IT Support Website Security Evaluation Using Vulnerability Assessment Tools

Vulnerability assessment is a crucial stage for defining and identifying vulnerabilities in web systems so that they can be repaired and reduced. The XYZ institution is new, so the vulnerability assessment aims to minimize attacks from irresponsible parties. In this study, a vulnerability assessment of the IT Support website at XYZ institution was carried out using the Nessus tool. This study used the Vulnerability Assessment Penetration Testing (VAPT) Life Cycle method, which has six stages: scope, planning, scanning and vulnerability analysis, exploitation, privilege escalation, and generating the report. The study found various vulnerabilities ranging from Low to Critical on the IT Support website at XYZ institution, so the IT Support team at XYZ institution is advised to update PHP versions and jQuery and to take several other preventive steps reviewed in the discussion section.


INTRODUCTION
The rapid development of information technology has brought convenience to human life, one example of which is websites [1]. This can be seen from the increasing number of website users for agency, educational, organizational, and personal purposes. The rapid growth of the web is due to several factors, including the development of infrastructure such as the internet, facilities for industrial workers to use the internet, and its use as an additional service to help them manage their business. The internet today is necessary in all aspects of life, for example in a society that currently uses technology [2].
Website development in Indonesia has progressed very rapidly, owing to the increase in internet service users from year to year. Websites can also be accessed easily by many people, regardless of where and when they access them. With this kind of convenience, many organizations do not care whether the web server meets security standards and the system built is secure, or whether there is still interference [3]. Websites that users frequent include search engines, e-commerce, social networks, forums, and news portals. However, despite the ease of service provided by these sites, there are several security vulnerability issues, including cross-site scripting, information disclosure, authentication and authorization, session management, SQL injection, and CSRF [4]. The security of a website is one of the top priorities for an administrator or website user. Most users only focus on the design of the look and content that attracts as many visitors as possible. If an administrator or user ignores the website's security, the user will be at a disadvantage because someone can retrieve essential data on the website or even spoil the appearance of the website [5], [15].
The increasing use of the web challenges web developers to maintain security, because the possibility of disruptive hacking cannot be ruled out [6]. A vulnerability in an IT system can be defined as a potential weakness of a system that, when exploited, can cause the system to come under attack [7]. These attacks have dangerous effects, such as theft and data leakage, the spreading of false information, system modifications, and system paralysis. To anticipate this, web developers need to conduct vulnerability assessments. The need for vulnerability assessment has been underestimated, as it is seen only as a formal activity and is rarely carried out [9], [14]. Vulnerability assessment defines, identifies, classifies, and prioritizes vulnerabilities in web systems. Vulnerabilities in the network can be detected using specific tools or software. Vulnerability assessment methods can help detect vulnerabilities on the web. Developers and network administrators consider the assessment result to make preventive decisions and determine survivability when encountering an attack [8].

METHODS
The research method used is the Vulnerability Assessment and Penetration Testing (VAPT) life cycle [1], shown in Figure 1. The stages of the research are explained as follows.

Scope
The first step is to establish the scope of the object of study. This study takes the IT support website of XYZ Institution as the object of research.

Planning
The second stage is the planning phase, which is aimed at planning and collecting system information.

Scanning & Vulnerability Analysis
The third stage is to use Nessus to find vulnerabilities on the IT Support website.

Exploitation
The fourth stage is where exploitable vulnerabilities are used to penetrate the target system.

Privilege Escalation
The fifth stage is a standard method for attackers to gain unauthorized access to the system within certain limits.

Final Reporting
The sixth stage is the final report, which lists the vulnerabilities on the IT Support website and their impacts and provides recommendations to fix them.

Figure 2. Nessus
The tool used is Nessus. Nessus works by examining a set target, such as a set of hosts or a single host of particular interest. After the scan is completed, the resulting information can be viewed in graphs or lines. The graphical interface for Nessus is built using the Gimp Toolkit (GTK). GTK is a free library widely used to build graphical interfaces under X. Computer security administrators choose Nessus because the distribution of the application is always up to date (continually updated), and the interface is web-based, easy to operate, and free [10].

Vulnerability Scanning
Vulnerability scanning of the IT Support website at XYZ Institution was carried out using the Nessus tool. The results of the vulnerability scan are shown in Figure 3.

Table 1.
Web Server Enables Password Auto-Completion: Add the 'autocomplete=off' attribute to this field to prevent the browser from storing credentials in the cache

Percentage Vulnerability Scanning
This percentage is obtained from the number of vulnerabilities found during the vulnerability scan with Nessus. It makes the level of vulnerability on the XYZ IT Support website easier to determine, so it can be used as material for the website security assessment. The percentage of vulnerabilities is shown in Figure 4 [1].