OWASP Framework-Based Network Forensics to Analyze the SQLi Attacks on Web Servers

One of the dangerous vulnerabilities that affect the web is SQLi. With this vulnerability, someone can obtain user data, then change and delete that data. The solution to this attack problem is that the design website must improve security by paying attention to input validation and installing a firewall. This study’s objective is to use network forensic tools to examine the designlink website’s security against SQLi attacks, namely Whois, SSL Scan, Nmap, OWASP Zap


INTRODUCTION
Web applications are gaining popularity with a wealth of more complex features [1]. This technology's complexity is the result of increasing customer demand for more attractive online services [2,3]. Meanwhile, too-fast public release cycles make online security harder to scale [4,5]. The year 2021 was arguably the worst year on record in cybersecurity history. The COVID-19 pandemic seems to have helped trigger a cyber pandemic with many data leaks, identity theft, and malware attacks. The following types of attacks often occur: Crypto mining, social engineering, data leakage, hacking, Cross-Site Scripting (XSS), SQL injection, Clickjacking, DoS, Credential Reuse, Man in the middle, Insider Threat, and Phishing [6]. SQL injection attacks are hacking operations performed through a client application by modifying SQL commands in the client application's memory. It is a web application attack that compromises the database used to store data [7]. Injection method attacks have recently increased, resulting in losses to businesses, governments, communities, and individual targets [8]. Cyberattacks are a major problem for governments, businesses, and scientific institutions [9]. The NCSI (National Cyber Security Index) conducts assessments based on many indicators, including state cybersecurity laws and regulations, availability of government agencies in cybersecurity, government cooperation in cybersecurity, and public evidence such as official government websites or other related initiatives. Government data leaks occur often, not only in Indonesia but also in developed countries. Indonesia's cyber security level index reached 38.96 points. Malaysia finished first with 79.22 points. Singapore came in second with 71.43 points, followed by Thailand with 69.94 points [10]. A comparison of cybersecurity indices in Southeast Asia in 2022 is shown in Figure 1.

Figure 1. Cybersecurity Index of Countries in Southeast Asia
The cybersecurity index is closely related to the field of network forensics in the process of identifying web security systems. Network forensics is a science that focuses on computer networks and devices connected to a network to find the source of an attack on a server network [11]. A web server is an entity or network software that provides information from a website to clients. In summary, the main function of a web server is to host web applications on a network and provide information from a website to clients [12][13][14]. Almost all applications today use databases to store transferred information, so some people deliberately take advantage of loopholes to steal information [15]. One database storage system that can be used is SQL (Structured Query Language). SQL systems can be attacked using SQL injection, a method of inserting commands on a web server. SQL injection is used to insert SQL commands as input on a website to gain access rights to the database [16]. If the database can be accessed, a hacker can easily steal confidential data and manipulate or damage website data [17]. One method for testing websites for security vulnerabilities is to use the OWASP framework.
The OWASP framework is a structured, multi-step framework for grouping information for domain security plans, assessments, and test reports that are verified and analyzed [18]. The OWASP Framework is an open-source framework published by the OWASP community that lists the top 10 vulnerabilities that can compromise website security. This list continues to grow and change as technology develops [19,20]. Based on OWASP in 2004, there were ten types of attacks: broken access control, security misconfiguration, insecure deserialization, injection, exposure of sensitive data, external XML entities, broken authentication, cross-site scripting, using components with known vulnerabilities, and insufficient logging and monitoring. Of the ten attacks, SQL injection was one of the easiest attacks to perform, accounting for about 44.11% after Local File Inclusion (LFI) compared to other attacks [21]. One of the tools used is SQL Map. This tool is open-source and can be installed on Kali Linux and Windows. It is used to detect and exploit injection vulnerabilities on the web. The application can take over database servers [22,23]. The step used in SQL injection is to enter standard commands in SQL, such as create, insert, update, drop, alter, union, and select, along with other commands [24].
Research [24], titled Vulnerability Analysis Website Renovaction Using a Suite of Security Tools Project Based on the Owasp Framework, aims to analyze website vulnerabilities to avoid cyber attacks, especially Cross Site Scripting and SQL Injection attacks, by applying the OWASP Top 10 2017 rules. Research [25], titled Attack and Security Analysis on SQL Injection, aims to explain how to deal with SQLi attacks and how these attacks exploit website vulnerabilities. Research [26], titled SQL Injection Attack Analysis on Online Study Plan Card (KRS) Charging Server, aims to simulate an injection attack on the Study Plan Card charging system to determine whether the system has an injection attack gap. Research [27], titled Security Analysis on Websites using the Information System Assessment Framework (ISSAF) and Open Web Application Security Version 4 (OWASPv4) using the Penetration Testing Method, has the goal of identifying vulnerabilities in websites. The findings revealed several vulnerabilities, including missing jQuery updates on the ITTP website. A total of ten tests were conducted, with five using the ISSAF framework and five using OWASP version 4. Notably, during the ISSAF assessment, robots.txt files found on the S1 Informatics website stored important information and displayed exploitable sitemaps. Research [28], titled Website Vulnerability Testing and Analysis of Internet Management Information System Using OWASP, applied gray box penetration testing to websites by utilizing the OWASP framework and OWASP ZAP tools to collect target information, perform automated scans with the help of OWASP ZAP, exploit scan results, generate reports, and offer recommendations. The results showed that the OWASP framework could be used to find high, medium, and low-level vulnerabilities in websites.
Previous studies have only mitigated injection attacks and have not tested injection attacks using SQL Map tools. In addition, the tools used have not covered all stages in the OWASP Framework. Therefore, this study used tools covering all stages of the OWASP Framework: Gathering Information using Whois tools, SSL Scan; Network Mapping using Nmap and OWASP Zap; Exploiting using SQL Map. This study aims to test the security of graphic designer websites from SQLi attacks using network forensic tools, namely Whois, SSL Scan, Nmap, OWASP Zap, and SQL Map based on the OWASP framework. The findings from this study are expected to be a valuable reference for institutions that utilize websites as information platforms in choosing the right web security tools.
This article is organized as follows. Section 1, Introduction, includes distinctions from earlier research. Section 2, Research Methods, discusses the OWASP Framework used to obtain the expected research results. Section 3, Results and Analysis, explains the research analysis results using the OWASP framework on a web server with the Whois, SSL Scan, Nmap, OWASP Zap, and SQL Map tools. Section 4, Conclusion, summarizes the study's findings and gives recommendations for future research.

RESEARCH METHOD
The OWASP Framework is used in this study to evaluate and test web server security in four stages: Data Collection, Penetration Testing, Analysis, and Reporting. The OWASP framework is used to incorporate these four steps into testing. Figure 2 depicts the four processes that must be completed to achieve proper study results. During the data collection phase, information related to the selected topic is gathered, and a survey is conducted. Subsequently, penetration testing is performed on the website to evaluate its security. This testing involves a pentester simulating a real attack to identify vulnerabilities that could potentially compromise the application, system, or network's security features. An extensive analysis of the web server is conducted during this stage to pinpoint any weaknesses. Finally, a detailed report is prepared, describing the analysis results and findings obtained from the testing process. There are three stages in conducting testing using the OWASP framework, which can be seen in Figure 3. Figure 3 shows the testing stages in this study using the OWASP Framework. In the first stage, information is gathered using Whois and SSL Scan. The second stage, mapping the network, scans for vulnerabilities using the Nmap and OWASP ZAP tools. After a complete vulnerability scan, testing proceeds to the third stage, which is exploiting using the SQL Map tool.
A schematic diagram of the SQL injection test scenario on the web server using the SQL Map tool is shown in Figure 4. The schematic diagram in Figure 4 is the attack scenario in this study. Attackers connected to an internet network attack the web server using the SQL Map tool. SQL Map sends database requests from a web server with SQL commands. A web server not protected by a firewall will send requests to the attacker.
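
The forensic view of this scenario is the web server's access log. The following is an added example, not code from the paper: it flags logged requests whose decoded query parameters carry the SQL commands the introduction lists, or whose User-Agent names sqlmap. The log lines, addresses and paths are constructed, and Combined Log Format is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# SQL commands the paper lists as typical injection input.
KEYWORD_RE = re.compile(
    r"\b(create|insert|update|drop|alter|union|select)\b", re.IGNORECASE)
# SQL punctuation that rarely appears in ordinary parameter values.
META_RE = re.compile(r"'|\"|--|/\*|;|\(")
# Combined Log Format as written by Apache and nginx (assumed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$')

# Constructed sample log: documentation IP ranges, hypothetical paths.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2023:10:01:02 +0000] "GET /product.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2023:10:02:11 +0000] "GET /product.php?id=12%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 200 5201 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.9 - - [10/Mar/2023:10:02:12 +0000] "GET /product.php?id=12%27%20AND%20%28SELECT%201%29%3D1 HTTP/1.1" 500 310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:10:03:40 +0000] "GET /search.php?q=select+a+design HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def inspect_line(line):
    """Parse one log line; return its fields plus the reasons it looks like SQLi."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None  # not a Combined Log Format line
    reasons = []
    if "sqlmap" in m["agent"].lower():
        reasons.append("sqlmap user-agent")
    # parse_qsl percent-decodes values, so encoded payloads are matched too.
    query = urlsplit(m["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        keywords = sorted({k.lower() for k in KEYWORD_RE.findall(value)})
        # One keyword alone is common in normal text ("select a design"), so
        # require SQL punctuation with it, or two distinct keywords.
        if keywords and (META_RE.search(value) or len(keywords) > 1):
            reasons.append(f"param {name}: {'+'.join(keywords)}")
    return {"ip": m["ip"], "time": m["time"],
            "status": int(m["status"]), "reasons": reasons}

def suspects(log_text):
    """Group flagged requests by source address."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        finding = inspect_line(line)
        if finding and finding["reasons"]:
            by_ip[finding["ip"]].append(finding)
    return dict(by_ip)

if __name__ == "__main__":
    for ip, hits in suspects(SAMPLE_LOG).items():
        for h in hits:
            print(ip, h["time"], h["status"], "; ".join(h["reasons"]))
```

Access logs record only the request line, so payloads sent in POST bodies or cookies have to be examined in WAF or application logs instead.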
The OWASP framework testing process aims to evaluate the vulnerabilities on the web server after the completion and implementation stages are carried out. The tools used in the analysis using the OWASP framework are shown in Table 1.

RESULT AND ANALYSIS
Based on the OWASP framework, several stages exist to determine and combine the vulnerability risk level on a web server. The stages include Data Collection, Penetration Testing, Analysis, and Reporting [29].

Data Collection
At this stage, the data collected to support the experiment in this study is data on the designlink.com.hk website. The OWASP framework is used to find vulnerabilities that exist on the web.

Penetration Testing
Penetration testing is a stage of testing on the web to find vulnerabilities, identify poor system configurations and hardware and software defects, and identify technical weaknesses in the information system being tested [30]. Penetration testing is useful for finding and addressing vulnerabilities in network infrastructure, showing how vulnerable it is to malicious attacks on the network. There are three stages carried out in penetration testing: gathering the information, mapping the network, and exploiting it. Gathering the information is the first step in identifying vulnerabilities. This includes searching for more in-depth information about the web server. At this stage, the desired information on the web server will be obtained using the whois and SSL Scan tools. The results using the whois tool are shown in Figure 5. Figure 6 shows that the SSL scanning tool found that the web server does not use SSL security when hosting, so hackers can easily hack the web server. Therefore, more attention should be paid to the supported protocol by using the latest version. Mapping the network on a web server using the OWASP Framework with the Nmap and OWASP Zap tools means scanning ports/hosts and looking for vulnerabilities on the web server. The results of the port scanning can be seen in Figure 7. In Figure 7, the results of testing using the Nmap tool show that there are seven ports with open status, namely ports 21, 53, 80, 443, 2121, 3306, and 8083 with the TCP (Transmission Control Protocol) protocol, and three ports with closed status, namely 5432, 8000, and 1200. Figure 8 is the result of a scan using the OWASP Zap tool. Figure 8 illustrates the scanning, from which the incoming data and information show how vulnerable or secure the web server is, along with all the associated risks, and reveal vulnerabilities or threats embedded in the web server. The results can be seen in Figure 9.

Figure 9. Vulnerability Results Using OWASP Zap Tools
Figure 9 depicts the vulnerability results for the web server: 14 vulnerabilities, five at a medium level, seven at a low level, and two at an informational level. This scan found no high-level vulnerabilities, but there are many medium-level vulnerabilities that must be fixed.
In the exploiting stage, the security vulnerability data obtained previously is used as material for further vulnerability testing using the SQL Map tool. The results can be seen in Figure 10.

Figure 10. URL Input
Figure 10 shows SQL commands performed on a web server not protected against SQL injection vulnerabilities to obtain database information using the dbs command. The result of a database query can be seen in Figure 11.

Figure 11. Result of -dbs Request
Figure 11 shows the results of the dbs command finding two database names: accurate and information schema. The web does not have any security, which allows attackers to get that information easily. Figure 12 is a command to display a list of tables. Figure 12 shows the usage of the SQL Map tool to bring up a list of tables to find table data on the web server, as seen in Table 2. The obtained results correspond to the requests made for the table data. Table 2 displays the query results from running the -tables command, which found eight tables in the designlink jack database. Figure 13, on the other hand, shows the dnd adminlogin table command.

Figure 13. Command Table dnd adminlogin
In Figure 13, the command -T dnd adminlogin -dump is performed to display the contents of the columns in the dnd adminlogin table. The results can be seen in Table 3.  Table 3 illustrates the successful extraction of data and information from the web server utilizing the SQL Map tool's SQL command.
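
The extraction above is possible only when request input becomes part of the SQL text. The following added example, which is not code from the paper or from the tested website, puts such a lookup beside a hardened form that applies the input validation the paper recommends together with parameter binding. The schema, table names and values are constructed, and it runs against an in-memory SQLite database.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory database: public designs plus an admin table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE designs (id INTEGER PRIMARY KEY, title TEXT, designer TEXT);
        CREATE TABLE admin_login (username TEXT, password_hash TEXT);
        INSERT INTO designs VALUES (1, 'Poster', 'A. Lee'), (2, 'Logo', 'B. Chan');
        INSERT INTO admin_login VALUES ('admin', 'constructed-hash-value');
    """)
    return db

def lookup_vulnerable(db, design_id):
    # The request value is pasted into the SQL text, so it can change
    # the statement itself instead of only supplying a value.
    sql = "SELECT title, designer FROM designs WHERE id = " + design_id
    return db.execute(sql).fetchall()

def lookup_hardened(db, design_id):
    # Input validation: the id must be a short run of ASCII digits.
    if not (design_id.isascii() and design_id.isdigit() and len(design_id) <= 9):
        raise ValueError("invalid id")
    # Parameter binding: the value travels as data and is never parsed as SQL.
    sql = "SELECT title, designer FROM designs WHERE id = ?"
    return db.execute(sql, (int(design_id),)).fetchall()

# Constructed test input of the kind an injection scanner submits.
INJECTED = "0 UNION SELECT username, password_hash FROM admin_login"

def demo():
    """Return (rows leaked by the vulnerable lookup, hardened rejected?, normal result)."""
    db = make_db()
    leaked = lookup_vulnerable(db, INJECTED)
    try:
        lookup_hardened(db, INJECTED)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected, lookup_hardened(db, "2")

if __name__ == "__main__":
    print(demo())
```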

Analysis
The vulnerability results from testing the web server in the previous stage will be analyzed. The analysis will be carried out on the web server that is the target of this research. The analysis results using the OWASP Framework can be seen in Table 4. Table 4 shows that the high level has a score of 0%, or no vulnerabilities; the medium level has a value of 33.3% (5 vulnerabilities), namely Absence of Anti-CSRF Tokens, Application Error Disclosure, Content Security Policy (CSP) Header Not Set, Missing Anti-clickjacking Header, and Vulnerable JS Library; the low level has a value of 50% (7 vulnerabilities), namely Cookie No HttpOnly flag, Cookie without SameSite Attribute, Cross-Domain JavaScript Source File Inclusion, Information Disclosure-Debug Error Messages, Server Leaks Information via X-Powered-By HTTP Response Header Fields, Timestamp Disclosure-Unix, and X-Content-Type-Options Header Missing; and the information level has a value of 16.7% (2 vulnerabilities), namely Charset Mismatch (Header Versus Meta Content-Type Charset) and Information Disclosure-Suspicious. The website can still be regarded as safe based on the vulnerabilities discovered. The results of the security testing analysis based on the Top 10 OWASP of 2021 are shown in Table 5.
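
Several of the findings listed above are visible in a single HTTP response, so they can be re-checked after each fix. The following added example, which is not the paper's code and does not reproduce OWASP ZAP's rules, audits one response's headers for the header and cookie findings named in Table 4, using the paper's risk levels. Both header sets are constructed.

```python
# Constructed response headers: a default PHP deployment and the same
# application after hardening. All values are illustrative assumptions.
WEAK = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("X-Powered-By", "PHP/7.4"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
]
HARDENED = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

def audit_headers(headers):
    """headers: (name, value) pairs of one response. Returns (risk, finding, detail)."""
    lower = [(name.lower(), value) for name, value in headers]
    first = {}
    for name, value in lower:
        first.setdefault(name, value)  # keep the first value of each header
    findings = []
    csp = first.get("content-security-policy", "")
    if not csp:
        findings.append(("Medium", "Content Security Policy (CSP) Header Not Set",
                         "Content-Security-Policy"))
    # Framing is controlled by X-Frame-Options or by CSP frame-ancestors.
    if "x-frame-options" not in first and "frame-ancestors" not in csp.lower():
        findings.append(("Medium", "Missing Anti-clickjacking Header",
                         "X-Frame-Options"))
    if first.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("Low", "X-Content-Type-Options Header Missing",
                         "X-Content-Type-Options"))
    if "x-powered-by" in first:
        findings.append(("Low", "Server Leaks Information via X-Powered-By "
                         "HTTP Response Header Fields", first["x-powered-by"]))
    # Each Set-Cookie header is checked on its own; a response may send several.
    for name, value in lower:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.split("=", 1)[0].strip().lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(("Low", "Cookie No HttpOnly flag", cookie))
        if "samesite" not in attrs:
            findings.append(("Low", "Cookie without SameSite Attribute", cookie))
    return findings

if __name__ == "__main__":
    for risk, finding, detail in audit_headers(WEAK):
        print(f"{risk:6} {finding} ({detail})")
    print("hardened findings:", audit_headers(HARDENED))
```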

Reporting
At this stage, the results of the analysis that has been carried out are summarized, and a report is created on the results found on the web server. Table 6 presents a report on the research data acquired through implementing the OWASP Framework. Table 5 provides information on how the OWASP Framework can be used to discover ownership data of a website domain and identify vulnerabilities associated with the website. A comparison of research results obtained in other studies using the OWASP framework can be seen in Table 7. The results found that the web server is at a moderate level, and using SQL Map, the web username and password were obtained.
Based on Table 8, it can be seen that the results of this research were compared with the research on Web Server Security Analysis with the OWASP Mantra Method [30], which used Acunetix tools and obtained results reaching around 90%; authentication management, authorization, and session management were not implemented properly. The security analysis research to find out vulnerabilities in DVWA Lab Testing Using the OWASP Penetration Testing Standard [31] used DVWA tools; the test results show that there are unfiltered MySQL functions and queries, so they are not suitable for use on websites because attackers can take over servers and databases. In the research on Analysis of Security Quality of Website-Based E-Office Information Systems on Rosma STMIK using OWASP Top 10 [18], the OWASP Zap tool detected four vulnerabilities: sensitive data exposure, security configuration errors, cross-site scripting, and Insecure Drops. Compared with previous research, this research uses the same OWASP framework. The tools used in this research are Whois, SSL Scan, Nmap, OWASP Zap, and SQL Map. Whois retrieved the web identity, SSL Scan found the web in an Overall Rating state, Nmap found three ports with a closed status and seven ports with an open status, OWASP Zap found moderate web design vulnerabilities, with a total of 14 vulnerabilities, and SQL Map successfully retrieved web design username and password data. Previous studies, by contrast, used only one tool to test web servers, without searching for information about the web and scanning network ports as was done in this study. The results of this study contribute to network forensic knowledge of SQLi attacks using the OWASP framework, as well as to parties involved in website security.

CONCLUSION
The website design was analyzed using the OWASP framework in testing against SQLi attacks. The Whois tool obtained the web identity, SSL Scan obtained an Overall Rating value, Nmap found three ports with closed status and seven ports with open status, OWASP Zap found 14 vulnerabilities, including five at Intermediate level, seven at low level, and two at Information level, and the SQL Map tool successfully retrieved usernames and passwords on the web. This illustrates that the web server design does not have adequate security and validation against the vulnerabilities of various attacks, especially injection attacks. The results of using the SQL Map tool for injection attacks were right on target, which shows that SQL Map can detect databases and important data on web servers only when the website is not protected, whereas when the website is protected, SQL Map will fail to exploit the website. This research is in accordance with the objectives of the researcher, so the researcher obtained the results as expected. For future research, the researcher suggests studying more SQLi techniques using various frameworks and tools to run web server penetration testing.

DECLARATIONS
AUTHOR CONTRIBUTION
This study was compiled by three authors divided into their respective tasks. Muhammad Amirul Mu'min compiles and designs work, collects, analyzes, and interprets data. Imam Riadi and Abdul Fadlil as supervisors for articles to be published.

FUNDING STATEMENT
This study received no specific financing from any funding agency in the public, commercial, or non-profit sectors.