Optimalisasi dalam Penetrasi Testing Keamanan Website Menggunakan Teknik SQL Injection dan XSS
DOI:
https://doi.org/10.37034/jsisfotek.v3i4.68Keywords:
Penetration Testing, XSS, Function Script, Filter Character, SQLIAbstract
SQLI (SQL Injection) and XSS are hacking techniques that are often used by hackers. This technique can find out the contents of the database by inserting a script on the website. This technique can be a threat if a website does not have security that can ward off such attacks. Hackers will look for loopholes using this technique in a login menu, searching, upload menu, input menu and URLs that have parameters ending in numbers, but not all websites that can be attacked use this technique if you don't limit the use of characters. This research was conducted to find out the gaps in a website that can be attacked with SQLI and XSS techniques and help optimize website security to avoid these attacks. Penetration testing will be carried out on a CV car rental website. Merdeka Auto Rental which is located in Padang City. This penetration testing uses SQLI and XSS techniques to find security holes in a website. The result of this test is that on the car rental website there are 12 gaps that are vulnerable to SQLI and XSS attacks, based on the results of these tests, a PHP script function is made that can remove all dangerous special characters. The script function is inserted in the PHP input, process and output files. The use of this script function does not apply to attacks other than SQLI and XSS so that if hackers use attack techniques other than that, this website is vulnerable to these attacks. After the script is inserted in the source code of the website, it can be concluded that the 12 known loopholes in the previous test without using the script function have changed status to not vuln or not vulnerable to SQLI and XSS attacks.
References
Kumar, S., Mahajan, R., Kumar, N., & Khatri, S. K. (2018). A study on web application security and detecting security vulnerabilities. 2017 6th International Conference on Reliability, Infocom Technologies and Optimization: Trends and Future Directions, ICRITO 2017, 2018-Janua, 451–455. https://doi.org/10.1109/ICRITO.2017.8342469.
Yulianingsih, Y. (2016). Menangkal Serangan SQL Injection Dengan Parameterized Query. Jurnal Edukasi Dan Penelitian Informatika (JEPIN), 2(1), 46–49. https://doi.org/10.26418/jp.v2i1.15507.
Zulkifli, & Samsir. (2020). Implementasi Sistem Keamanan SQL Injection Dalam berbasis web. U-NET Jurnal Teknik Informatika, 4(1), 8–13. https://doi:10.52332/u-net.v4i1.164.
Halfond, W. G. J., & Orso, A. (2017). Detection and Prevention of SQL Injection Attacks. Advances in Information Security, 27(8), 85–109. https://doi.org/10.1007/978-0-387-44599-1_5.
Bangkit Wiguna, Adi Prabowo, W., & Ananda, R. (2020). Implementasi Web Application Firewall Dalam Mencegah Serangan SQL Injection Pada Website. Digital Zone: Jurnal Teknologi Informasi Dan Komunikasi, 11(2), 245–256. https://doi.org/10.31849/digitalzone.v11i2.4867.
Sahren, Ashari Dalimuthe, R., & Amin, M. (2019). Prosiding Seminar Nasional Riset Information Science (SENARIS) Penetration Testing Untuk Deteksi Vulnerability Sistem Informasi Kampus. September, 994–1001. https://doi.org/http://dx.doi.org/10.30645/senaris.v1i0.109
Dwi Handoko Kusdikdoyo, T. W. (2019). Menerapkan Aspek Keamanan Database Pada Website E-CRM Toko Pelangi. 2, 419–430. https://doi.org/http://dx.doi.org/10.30700/.v2i1.871
Marashdih, A. W., & Zaaba, Z. F. (2017). Cross Site Scripting: Removing Approaches in Web Application. Procedia Computer Science, 124, 647–655. https://doi.org/10.1016/j.procs.2017.12.201
Nagpal, B., Chauhan, N., & Singh, N. (2017). SECSIX: security engine for CSRF, SQL injection and XSS attacks. International Journal of Systems Assurance Engineering and Management, 8, 631–644. https://doi.org/10.1007/s13198-016-0489-0
Dhivya, Praveen Kumar, Saravanan, P. (2018). Evaluation Of Web Security Mechanisms Using Vulnerability & Sql Attack Injection. 119(14), 989–996.
Setiawan, E. B., & Setiyadi, A. (2018). Web vulnerability analysis and implementation. IOP Conference Series: Materials Science and Engineering, 407(1). https://doi.org/10.1088/1757-899X/407/1/012081
Aliero, M. S., Ghani, I., Qureshi, K. N., & Rohani, M. F. (2020). An algorithm for detecting SQL injection vulnerability using black-box testing. Journal of Ambient Intelligence and Humanized Computing, 11(1), 249–266. https://doi.org/10.1007/s12652-019-01235-z
Gunawan, T. S., Lim, M. K., Kartiwi, M., Malik, N. A., & Ismail, N. (2018). Penetration testing using Kali linux: SQL injection, XSS, wordpres, and WPA2 attacks. Indonesian Journal of Electrical Engineering and Computer Science, 12(2), 729–737. https://doi.org/10.11591/ijeecs.v12.i2.pp729-737
I Gede, Gusti Madi & Sri Arsa. (2020). Evaluasi Keamanan Website Lembaga X Melalui Penetration Testing Menggunakan Framework ISSAF. Jurnal Ilmiah Merpati, 8(2), 113–124.
Liu, M., & Wang, B. (2018). A web second-order vulnerabilities detection method. IEEE Access, 6, 70983–70988. https://doi.org/10.1109/ACCESS.2018.2881070
Sitorus, S. P., & Habibi, R. A. (2020). Teknik Pencegahan Penetrasi SQL Injeksi Dengan Pengaturan Input Type Number dan Batasan Input Pada Form Login Website. U-NET Jurnal Teknik Informatika, 4(2), 26–33. https://doi:10.52332/u-net.v4i2.303
Gunadhi, E., & Nugraha, A. P. (2016). Penerapan Kriptografi Base64 Untuk Keamanan URL (Uniform Resource Locator) Website Dari Serangan SQL Injection. Jurnal Algoritma, 13(2), 391–398. https://doi:10.33364/algoritma/v.13-2.391
