Abstract

Higher Learning Institutions (HLIs) in Tanzania use web-based systems to manage, store and process institutional information and data such as website content, academic results and financial records, yet these systems have been compromised by attackers because of the vulnerabilities they contain. The main objective of this study is to assess the vulnerabilities of Students Records Web-based Systems (SRWBS) of private and public HLIs in Tanzania using a black-box testing methodology with two automated vulnerability scanners: OWASP ZAP (Open Web Application Security Project Zed Attack Proxy, an open-source tool) and Acunetix (a proprietary tool). The study assesses the SRWBS of 3 private HLIs and 5 public HLIs in Tanzania. The results reveal a total of 29 vulnerabilities, which include but are not limited to Broken Authentication and Session Management, Broken Access Control, Security Misconfiguration, Sensitive Data Exposure, Vulnerable JS (JavaScript) Libraries, CSRF (Cross-Site Request Forgery), Using Components with Known Vulnerabilities, XSS (Cross-Site Scripting), DOM (Document Object Model) based XSS and Reflected XSS. The SRWBS of public HLIs were found to be more vulnerable, at an average of 44.2%, than the SRWBS of private HLIs, at an average of 37%. Based on these results, the study provides recommendations for mitigating these vulnerabilities and improving the security of SRWBS for private and public HLIs in Tanzania.
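The abstract describes running OWASP ZAP against each SRWBS and comparing the findings of public and private institutions. The script below is an added example, not code from the study, showing how a practitioner would post-process a ZAP JSON report for that comparison: it parses the report, splits ZAP's "risk (confidence)" field, groups alerts by risk level and CWE, and computes a per-group mean of distinct High and Medium alert types. The report contents, the two site names and their public/private labelling are constructed for the example; the abstract does not define how its "vulnerable by X%" figures were derived, so the metric here (mean count of actionable alert types per group) is an assumption, not the study's own measure.

```python
"""Triage an OWASP ZAP JSON report and compare institution groups.

Added example, not the study's code. Assumes ZAP's JSON report layout:
a top-level "site" list, each site with an "alerts" list whose entries carry
"alert", "riskdesc" (e.g. "High (Medium)"), "cweid" and "instances".
The sample report below is constructed; alert names follow ZAP's real
passive/active rules, but the sites and findings are made up.
"""
import json
from collections import Counter, defaultdict

# Constructed sample report (two hypothetical SRWBS hosts).
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [
        {
            "@name": "https://srwbs.public-example.ac.tz",
            "alerts": [
                {"alert": "Cross Site Scripting (Reflected)", "riskdesc": "High (Medium)", "cweid": "79",
                 "instances": [{"uri": "https://srwbs.public-example.ac.tz/results?q=a", "param": "q"}]},
                {"alert": "Absence of Anti-CSRF Tokens", "riskdesc": "Medium (Low)", "cweid": "352",
                 "instances": [{"uri": "https://srwbs.public-example.ac.tz/login", "param": ""}]},
                {"alert": "Vulnerable JS Library", "riskdesc": "Medium (Medium)", "cweid": "829",
                 "instances": [{"uri": "https://srwbs.public-example.ac.tz/js/jquery-1.8.3.min.js", "param": ""}]},
                {"alert": "Cookie Without Secure Flag", "riskdesc": "Low (Medium)", "cweid": "614",
                 "instances": [{"uri": "https://srwbs.public-example.ac.tz/login", "param": "PHPSESSID"}]},
            ],
        },
        {
            "@name": "https://srwbs.private-example.ac.tz",
            "alerts": [
                {"alert": "X-Frame-Options Header Not Set", "riskdesc": "Medium (Medium)", "cweid": "1021",
                 "instances": [{"uri": "https://srwbs.private-example.ac.tz/", "param": ""}]},
                {"alert": "Cookie Without Secure Flag", "riskdesc": "Low (Medium)", "cweid": "614",
                 "instances": [{"uri": "https://srwbs.private-example.ac.tz/login", "param": "JSESSIONID"}]},
            ],
        },
    ],
})

RISK_ORDER = ("High", "Medium", "Low", "Informational")


def risk_level(riskdesc):
    """'High (Medium)' -> 'High'; the bracketed part is ZAP's confidence, not risk."""
    return riskdesc.split(" (", 1)[0]


def summarize_report(report_json):
    """Per site: alert-type counts by risk, alert names by CWE, and total instances."""
    report = json.loads(report_json)
    summary = {}
    for site in report.get("site", []):
        by_risk = Counter()
        by_cwe = defaultdict(list)
        instances = 0
        for alert in site.get("alerts", []):
            by_risk[risk_level(alert["riskdesc"])] += 1
            by_cwe[alert.get("cweid", "-1")].append(alert["alert"])
            instances += len(alert.get("instances", []))
        summary[site["@name"]] = {"by_risk": by_risk, "by_cwe": dict(by_cwe), "instances": instances}
    return summary


def actionable_count(site_summary):
    """Distinct High + Medium alert types: where a remediation list should start."""
    return site_summary["by_risk"]["High"] + site_summary["by_risk"]["Medium"]


def compare_groups(summary, groups):
    """Mean actionable alert types per group; 'groups' maps site -> label (assumed grouping)."""
    totals, counts = Counter(), Counter()
    for site, label in groups.items():
        totals[label] += actionable_count(summary[site])
        counts[label] += 1
    return {label: totals[label] / counts[label] for label in counts}


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    for site, info in s.items():
        print(site, {r: info["by_risk"][r] for r in RISK_ORDER}, "instances:", info["instances"])
    print(compare_groups(s, {"https://srwbs.public-example.ac.tz": "public",
                             "https://srwbs.private-example.ac.tz": "private"}))
```

On a real engagement the report would come from ZAP itself (for example the baseline or full scan written with its JSON report option), and the same functions can be pointed at Acunetix output once its export is mapped onto the same site/alert/risk shape, which keeps the public-versus-private comparison independent of the scanner used.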
