Analysis of Manual and Automated Methods Effectiveness in Website Penetration Testing for Identifying SQL Injection Vulnerabilities
DOI: 10.47709/cnahpc.v6i3.4249
Keywords: Input Validation, Penetration Testing, Prepared Statement, SQL Injection, Website Security
Abstract
This research aims to identify SQL Injection vulnerabilities in websites through penetration testing, using quantitative and descriptive methods. In the current digital era, the security of data and information has become a crucial concern. One of the most frequent threats is the SQL Injection attack, in which an attacker inserts malicious SQL commands into the queries executed by a web application. This study uses tools such as Burp Suite to identify and exploit vulnerabilities in a login form created by the researchers. The research process begins with the Pre-Engagement Interactions phase, which covers information gathering and setting the testing scope. Vulnerability Testing is then conducted to evaluate the existing weaknesses. Exploitation is performed using the 'OR'1'='1 technique, which demonstrates that the website is vulnerable to SQL Injection. The results indicate that the login form is susceptible to SQL Injection because of insufficient input validation and the use of dynamic SQL queries without prepared statements. Implementing stricter input validation and using prepared statements proved effective in improving the website's security. This research makes a significant contribution to the field of information system security, particularly to the prevention of SQL Injection attacks. Its results can serve as a practical guide for web developers in improving the security of their applications and provide a deeper understanding of SQL Injection threats and their mitigation techniques.
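The abstract attributes the finding to two root causes, dynamic SQL built from user input and missing input validation, and names prepared statements and stricter validation as the fix. The following is an added illustration, not code from the paper or from the researchers' test website: a minimal login check written in the weak style beside its hardened form, run against a constructed in-memory SQLite table (the schema, user record and allow-list pattern are assumptions chosen for the example). The weak version accepts the 'OR'1'='1 input described above because the quote changes the structure of the query; the hardened version binds the same input as a parameter and additionally rejects it at validation time.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the login form's backend.
    The schema and the single record are hypothetical (not from the paper).
    Real systems store password hashes; plaintext is used here only so the
    example stays focused on query structure."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_dynamic_sql(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The weak pattern the abstract describes: user input concatenated into a
    dynamic SQL string, so a quote in the input is parsed as SQL rather than
    treated as data."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


# Allow-list for the identifier field (assumed policy for this example):
# letters, digits, underscore, dot and hyphen, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,32}$")


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The hardened pattern: allow-list validation on the username, a length
    bound on the password, and a parameterized query so both values are bound
    as data by the driver and can never alter the statement's structure."""
    if not USERNAME_RE.fullmatch(username):
        return False
    if not 1 <= len(password) <= 128:
        return False
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


# The input from the abstract, supplied in both form fields. In the dynamic
# query it yields ... username = '' OR '1'='1' AND password = '' OR '1'='1',
# whose trailing OR makes the WHERE clause true for every row.
PAYLOAD = "' OR '1'='1"


def compare() -> dict:
    """Run both implementations on the same inputs and report who gets in."""
    conn = build_db()
    return {
        "dynamic_valid_login": login_dynamic_sql(conn, "alice", "correct horse"),
        "dynamic_wrong_password": login_dynamic_sql(conn, "alice", "nope"),
        "dynamic_payload": login_dynamic_sql(conn, PAYLOAD, PAYLOAD),
        "prepared_valid_login": login_prepared(conn, "alice", "correct horse"),
        "prepared_payload_both_fields": login_prepared(conn, PAYLOAD, PAYLOAD),
        "prepared_payload_password_only": login_prepared(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for name, granted in compare().items():
        print(f"{name:32s} -> {'access granted' if granted else 'denied'}")
```

The last case is the one worth noting when reviewing a fix: validation alone would not catch a quote-bearing password, since passwords legitimately contain such characters, so the parameterized query is what actually closes the hole; the allow-list on the username is defence in depth, not the primary control.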
Copyright (c) 2024 Abdul Aziz Anaoval, Ahmad Turmudi Zy, Suherman S
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.