The Implementation of Pentesting on EasyCart to Address Cybersecurity Threats

Authors

  • Mochamad Fahrul Reza, Universitas Esa Unggul
  • Imam Sutanto, Universitas Esa Unggul
https://doi.org/10.58466/aicoms.v4i2.1937

Keywords:

Pentesting, OWASP Top 10, PTES, ISO/IEC 27001, EasyCart, Web Security

Abstract

Information security in e-commerce applications is a crucial aspect of maintaining the integrity, confidentiality, and availability of user data. This study applies penetration testing to the EasyCart e-commerce simulation application, using a black-box and grey-box approach that follows the Penetration Testing Execution Standard (PTES) and the OWASP Top 10 (2021). Testing was conducted through the seven PTES phases: Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post-Exploitation, and Reporting. The test environment was run locally using tools such as Burp Suite, OWASP ZAP, Nikto, SQLMap, and Nmap. Testing identified 20 vulnerabilities at high, medium, and low risk levels, including Cross-Site Scripting (XSS), SQL Injection, Broken Access Control, and Security Misconfiguration. Mitigation recommendations are based on ISO/IEC 27001:2022 controls, specifically Annex A.5 (information security policy), A.8 (asset management), and A.12 (operational security). This research contributes to the understanding and application of standards-based security testing in simulation applications, and emphasizes input validation, secure system configuration, and regular updates as mitigation measures against cyber threats.

Published

2025-11-13

How to Cite

Fahrul Reza, M., & Sutanto, I. (2025). The Implementation of Pentesting on EasyCart to Address Cybersecurity Threats. Applied Information Technology and Computer Science (AICOMS), 4(2), 37-45. https://doi.org/10.58466/aicoms.v4i2.1937

Section

Article