Analysis of Cross Site Request Forgery (CSRF) Attacks on West Lampung Regency Websites Using OWASP ZAP Tools

Abstract—Technological developments in the field of computers and networks are increasingly advanced and have caused many organizations to use web applications to provide business services. With the increasing popularity of the internet, the number of cyber-attacks has also increased. To overcome these negative impacts, the role of network security is very necessary. The Cross Site Request Forgery (CSRF) method is a penetration technique aimed at exploiting website security vulnerabilities, and one tool commonly used to find security vulnerabilities on websites is OWASP ZAP. This research has succeeded in proving security vulnerabilities on the website of the West Lampung district by conducting attack simulations. From the results of the experiment, it was found that there were 12 alerts with low risk on the website of West Lampung Regency. Across these 12 alerts there are 53 URL pages that are vulnerable to attack.


INTRODUCTION
The rapid growth in the development of computer network technology and the internet has caused many organizations to use web applications to provide business services [1]. The web can provide access to information from anywhere and at any time [2]. With the increasing popularity of the internet [3] [4], the number of cyber-attacks has also increased. Besides hacker activity, the negative impacts of the threat of connecting computer networks to the internet include viruses, trojan horses, and so on. To overcome these negative impacts, the role of network security is very necessary. Network security will provide services and protection for computer networks connected to the internet, so that they can operate normally and exchange data safely and reliably [5]. CSRF is different from various other attacks, which mostly use up the existing resources on the system; CSRF attacks are carried out to exercise direct control over the databases on the system [6].
The Cross Site Request Forgery (CSRF) method is a penetration technique aimed at exploiting website security vulnerabilities. CSRF is a technique for faking the identity of site users [7]. An example of the result of this CSRF technique is the ability to change the account parameters of the victim, such as name, age, address, and password [8].
One of the tools commonly used to find security vulnerabilities on websites is OWASP ZAP. The tool raises a "warning" (alert) that indicates a security vulnerability on the target website. There are 3 indicators of security vulnerability in the OWASP ZAP tool: the red colour represents the 'high' security vulnerability indicator, orange represents the 'medium' security vulnerability indicator, and blue represents the 'low' security vulnerability indicator [9].
Research conducted by [10] aimed to determine the level of risk in the main commodity price information system using the Open Web Application Security Project (OWASP) Risk Rating method to detect security vulnerabilities in website-based applications. This study produces 2 factors to estimate Likelihood and Impact; for each factor there are 3 risks found, namely risk severity High, risk severity Medium and risk severity Low. The results of this risk assessment can help system managers and developers to be aware of the risks that may occur so that they can take action to prevent and overcome these risks. Another research conducted by [11], based on the analysis that has been done, found that the SMP Negeri 3 Semarapura School Website has not implemented rate limiting in the Login and Search sections of the Library feature. Without this limitation function, a simulation of entering as many usernames and passwords as possible can be done until the right combination is found; generally this attack is known as a brute force attack. This attack is currently being overcome by applying a captcha after several incorrect combinations, or by temporarily blocking the client. The results for XSS show that the entered payload is not executed by the Website, which indicates that the Website is safe from XSS attacks. Then, based on the analysis of website vulnerabilities carried out using OWASP, the results obtained from the ZAP Report process indicate that the Website of SMP Negeri 3 Semarapura has a risk percentage or vulnerability level of Low and Medium. This is indicated by the web alerts found in the Medium, Low and Informational categories.
So, overall, the author tries here to provide input to the West Lampung regency website to improve the security of its website. The vulnerability was discovered due to a security flaw in the Lampung Barat district website, so the researchers could easily exploit the vulnerability without the slightest obstacle to entering the website.

II. RESEARCH METHODS
The main problems of information system security can be summarized into two things [2]:
1. Threats. Threats come from three main sources:
   1. Natural disasters (tsunami, earthquake, fire, landslide, volcanic eruption)
   2. Humans (sabotage, hackers, viruses and the environment)
   3. Pollution, chemical effects, power reduction
2. CIA, commonly known as Confidentiality, Integrity and Availability, is one of the parameters that is often used when analysing security vulnerabilities, and has become a reference for website security [12]. This parameter is used as a standard and reference for evaluating network security.
The author conducted the research design using the flow that can be seen in Figure 2.
1. Looking for a website that will be security audited. The website can be described as an information medium used for disseminating information on the internet, because with the need for information, it is easier to get it anywhere and anytime [4] [13]. At the initial stage, websites that have weaknesses according to the method we use must first be found. After the website search, the website of the West Lampung district was selected for the penetration testing experiment. This is because this website has several important assets related to the West Lampung district government. Government websites should have a good level of security compared to other websites.
2. Look for vulnerabilities or weaknesses (Vulnerability Scanning). A vulnerability is a security gap in the system that makes the system vulnerable to attack [14]. Some terms related to computer system security are threats, assets, mitigation, security gaps, and risk. The more security holes that exist in the computer system, the higher the protection needed [15]. Techniques used to protect the system are called countermeasures [7]. There are several examples of tools that can be used for scanning, including The Harvester, Nmap, and Masscan [6]. In the second stage, the scanning stage is carried out to find security holes using the OWASP ZAP tool. OWASP ZAP (Zed Attack Proxy) is an application used to perform penetration testing to find website vulnerabilities or security weaknesses. ZAP provides an automated scanner [

Analysis Results
In the last stage, after attacking the website of the Lampung Barat district using Cross-Site Request Forgery (CSRF), the results of the trial are expected to provide a solution for the CSRF method at this low level. Cross-Site Request Forgery or CSRF is one of the attacks carried out on websites based on input loopholes on the website. The security vulnerability occurs because there is a gap in the form on the website, so from here the attacker can make a request to the original form with a script that has been prepared [16]. Several approaches can be taken to overcome CSRF attacks, namely by using a CSRF token [17]. At the time of submitting the form, the CSRF token is inserted. When the request is made, the backend checks whether the CSRF token sent is valid or not. The CSRF token contains a random string that is generated for every form that appears on the website page. Every time a POST request is made, the token is placed as a header or it can also be a query string [18].
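The token scheme described above, as an added example (not the paper's code and not the West Lampung website's implementation): a random token is generated per rendered form, kept in the session, embedded as a hidden field, and checked on every POST, where it may arrive as a form field or as a request header. The field and header names are assumptions.

```python
import hmac
import html
import re
import secrets

# Added example: CSRF-token issue/verify cycle. Field and header names assumed.
TOKEN_FIELD = "csrf_token"
TOKEN_HEADER = "X-CSRF-Token"


def issue_token(session: dict) -> str:
    """Create a fresh random token and remember it in the user's session."""
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf_tokens", set()).add(token)
    return token


def render_search_form(session: dict, action: str) -> str:
    """Render a search form like the one in Fig. 8, with the token embedded."""
    token = issue_token(session)
    return (
        f'<form action="{html.escape(action)}" method="post">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        '<input type="text" name="keyword"><button>Search</button></form>'
    )


def validate_request(session: dict, form: dict, headers: dict) -> bool:
    """Accept the POST only if it carries a token this session issued.
    Tokens are single-use: a matching token is discarded once consumed."""
    sent = form.get(TOKEN_FIELD) or headers.get(TOKEN_HEADER, "")
    if not sent:
        return False
    issued = session.get("csrf_tokens", set())
    match = next((t for t in issued if hmac.compare_digest(t, sent)), None)
    if match is None:
        return False
    issued.discard(match)
    return True


def demo() -> dict:
    """Legitimate submission vs. a copied form hosted off-site (constructed)."""
    session = {}
    page = render_search_form(session, "https://www.lampungbaratkab.go.id/search")
    token = re.search(r'name="csrf_token" value="([^"]+)"', page).group(1)
    legit = validate_request(session, {"keyword": "Lampung", TOKEN_FIELD: token}, {})
    replay = validate_request(session, {"keyword": "Lampung", TOKEN_FIELD: token}, {})
    forged = validate_request(session, {"keyword": "Lampung"}, {})  # copied form, no token
    return {"legitimate": legit, "replayed": replay, "forged": forged}
```

The copied form from outside the site (the case analysed in Section III.B) has no way to obtain the session's token, so its POST is rejected; a replay of a consumed token is rejected as well.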

III. RESULT AND DISCUSSION
In this section, we will discuss the results of the observations and the results of the analysis carried out by the author.

A. Observation Result
The initial stage is a penetration experiment on the https://www.lampungbaratkab.go.id/ website using the OWASP ZAP tool. The scan results obtained by the author on the West Lampung regency website using OWASP ZAP can be seen in Figure 3.

The scan results in Figure 5 show that there are 12 alerts on the website, all from low-risk threats. Based on these 12 alerts, an experiment will be conducted focusing on the low-risk alerts, namely using Cross Site Request Forgery (CSRF).

Figure 8 is a collection of lines of HTML source code that displays the form. Next, we input certain keywords. When the search button is pressed, it automatically leads to line 21, namely <form action="https://www.lampungbaratkab.go.id/search" method="post">. Finally, this source code is built with CSS and Bootstrap.

Fig. 9. Observation result

Figure 9 is the output display made by the development team, which comes from the source code of Figure 8.

Figure 10 is a display of the search feature that the author has made. After that, input the keyword "Lampung" and press the search button. The keyword value will then be stored as an input value which will be sent to https as the keyword to be searched for.

Fig. 11. Observation result

Figure 11 is the output display after we enter keywords and press the search button. It then goes directly to the website page of West Lampung Regency.

B. Observation Analysis
At this stage, an analysis of the observations made previously is carried out. The steps are described as follows.
1. After OWASP ZAP has detected every weakness on the website, we can attack according to the weakness.
2. The Absence of Anti-CSRF Tokens section (53) at the URL https://www.lampungbaratkab.go.id/ has a weakness, so that attackers can carry out attack techniques using the CSRF method, allowing them to enter a certain script on the URL to perform the attack. This can be seen in Figure 14.
3. In Figure 15, there is a collection of source code that shows how data is input through a form; the source code in the form tag will later be used as the basic material for carrying out CSRF attacks.

Fig. 15. Source code for CSRF attacks

4. The source code below is a duplicate of the form on the official website, which aims to manipulate or defraud data sent from outside the official website. This manipulation form leads to https://www.lampungbaratkab.go.id/search with the "POST" method.

From the observations, it was found that there are about 53 URLs from the https://www.lampungbaratkab.go.id/ domain.
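The "Absence of Anti-CSRF Tokens" alert that ZAP raised for the search form can be reproduced by a simple passive check. The following is an added example, not the paper's code and not OWASP ZAP's implementation: it walks every <form> in a page and flags POST forms that contain no hidden input whose name looks like an anti-CSRF token. The token name patterns and the sample page are assumptions.

```python
from html.parser import HTMLParser

# Added example: passive check in the spirit of ZAP's "Absence of Anti-CSRF
# Tokens" alert. Name hints are assumptions, not ZAP's actual list.
TOKEN_NAME_HINTS = ("csrf", "xsrf", "_token", "authenticity_token")


class FormAuditor(HTMLParser):
    """Collect (action, method, has_token) for every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action", ""), (a.get("method") or "get").lower(), False]
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            is_hidden = (a.get("type") or "").lower() == "hidden"
            if is_hidden and any(h in name for h in TOKEN_NAME_HINTS):
                self._current[2] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def forms_without_csrf_token(page_html: str) -> list:
    """Return (action, method) of every POST form lacking a token field."""
    auditor = FormAuditor()
    auditor.feed(page_html)
    auditor.close()
    return [(act, m) for act, m, has in auditor.forms if m == "post" and not has]


# Constructed sample resembling the search form from Fig. 8, plus a protected
# form for contrast (not the real page content).
SAMPLE_PAGE = """
<form action="https://www.lampungbaratkab.go.id/search" method="post">
  <input type="text" name="keyword"><button type="submit">Search</button>
</form>
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed-value">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""
```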

D. Mitigation Suggestions
Based on the results of the observations and the analysis of observations made in the previous stage, to overcome CSRF attacks it is necessary to carry out mitigation as shown in Table II.

IV. CONCLUSIONS
Based on the results of the observations and the analysis of the research that has been done, it can be concluded that security vulnerabilities in websites can be subject to various attack techniques. From the results of the observations and analysis, it is found that there are 53 URL pages that are vulnerable to being attacked by CSRF. From the observations, it is found that the type of risk for attacks that occur on this website is of a low level.