Government web portals that consolidate public services and process personally identifiable data are prime targets for cyber adversaries. However, many existing assessments rely on single-framework methodologies that provide limited adversarial context and insufficient prioritization guidance. This study evaluates the security posture of System X, a public-facing government portal in Indonesia, using a grey-box penetration testing approach that integrates OWASP Top 10:2021, CVSS v3.1, and MITRE ATT&CK. Automated scanning using OWASP ZAP and Nessus identified 12 potential vulnerabilities, which were subsequently validated through manual testing using Burp Suite, cURL, SQLmap, and browser developer tools. The validation process confirmed nine True Positives and three False Positives, resulting in a 25% false positive rate, consistent with prior studies on government web applications. The identified vulnerabilities fall within Broken Access Control, Security Misconfiguration, and Identification and Authentication Failures, with CVSS Base Scores ranging from 4.2 to 6.1. Unlike traditional severity-based assessments, the integration of MITRE ATT&CK enables adversarial behavior mapping and reveals dependency relationships between vulnerabilities. For example, a single Content Security Policy (CSP) misconfiguration was found to enable multiple attack techniques (T1059.007), demonstrating that addressing one root cause can mitigate several related vulnerabilities simultaneously. This integrated approach enhances vulnerability prioritization by providing both severity and attacker-context insights, offering more actionable remediation strategies compared to single-framework methods. The findings contribute to improving practical security assessment methodologies for government systems and support evidence-based cybersecurity decision-making.
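The abstract's central point is that one root cause (a permissive Content Security Policy) can underlie several findings and enable the same adversary technique (T1059.007), so prioritizing by root cause beats ranking findings one by one on CVSS alone. The following is an added example, written for this page and not code from the study or its authors: a small CSP checker that flags script sources an attacker could abuse, beside a root-cause triage that groups findings sharing a cause and ranks each cause by how many findings it closes and by the highest CVSS among them. The CSP rules follow standard CSP semantics; the finding records, CVSS values, and the mapping from findings to ATT&CK technique IDs are constructed for illustration and are not the study's data.

```python
"""CSP weakness check plus root-cause triage (added example, not from the paper)."""
from dataclasses import dataclass
from typing import Dict, List

# Script sources that leave JavaScript execution effectively unrestricted
# (ATT&CK T1059.007). This set is an assumption based on CSP semantics.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_script_weaknesses(header: str) -> List[str]:
    """Return the ways this CSP would let attacker-controlled JavaScript run.

    Falls back to default-src when script-src is absent, as browsers do, and
    ignores 'unsafe-inline' when a nonce or hash is present (CSP Level 2+).
    """
    policy = parse_csp(header)
    if not policy:
        return ["no CSP header present"]
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["neither script-src nor default-src set: script execution unrestricted"]
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    issues = []
    for s in sorted(set(sources)):
        if s not in WEAK_SCRIPT_SOURCES:
            continue
        if s == "'unsafe-inline'" and nonce_or_hash:
            continue  # browsers discard 'unsafe-inline' once a nonce/hash is used
        issues.append(f"permissive script source {s}")
    return issues


@dataclass
class Finding:
    id: str
    owasp: str              # OWASP Top 10:2021 category
    cvss: float             # CVSS v3.1 base score
    techniques: List[str]   # ATT&CK technique IDs the finding enables
    root_cause: str         # shared cause used for grouping


def rank_root_causes(findings: List[Finding]) -> List[dict]:
    """Group findings by root cause; rank by fan-out, then by highest CVSS.

    A single fix that closes several findings floats to the top even when no
    individual finding in the group has the highest base score.
    """
    groups: Dict[str, List[Finding]] = {}
    for f in findings:
        groups.setdefault(f.root_cause, []).append(f)
    ranked = []
    for cause, fs in groups.items():
        ranked.append({
            "root_cause": cause,
            "findings": sorted(f.id for f in fs),
            "max_cvss": max(f.cvss for f in fs),
            "techniques": sorted({t for f in fs for t in f.techniques}),
        })
    ranked.sort(key=lambda r: (len(r["findings"]), r["max_cvss"]), reverse=True)
    return ranked


# Constructed sample headers: a weak policy beside a hardened one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; object-src 'none'"
HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'"

# Constructed sample findings (illustrative values, not the study's results).
SAMPLE_FINDINGS = [
    Finding("F1", "A05 Security Misconfiguration", 6.1, ["T1059.007"], "permissive CSP"),
    Finding("F2", "A05 Security Misconfiguration", 5.4, ["T1059.007"], "permissive CSP"),
    Finding("F3", "A05 Security Misconfiguration", 4.3, ["T1059.007"], "permissive CSP"),
    Finding("F4", "A01 Broken Access Control", 5.3, ["T1190"], "missing server-side authorization check"),
    Finding("F5", "A07 Identification and Authentication Failures", 4.2, ["T1110"], "no login rate limiting"),
]

if __name__ == "__main__":
    print("weak:", csp_script_weaknesses(WEAK_CSP))
    print("hardened:", csp_script_weaknesses(HARDENED_CSP))
    for row in rank_root_causes(SAMPLE_FINDINGS):
        print(row)
```

Run as a script it prints the weaknesses of each sample header and the ranked root causes; in a real assessment the `Finding` records would be filled from the validated True Positives, with the root-cause label assigned during manual verification.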
Copyright © 2026