Author: Farrel Tiuraka Vierino
Affiliation: UPN Veteran Jawa Timur
Journal: bit-Tech

Evaluating Web Application Security Using OWASP Top 10 and NIST SP 800-115
Authors: Farrel Tiuraka Vierino; Henni Endah Wahanani; Achmad Junaidi
bit-Tech Vol. 8 No. 3 (2026): bit-Tech - IN PROGRESS
Publisher : Komunitas Dosen Indonesia

DOI: 10.32877/bt.v8i3.3702

Abstract

Cybersecurity assurance for public-facing government websites remains critical amid accelerating digital transformation. This study adopts an exploratory–evaluative research design to systematically examine and validate the security posture of the Surabaya Public Slaughterhouse (RPH Surabaya) website through an integrated application of OWASP Top 10 (2021) as a vulnerability taxonomy and NIST SP 800-115 as a procedural testing framework. The methodology follows structured planning, discovery, attack, and reporting phases. Discovery combined reconnaissance tools (Nslookup, Whois, Nmap, Dirsearch, Wappalyzer, and Google Dorking) with OWASP ZAP scanning, while attack validation employed Burp Suite, SQLMap, and browser-based developer analysis within a controlled Kali Linux environment. Thirteen potential vulnerabilities were detected, of which ten were empirically confirmed after manual verification. Confirmed weaknesses were predominantly categorized as Security Misconfiguration, including missing Anti-CSRF protections, directory browsing exposure, absent Content Security Policy and anti-clickjacking headers, outdated JavaScript libraries, insecure cookie attributes (missing HttpOnly and SameSite), lack of Strict-Transport-Security and X-Content-Type-Options headers, and user-controllable HTML attributes. The contribution lies in demonstrating a reproducible dual-framework validation pipeline that distinguishes scanner alerts from confirmed exploitability, thereby strengthening methodological rigor in public-sector web security assessment. These findings indicate systemic configuration-level risk exposure that may elevate susceptibility to XSS, CSRF, clickjacking, and injection-related threats relative to comparable public-institution websites. However, the assessment is limited to a single institutional website and an unauthenticated testing scope, constraining generalizability and deeper application-layer analysis.