Vulnerability Assessment and Penetration Testing (VAPT) Framework: Case Study of Government’s Website

Ahmad Almaarif, Muharman Lubis


Information security often neglected by individual or employee or even by the enterprise, with there is no proper strategy to raise awareness, promote consistency and maintain performance regarding protect sensitive, confidential, and critical data. One of the common techniques used is a vulnerability assessment and penetration testing (VAPT) to assure the security strategy has been implemented into the computer system by analyzing both its strength and weakness. SQL plays an essential role in the Relation Database Management System (RDBMS) and its relationship to the existence of a website and its flexible operation because of its simplicity and integrity. To anticipate these types of threats or other Internet attacks, a goal-oriented penetration test that has a framework is recommended to identify specific types of vulnerabilities that lead to business concessions and to avoid the risks that adversely affect the enterprise Thus. This study conducts VAPT to uncover the possibility of threats and evaluate the potential impact to be reported to the system owner through a proper engagement framework that allows systematic measurement. Government websites have been identified for this purpose of the research to show the current trend that occurred in cyber communities, especially in Indonesia. This study has found various vulnerabilities lies in the directory listing, full path disclosure, PHP info disclosure, folder webserver disclosure, and other potential threats, which present 2 (two) critical, 6 (six) medium, and 2 (two) low level of risk.


vulnerability; threat; pen test; network security; assessment.

Full Text:



Symantec Corporation. 2017 Norton Cyber Security Insight Report Global Results. Retrieved at January 2019 from:

ITU-D. Global Cybersecurity Index (GCI) 2017. Retrieved at January 2019 from:

Statista. Consumer Loss Through Cyber Crime Worldwide in 2017, by Victim Country (in billion US dollars). Retrieved January 2019 from:

R. Kuncoro. Current State of Cybersecurity Readiness and Cybercrime Enforcement Capability in Indonesia. Cybercrime Capacity Building Conference, 27-28 April 2010. Indonesiaan National Police.

A.G. Bacudio, X. Yuan, B.T.B.Chu and M. Jones. An Overview of Penetration Testing. Int. Journal of Network Security & Its Applications 3(6), pp. 19-38, 2011.

K. Palanisamy. Network Penetration Testing. White Paper: Happiest People Happiest Customer, 2014.

T.S. Gunawan, M.K. Lim, M. Kartiwi, N.A. Malik and N. Ismail. Penetration Testing using Kali Linux: SQL Injection, XSS, Wordpress and WPA2 Attacks. Indonesian J. of Electrical Engineering and Com. Science, vol. 12(2), Nov., pp. 729-737, 2018.

PTES Team. The Penetration Testing Execution Standard Documentation: Release 1.1 (February 8th, 2017). Retrieved at January 2019 from:

KSM Consulting. Cybersecurity Guide: Vulnerability Assessments and Penetration Testing. Retrieved at January 2019 from:

S. Marsiske, A. Mishra, M. Saptarshi and P. Piolon. Penetration Test Report v.1.0. Open Tech Fund, 2018.

Cisco. Cisco Network Penetration Testing. Retrieved at January 2019 from:

R. Ackroyd, A. Mason and G. Watson. Social Engineering Penetration Testing. Syngress, April 2014.

F. Abu-Dabaseh and E. Alshammari. Automated Penetration Testing: An Overview. 4th Inter. Conference on Natural Languange Computing (NATL) 2018.

C. Weissman. Handbook for the Computer Security Certification of Trusted Systems. IATAC (Inf. Assurance Tech. Analysis Center), DTIC (Defense Technical Inf. Center), 1996.

S. Shah and B.M. Mehtre. An Overview of Vulnerability Assessment and Penetration Testing Techniques. Journal of Computer Virology and Hacking Techniques, vol. 11(1), pp. 27-49, 2015.

R. Baloch. Ethical Hacking and Penetration Testing Guide. CRC Press: Taylor & Francis Group, 2015.

M. Lubis, N.I. Yaacob, H. Reh and M. Ambag. Study on Implementation and Impact of Google Hacking in Internet Security. Proc. of Regional Con. on Knowledge Integration in ICT, 2010.

M. Lubis, M. Kartiwi and S. Zulhuda. Election Fraud and Privacy Related Issues: Addressing Electoral Integrity. Int. Con. on Informatics and Computing (ICIC), 2016.

AR Ahlan and M. Lubis. Information Security Awareness in University: Maintaining Learnability, Performance and Adapability through Roles of Responsibility. Information Assurance and Security (IAS), 2011.

AR Ahlan, M. Lubis and A.R. Lubis. Information Security Awareness at Knowledge-Based Institution: Its Antecedents and Measures. Procedia Computer Science 72, 361-373, 2015.

A.R. Lubis, F. Fachrizal, M. Lubis and H.M. Tahir. Wireless Service at Public University: A Survey of Users Perception on Security Aspects. Proc. of Int. Conf. on Inf. and Communications Technology (ICOIACT) 2018.

S.K. Lamichhane. Penetration Testing in Wireless Networks. Bachelor Thesis, Helsinki Metropolia University of Applied Sciences, 2016.

C.T. Phong. A Study of Penetration Testing Tools and Approaches. Master Thesis, Auckland University of Technology, 2014.

K. Leiviska. Introduction to Experiment Design. University of Oulu, Control Engineering Laboratory, 2013.

W.J. Diamond. Practical Experiment Design for Engineers and Scientiests. Lifetime Learning Publications, 1981.

M. Lubis, M. Kartiwi and S. Zulhuda. Current State of Personal Data Protection in Electronic Voting: Criteria and Indicator for Effective Implementation. Telkomnika, vol. 16(1), pp. 290-301, 2018.



  • There are currently no refbacks.

Published by INSIGHT - Indonesian Society for Knowledge and Human Development