ABSTRACT:
This research analyzes the vulnerabilities of, and designs mitigation strategies for, the Open Journal Systems (OJS) platform used by the ITDA Journal (ejournals.itda.ac.id), based on the OWASP Application Security Verification Standard (ASVS). The methodology consists of four stages: information gathering to identify application components, configuration and entry points; reconnaissance to map the attack surface (endpoints, parameters, forms and upload features); vulnerability detection through automated scanning combined with manual verification against the OWASP ASVS checklist; and targeted penetration testing to confirm whether each identified vulnerability is real and exploitable. The results reveal several potential security risks: outdated OJS versions and dependencies, weak input validation and sanitization that may permit injection attacks (XSS and SQL injection), flaws in authentication and session management, and misconfigured server security and permission settings. Each finding is rated by severity and mapped to the OWASP Top 10 risk categories. The proposed mitigations are upgrading OJS and its dependencies to current secure versions, enforcing strict server-side input validation, requiring multi-factor authentication for administrative accounts, reconfiguring access rights and hardening the server, encrypting sensitive data in transit and at rest, and adopting a Secure Software Development Lifecycle (SSDLC) that integrates OWASP ASVS verification at every development stage. Continuous security testing is also recommended so that newly emerging vulnerabilities are detected and addressed on an ongoing basis. Together, these measures are expected to raise the security level of the OJS deployment and reduce the risk of data breaches, defacement and misuse of editorial functions in journal management.
Keywords: Open Journal Systems, OWASP ASVS, web application security, vulnerability assessment, penetration testing.
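As an added illustration of the reconnaissance stage described in the abstract (example code written for this page, not the study's own tooling), the following Python script maps the attack surface of a fetched HTML page by enumerating its forms, request parameters and file-upload fields, then triages the entry points that merit manual verification against the ASVS checklist. The HTML sample is constructed to resemble typical OJS login, search and submission forms; its paths, field names and the base URL are illustrative assumptions, not captured from ejournals.itda.ac.id. Treating any hidden field whose name contains "csrf" as an anti-CSRF token is likewise an assumption, not a statement about how OJS names that field.

```python
"""Attack-surface mapper for the reconnaissance stage of a web assessment.

Added example, not part of the original paper. It parses HTML offline with the
standard library and reports, per form: target URL, method, encoding type,
named parameters, file-upload fields and whether an anti-CSRF token is present.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample resembling OJS-style login, search and upload forms.
# Paths and field names are illustrative; they were not captured from any site.
SAMPLE_HTML = """
<html><body>
<form action="/index.php/demo/login/signIn" method="post">
  <input type="hidden" name="csrfToken" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="checkbox" name="remember" value="1">
  <button type="submit">Login</button>
</form>
<form action="/index.php/demo/search/search" method="get">
  <input type="text" name="query">
  <select name="dateFromYear"><option>2024</option></select>
</form>
<form action="/index.php/demo/submission/wizard" method="post"
      enctype="multipart/form-data">
  <input type="file" name="uploadedFile">
  <textarea name="comment"></textarea>
  <input type="submit" value="Upload">
</form>
</body></html>
"""


class FormMapper(HTMLParser):
    """Collects every <form> and the named inputs it submits."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.base_url, a.get("action", "")),
                "method": a.get("method", "get").upper(),
                "enctype": a.get("enctype", "application/x-www-form-urlencoded"),
                "params": [],      # named fields other than uploads/CSRF tokens
                "uploads": [],     # <input type="file"> names
                "has_csrf_token": False,
            }
            self.forms.append(self._current)
            return
        if self._current is None or tag not in ("input", "textarea", "select"):
            return
        name = a.get("name")
        if not name:
            return  # unnamed controls (e.g. submit buttons) send nothing
        itype = a.get("type", "text").lower() if tag == "input" else tag
        if itype == "file":
            self._current["uploads"].append(name)
        elif itype == "hidden" and "csrf" in name.lower():
            # Assumption: a hidden field named like "csrf..." is the anti-CSRF token.
            self._current["has_csrf_token"] = True
        else:
            self._current["params"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def map_attack_surface(html, base_url):
    """Return the list of forms (entry points) found in the page."""
    parser = FormMapper(base_url)
    parser.feed(html)
    return parser.forms


def triage(forms):
    """Flag entry points for manual ASVS verification.

    Each finding is (kind, action_url, fields). Kinds map to ASVS areas:
    upload -> file handling (V12); post-without-csrf-token -> access control /
    anti-CSRF (V4); reflected-input-candidate -> validation and encoding (V5).
    """
    findings = []
    for f in forms:
        if f["uploads"]:
            findings.append(("upload", f["action"], f["uploads"]))
        if f["method"] == "POST" and not f["has_csrf_token"]:
            findings.append(("post-without-csrf-token", f["action"], f["params"]))
        if f["method"] == "GET" and f["params"]:
            findings.append(("reflected-input-candidate", f["action"], f["params"]))
    return findings


if __name__ == "__main__":
    surface = map_attack_surface(SAMPLE_HTML, "https://example.test/")
    for form in surface:
        print(form["method"], form["action"], form["params"], form["uploads"])
    for kind, url, fields in triage(surface):
        print(f"[{kind}] {url} {fields}")
```

In a real engagement the HTML would come from an authenticated crawl of each user role (reader, author, reviewer, editor, manager), since OJS exposes most of its upload and editorial forms only after login; the triage output is a worklist for manual verification, not a list of confirmed vulnerabilities.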