Human Resources Web Application Penetration Testing Using PTES and OWASP Top 10

Authors

Abstract

Web-based Human Resources (HR) applications store highly sensitive employee and organizational data, making them attractive targets for cyberattacks. This study presents a penetration testing assessment of a multi-tenant HR web application owned by PT. XYZ. The evaluation was conducted using a gray-box approach based on the Penetration Testing Execution Standard (PTES) and guided by the OWASP Top 10 (2021) framework. The testing process covered information gathering, threat modeling, vulnerability analysis, controlled exploitation, and post-exploitation analysis. The results reveal several critical and medium-risk vulnerabilities, including Broken Access Control in the form of Insecure Direct Object Reference (IDOR), security misconfigurations, outdated server components, and the absence of rate-limiting mechanisms in authentication features. These weaknesses could potentially lead to sensitive data leakage and account takeover attacks. This paper also provides concrete mitigation recommendations to strengthen access control, configuration hardening, and the overall security posture of the HR web application.
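The two findings the abstract names most concretely, IDOR on employee records and missing rate limiting on authentication, are illustrated below with an added example that is not part of the paper or of PT. XYZ's application. It contrasts an IDOR-prone record handler with one that enforces object-level authorization per tenant and per owner, and adds a sliding-window login limiter. The `Session`, `EmployeeRecord`, `RECORDS` data, roles, and the limit of five attempts per minute are all constructed assumptions for the example.

```python
"""Added illustration, not code from the paper: object-level authorization
for a multi-tenant HR record endpoint, plus a per-account login rate
limiter. All names, records and thresholds are constructed."""
from collections import deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Session:
    user_id: int
    tenant_id: int
    role: str  # assumed roles: "employee" or "hr_admin"


@dataclass(frozen=True)
class EmployeeRecord:
    record_id: int
    owner_user_id: int
    tenant_id: int
    salary: int


# Constructed sample data: two tenants, three employee records.
RECORDS = {
    1: EmployeeRecord(1, owner_user_id=10, tenant_id=1, salary=5000),
    2: EmployeeRecord(2, owner_user_id=11, tenant_id=1, salary=6000),
    3: EmployeeRecord(3, owner_user_id=20, tenant_id=2, salary=7000),
}


class Forbidden(Exception):
    """Raised when an authenticated caller is not authorized for a record."""


def get_record_insecure(session: Session, record_id: int) -> EmployeeRecord:
    """IDOR-prone pattern: the caller is authenticated, but the handler never
    checks whether the requested record belongs to the caller's tenant or
    to the caller. Any logged-in user can read any record by changing the id."""
    return RECORDS[record_id]


def get_record_secure(session: Session, record_id: int):
    """Hardened pattern: authorization is decided per object, on every call.
    Returns None (treated as 404) for ids that are missing or belong to
    another tenant, so the response does not confirm that the id exists."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.tenant_id != session.tenant_id:
        return None
    # Within the tenant, only the record owner or an HR admin may read it.
    if session.role != "hr_admin" and rec.owner_user_id != session.user_id:
        raise Forbidden(f"user {session.user_id} may not read record {record_id}")
    return rec


class LoginRateLimiter:
    """Sliding-window limiter keyed per account name: at most `limit` attempts
    within `window` seconds. `clock` is injectable so the window can be tested
    without sleeping."""

    def __init__(self, limit: int = 5, window: float = 60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._attempts: dict[str, deque] = {}

    def allow(self, username: str) -> bool:
        """Record one attempt and report whether it is within the limit."""
        now = self.clock()
        attempts = self._attempts.setdefault(username, deque())
        # Drop attempts that have aged out of the window.
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()
        if len(attempts) >= self.limit:
            return False
        attempts.append(now)
        return True
```

The secure handler deliberately collapses "missing" and "other tenant" into the same not-found result; returning a distinct forbidden status for cross-tenant ids would let a caller confirm which ids exist elsewhere. The limiter is keyed by account so that a burst of failed logins against one user is throttled regardless of source; a production deployment would also key by client address and persist the counters outside the process.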

Published

2026-06-15