Web Vulnerability Analysis Using ZAP by Checkmarx on the Online Lecture LMS Site of Universitas Kebangsaan Republik Indonesia

Research

Authors

  • Mughni Al Muzaki Universitas Kebangsaan Republik Indonesia
  • Reksi Zender Perdian Universitas Kebangsaan Republik Indonesia
  • Rohman Fajar Universitas Kebangsaan Republik Indonesia
  • Saripah Universitas Kebangsaan Republik Indonesia
  • Syifa Khofifah Universitas Kebangsaan Republik Indonesia
  • Subhanjaya Angga Atmaja Universitas Kebangsaan Republik Indonesia

DOI:

https://doi.org/10.70292/pctif.v3i1.63

Keywords:

Web Application Security, ZAP, OWASP, System Vulnerabilities, Online Learning, Security Analysis, Checkmarx

Abstract

This study conducts a security analysis of the online lecture site using the ZAP (Zed Attack Proxy) tool version 2.16.1, developed by OWASP and distributed by Checkmarx. The method used is black-box testing with an active scanning approach to identify security vulnerabilities that may exist in the application. The scan covered all main pages and site resources, with attention to HTTP headers, session management, JavaScript library usage, and other security configurations. The scan reported 14 potential vulnerabilities classified into four risk levels: high (1 finding), medium (4 findings), low (6 findings), and informational (3 findings). The most significant findings were the use of a vulnerable (outdated) JavaScript library, the absence of a Content Security Policy (CSP), and deficiencies in the implementation of important HTTP headers such as X-Frame-Options, Strict-Transport-Security, and X-Content-Type-Options. In addition, weaknesses in cookie attributes and the use of external JavaScript files without adequate source control were also found. Based on these results, a series of recommendations was developed that adheres to OWASP standards, including updating software libraries, reconfiguring security headers, strengthening session management, and implementing more secure cache policies.
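The header and cookie findings listed in the abstract can be re-checked after remediation with a passive audit of a single response. The following is an added example, not code from the paper or from ZAP: the function name, the sample response, and the choice of cookie attributes (`Secure`, `HttpOnly`, `SameSite`) are assumptions, since the abstract does not say which attributes were weak.

```python
# Added example: passive audit of one HTTP response head (constructed input).
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "X-Frame-Options",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
)
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")  # assumed set, not from the paper

def audit_response(raw_head):
    """Return (missing_headers, weak_cookies) for a raw HTTP response head."""
    headers, cookies = {}, []
    for line in raw_head.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookies.append(value.strip())  # repeated header, keep every one
        else:
            headers[name.strip().lower()] = value.strip()

    missing = [h for h in REQUIRED_HEADERS if h.lower() not in headers]
    # A present header with a wrong value protects nothing.
    if headers.get("x-content-type-options", "nosniff").lower() != "nosniff":
        missing.append("X-Content-Type-Options")
    # CSP frame-ancestors gives the same framing protection as X-Frame-Options.
    if "frame-ancestors" in headers.get("content-security-policy", "").lower():
        missing = [h for h in missing if h != "X-Frame-Options"]

    weak = {}
    for cookie in cookies:
        pair, *attrs = [part.strip() for part in cookie.split(";")]
        present = {a.partition("=")[0].lower() for a in attrs}
        absent = [f for f in COOKIE_FLAGS if f.lower() not in present]
        if absent:
            weak[pair.partition("=")[0]] = absent
    return missing, weak

# Constructed sample response, not captured from the site in the study.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly
Set-Cookie: lang=id; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    print(audit_response(SAMPLE))
```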

Published

09-07-2025

How to Cite

Mughni Al Muzaki, Reksi Zender Perdian, Rohman Fajar, Saripah, Syifa Khofifah, & Subhanjaya Angga Atmaja. (2025). Analisis Kerentanan Web Menggunakan ZAP oleh Checkmarx pada Situs Kuliah Daring LMS Universitas Kebangsaan Republik Indonesia: Penelitian. Journal on Pustaka Cendekia Informatika, 3(1), 125–132. https://doi.org/10.70292/pctif.v3i1.63
