Integrating OWASP and MOORA for Comprehensive Vulnerability Assessment and Prioritization in Educational Web Applications
Abstract
Web applications in higher education institutions operating under the "ac.id" domain play a critical role in managing academic data and services but are highly susceptible to cybersecurity threats. This study assesses vulnerabilities in five selected university websites using the OWASP Top 10 framework and prioritizes them with the MOORA (Multi-Objective Optimization on the basis of Ratio Analysis) decision-support method. The research employs a systematic methodology comprising reconnaissance, active scanning with tools such as OWASP ZAP and Nessus, exploitation, and validation to identify vulnerabilities. MOORA is then applied to rank the confirmed vulnerabilities on four criteria: severity, frequency, impact on confidentiality, integrity, and availability (CIA), and ease of remediation. The findings reveal critical vulnerabilities, such as Remote Code Execution (RCE) and Sensitive Data Exposure, alongside medium risks such as missing anti-CSRF tokens and insecure configurations. Website 1 ranked highest in vulnerability severity and demands immediate remediation, while the other websites exhibited medium- to low-severity vulnerabilities that still require attention. By integrating OWASP with MOORA, the study provides an objective, data-driven approach to cybersecurity prioritization. This research emphasizes the importance of adopting structured vulnerability management practices and serves as a foundation for future studies incorporating advanced tools and predictive models to enhance web application security in educational institutions.
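The ranking step described above is the standard MOORA procedure: vector-normalize each criterion column, weight it, and score each alternative as the weighted sum of benefit criteria minus the weighted sum of cost criteria. The following is an added worked example, not code or data from the paper: the four findings, their 1-to-5 scores, the criterion weights and the treatment of every criterion (including ease of remediation) as a benefit criterion are all assumptions made here for illustration; the abstract does not state the weights or polarities the authors used.

```python
import math

# Criteria named in the abstract, in the order used for every score vector below.
CRITERIA = ["severity", "frequency", "cia_impact", "ease_of_remediation"]

# ASSUMPTION: all four are "benefit" criteria (higher value -> higher priority),
# so an easily fixed finding is pushed up the list as a quick win. Flip an entry
# to False to treat that criterion as a cost (subtracted in the MOORA score).
BENEFIT = [True, True, True, True]

# ASSUMPTION: illustrative weights summing to 1; the paper's weights are not given.
WEIGHTS = [0.4, 0.2, 0.3, 0.1]

# Constructed sample input: finding -> [severity, frequency, cia_impact, ease] on a 1-5 scale.
# These numbers are made up for the example and are not the paper's measurements.
FINDINGS = {
    "Remote Code Execution": [5, 1, 5, 2],
    "Sensitive Data Exposure": [4, 2, 4, 3],
    "Missing anti-CSRF token": [3, 4, 2, 5],
    "Insecure configuration": [2, 3, 2, 4],
}


def vector_normalize(matrix):
    """MOORA step 1: divide each column by the square root of its sum of squares,
    so every criterion lies on a comparable dimensionless scale."""
    columns = list(zip(*matrix))
    norms = [math.sqrt(sum(v * v for v in col)) for col in columns]
    return [[v / n if n else 0.0 for v, n in zip(row, norms)] for row in matrix]


def moora_scores(findings, weights=WEIGHTS, benefit=BENEFIT):
    """MOORA step 2: y_i = sum(w_j * x*_ij for benefit j) - sum(w_j * x*_ij for cost j)."""
    if not (len(weights) == len(benefit) == len(CRITERIA)):
        raise ValueError("weights and benefit flags must match the criteria list")
    names = list(findings)
    normalized = vector_normalize([findings[n] for n in names])
    scores = {}
    for name, row in zip(names, normalized):
        gain = sum(w * v for w, v, b in zip(weights, row, benefit) if b)
        cost = sum(w * v for w, v, b in zip(weights, row, benefit) if not b)
        scores[name] = gain - cost
    return scores


def moora_rank(findings, weights=WEIGHTS, benefit=BENEFIT):
    """Return findings sorted from highest to lowest MOORA score (remediation order)."""
    scores = moora_scores(findings, weights, benefit)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for rank, (name, score) in enumerate(moora_rank(FINDINGS), start=1):
        print(f"{rank}. {name:<26} y = {score:.4f}")
```

With the constructed scores the order comes out RCE, Sensitive Data Exposure, missing anti-CSRF token, insecure configuration, matching the critical-to-medium split the abstract reports; changing the weights or marking ease of remediation as a cost criterion changes the scores but, for this input, not the order. In practice the 1-to-5 scores would be derived from the validated scanner and exploitation results, and the weight vector is the one subjective input to defend when the ranking is presented to stakeholders.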