Assessment of Vulnerabilities in Student Records Web-Based Systems of Public and Private Higher Learning Institutions in Tanzania
Abstract
Higher Learning Institutions (HLIs) increasingly rely on web-based systems to manage data such as website content, academic results, and financial records. These systems improve service delivery to stakeholders but also expose HLIs to a range of vulnerabilities, and web-based systems at HLIs are frequently compromised through them. This study assessed the vulnerabilities of Student Records Web-Based Systems (SRWBS) at private and public HLIs in Tanzania using black-box testing with two automated vulnerability scanners: OWASP Zed Attack Proxy (ZAP), an open-source tool, and Acunetix, a proprietary tool. The SRWBS of three private and five public HLIs were scanned. The scans revealed 28 vulnerabilities, including Broken Authentication and Session Management, Security Misconfiguration, Sensitive Data Exposure, Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS). Public HLIs had an average vulnerability rate of 44.2% against 37% for private HLIs, indicating that public HLIs are generally at greater risk. Efforts to secure these systems should prioritize the most common vulnerabilities identified in this study.