OWASP Framework-based Network Forensics to Analyze the SQLi Attacks on Web Servers

  • Imam Riadi, Universitas Ahmad Dahlan, Yogyakarta, Indonesia
  • Abdul Fadlil, Universitas Ahmad Dahlan, Yogyakarta, Indonesia
  • Muhammad Amirul Mu'min, Universitas Ahmad Dahlan, Yogyakarta, Indonesia
Keywords: Network forensic, Security, Vulnerability, Web servers

Abstract

SQL injection (SQLi) is one of the dangerous vulnerabilities that affect websites. With this vulnerability, someone can obtain user data information, then change and delete that data. The solution to this attack problem is that the design website must improve security by paying attention to input validation and installing a firewall. The objective of this study is to examine the designlink website's security against SQLi attacks using network forensic tools, namely Whois, SSL Scan, Nmap, OWASP Zap, and SQL Map. The framework employed is OWASP, which is used for web security testing. According to the research findings, the design website has 14 vulnerabilities: five medium level, seven low level, and two informational level. SQL commands run with the SQL Map tool were used to get username and password information on its web server. According to the study's findings, the OWASP framework may be used with network forensic tools to verify the security of websites against SQLi attacks, so that information about the vulnerabilities found on the website can be provided. The results of this study contribute to network forensics knowledge of SQLi attacks using the OWASP framework and are of use to parties involved in website security.

Published
2023-07-06
How to Cite
Riadi, I., Fadlil, A., & Mu’min, M. (2023). OWASP Framework-based Network Forensics to Analyze the SQLi Attacks on Web Servers. MATRIK : Jurnal Manajemen, Teknik Informatika Dan Rekayasa Komputer, 22(3), 481-494. https://doi.org/10.30812/matrik.v22i3.3018
Section
Articles