentrates on the “offline self-simulation” iteration of Bimasoft CBT, which permits autonomous hosting capabilities. The assessment methodology incorporated strategic planning, a technical examination of the system, identification of vulnerabilities utilizing tools such as Chrome DevTools and Burp Suite, and risk evaluation employing the CVSS 4.0 framework. The inquiry revealed two medium-risk vulnerabilities (CVSS score: 6.9) that jeopardize confidentiality, permitting students to access examination questions prior to login and to secure tokens without the oversight of a supervisor. To address these concerns, three principal solutions are recommended: implementing back-end token validation, restricting pre-login access to examination questions via the WordPress REST API, and avoiding the use of CSS to conceal critical content. These findings underscore the necessity of fortifying security within CBT systems to ensure equitable assessment, uphold academic integrity, and assist developers and policymakers in the advancement of digital examination platforms.