SQL Injection: Analysis of Penetration Testing Effectiveness in Web Applications


Luthfi Arian Nugraha, Irwan Alnarus Kautsar, Arif Senjani Fitrani

Abstract

In a digital landscape that keeps evolving, information system security is critical, especially against SQL Injection attacks that threaten data integrity. This research evaluates the SQL Injection vulnerability of web applications and assesses the effectiveness of penetration testing as a security measure. Drawing on a literature review and previous studies, it identifies the attack techniques and defence strategies used to protect data. Systematic penetration testing of ten websites yields performance data on the success rate of attacks and the time required for penetration. The results show that the effectiveness of penetration testing tools varies, and that some sites exhibit significant vulnerabilities. To strengthen web application security, the research suggests updating the programming language version, adopting the OOP and MVC paradigms, using REST APIs, deploying a WAF, and adding CAPTCHAs. These findings inform the development of more robust and adaptive security strategies against cyber threats.
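The mitigations the abstract lists (OOP, MVC, REST APIs, WAF, CAPTCHA) operate around the application; the root-cause fix for SQL Injection is to bind user input as query parameters so it can never be parsed as SQL syntax. The block below is an added example, not code from the paper, using only Python's standard sqlite3 module against a constructed in-memory users table. It runs two classic tautology payloads (constructed here; the paper does not list its payloads) against a string-concatenated login query and a parameterized one, and reports an attack success rate in the spirit of the paper's success-rate metric.

```python
import sqlite3

# Constructed in-memory database for this example (not data from the paper).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Concatenation: attacker-controlled input becomes part of the SQL syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Placeholders: input is bound as data and compared literally, never parsed."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# Constructed payloads, both sent in the password field.
PAYLOADS = [
    "' OR '1'='1",   # closes the string literal, appends a tautology
    "x' OR 1=1--",   # tautology, then a comment discards the trailing quote
]

def attack_success_rate(login_fn, conn):
    """Fraction of payloads that log in as 'alice' without the real password."""
    hits = sum(1 for p in PAYLOADS if login_fn(conn, "alice", p))
    return hits / len(PAYLOADS)

def demo():
    conn = make_db()
    return {
        "vuln_legit":   login_vulnerable(conn, "alice", "s3cret"),
        "vuln_attack":  login_vulnerable(conn, "alice", PAYLOADS[0]),
        "param_legit":  login_parameterized(conn, "alice", "s3cret"),
        "param_attack": login_parameterized(conn, "alice", PAYLOADS[0]),
        "vuln_rate":    attack_success_rate(login_vulnerable, conn),
        "param_rate":   attack_success_rate(login_parameterized, conn),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The concatenated query turns `' OR '1'='1` into `... AND password = '' OR '1'='1'`, which SQLite evaluates as `(username AND password) OR true`, so every payload succeeds. The parameterized query compares the same bytes against the stored password as a literal string and both payloads fail. A WAF or CAPTCHA in front of the vulnerable function would only raise the cost of reaching it; it would not change this result.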

