Paembonan, Seprianto (2025) Implementasi Metode PTES dan NIST dalam Evaluasi Kerentanan Keamanan Website Resmi Pemerintah Kota Tarakan. Undergraduate thesis, Universitas Muhammadiyah Malang.
Abstract
The growing use of digital services by government has made public service websites a potential target for cyber attacks. This study assesses security vulnerabilities on the Tarakan City Government official website (portal.tarakankota.go.id) using two approaches: the Penetration Testing Execution Standard (PTES) and NIST SP 800-115. The testing process covers planning, information gathering, vulnerability analysis, exploitation, and reporting. The evaluation identified several important vulnerabilities: the absence of HTTPS and the HSTS header, which leaves data in transit vulnerable to man-in-the-middle attacks; Host Header Injection, which allows dangerous redirection; and Clickjacking, due to the missing X-Frame-Options header. In addition, one SQL Injection vulnerability was found in the early stages but could not be exploited because the input was well monitored. The PTES approach proved effective in the technical exploitation phase, while NIST SP 800-115 was effective in planning, documentation, and reporting. Combining the two methods produced a more comprehensive assessment covering technical and managerial elements, and yielded security improvement recommendations such as implementing SSL/TLS, configuring security headers, and strictly validating input parameters. This research emphasizes the importance of routine evaluation to strengthen cybersecurity in web-based public services.
| Item Type: | Thesis (Undergraduate) |
|---|---|
| Student ID: | 202110370311005 |
| Keywords: | Website Security, Penetration Testing Execution Standard (PTES), NIST SP 800-115, Vulnerability Assessment |
| Subjects: | T Technology > T Technology (General) |
| Divisions: | Faculty of Engineering > Department of Informatics (55201) |
| Depositing User: | 202110370311005 seprypaembonan |
| Date Deposited: | 03 Feb 2026 06:21 |
| Last Modified: | 03 Feb 2026 06:21 |
| URI: | https://eprints.umm.ac.id/id/eprint/26945 |
