Article Per Year (5 Year)
p-Index From 2021 - 2026
0.23
P-Index
This Author published in this journals
All Journal bit-Tech
Belia Putri Salsabila
Universitas Pembangunan Nasional "Veteran" Jawa Timur
Computer Science & IT

Published : 1 Documents Claim Missing Document
Claim Missing Document
Check
Articles

Found 1 Documents
Search

 1 
Uncovering Hidden Security Risks in Government Web Portals Using Penetration Testing and Attack Modeling Belia Putri Salsabila; Henni Endah Wahanani; Achmad Junaidi
bit-Tech Vol. 8 No. 3 (2026): bit-Tech - IN PROGRESS
Publisher : Komunitas Dosen Indonesia

Show Abstract | Download Original | Original Source | Check in Google Scholar | DOI: 10.32877/bt.v8i3.3776

Abstract

Government web portals that consolidate public services and process personally identifiable data are prime targets for cyber adversaries. However, many existing assessments rely on single-framework methodologies that provide limited adversarial context and insufficient prioritization guidance. This study evaluates the security posture of System X, a public-facing government portal in Indonesia, using a grey-box penetration testing approach that integrates OWASP Top 10:2021, CVSS v3.1, and MITRE ATT&CK. Automated scanning using OWASP ZAP and Nessus identified 12 potential vulnerabilities, which were subsequently validated through manual testing using Burp Suite, cURL, SQLmap, and browser developer tools. The validation process confirmed nine True Positives and three False Positives, resulting in a 25% false positive rate, consistent with prior studies on government web applications. The identified vulnerabilities fall within Broken Access Control, Security Misconfiguration, and Identification and Authentication Failures, with CVSS Base Scores ranging from 4.2 to 6.1. Unlike traditional severity-based assessments, the integration of MITRE ATT&CK enables adversarial behavior mapping and reveals dependency relationships between vulnerabilities. For example, a single Content Security Policy (CSP) misconfiguration was found to enable multiple attack techniques (T1059.007), demonstrating that addressing one root cause can mitigate several related vulnerabilities simultaneously. This integrated approach enhances vulnerability prioritization by providing both severity and attacker-context insights, offering more actionable remediation strategies compared to single-framework methods. The findings contribute to improving practical security assessment methodologies for government systems and support evidence-based cybersecurity decision-making.
Co-Authors Achmad Junaidi Henni Endah Wahanani