Web Application Penetration Testing Using SQL Injection Attack
DOI: http://dx.doi.org/10.30630/joiv.5.3.470
Abstract
A web application is a very important requirement in the information and digitalization era. With the increasing use of the internet and the growing number of web applications, every web application requires an adequate security level to store information safely and avoid cyber attacks. Web applications go through rapid development phases with short turnaround times, challenging to eliminate vulnerabilities. The vulnerability on the web application can be analyzed using the penetration testing method. This research uses penetration testing with the black-box method to test web application security based on the list of most attacks on the Open Web Application Security Project (OWASP), namely SQL Injection. SQL injection allows attackers to obtain unrestricted access to the databases and potentially collecting sensitive information from databases. This research randomly tested several websites such as government, schools, and other commercial websites with several techniques of SQL injection attack. Testing was carried out on ten websites randomly by looking for gaps to test security using the SQL injection attack. The results of testing conducted 80% of the websites tested have a weakness against SQL injection attacks. Based on this research, SQL injection is still the most prevalent threat for web applications. Further research can explain detailed information about SQL injection with specific techniques and how to prevent this attack.
Keywords
Full Text:
PDFReferences
D. Satria, A. Alanda, A. Erianda, and D. Prayama, “Network Security Assessment Using Internal Network Penetration Testing Methodology,†JOIV Int. J. Informatics Vis., 2018.
S. Nagpure and S. Kurkure, “Vulnerability Assessment and Penetration Testing of Web Application,†in 2017 International Conference on Computing, Communication, Control and Automation, ICCUBEA 2017, 2018.
V. Casola, A. De Benedictis, M. Rak, and U. Villano, “A methodology for automated penetration testing of cloud applications,†Int. J. Grid Util. Comput., vol. 11, no. 2, 2020.
A. Sadeghian, M. Zamani, and S. Ibrahim, “SQL injection is still alive: A Study on SQL injection signature evasion techniques,†in Proceedings - 2013 International Conference on Informatics and Creative Multimedia, ICICM 2013, 2013.
I. Jemal, O. Cheikhrouhou, H. Hamam, and A. Mahfoudhi, “SQL Injection Attack Detection and Prevention Techniques Using Machine Learning,†Int. J. Appl. Eng. Res., vol. 15, no. 6, 2020.
F. Q. Kareem et al., “SQL Injection Attacks Prevention System Technology: Review,†Asian J. Res. Comput. Sci., 2021.
M. A. M. Yunus, M. Z. Brohan, N. M. Nawi, E. S. M. Surin, N. A. M. Najib, and C. W. Liang, “Review of SQL injection: Problems and prevention,†Int. J. Informatics Vis., vol. 2, no. 3–2, pp. 215–219, 2018.
M. Liu, K. Li, and T. Chen, “DeepSQLi: Deep semantic learning for testing SQL injection,†in ISSTA 2020 - Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, 2020.
A. Alanda, D. Satria, H. A. Mooduto, and B. Kurniawan, “Mobile Application Security Penetration Testing Based on OWASP,†in IOP Conference Series: Materials Science and Engineering, 2020.
P. S. Shinde and S. B. Ardhapurkar, “Cyber security analysis using vulnerability assessment and penetration testing,†in IEEE WCTFTR 2016 - Proceedings of 2016 World Conference on Futuristic Trends in Research and Innovation for Social Welfare, 2016.
I. Yaqoob, S. A. Hussain, S. Mamoon, N. Naseer, J. Akram, and A. Ur Rehman, “Penetration Testing and Vulnerability Assessment,†J. Netw. Commun. Emerg. Technol. www.jncet.org, vol. 7, no. 8, pp. 10–18, 2017.
L. Epling, B. Hinkel, and Y. Hu, “Penetration testing in a box,†in Proceedings of the 2015 Information Security Curriculum Development Conference on - InfoSec ’15, 2015, pp. 1–4.
A. Chowdhary, D. Huang, J. S. Mahendran, D. Romo, Y. Deng, and A. Sabur, “Autonomous security analysis and penetration testing,†in Proceedings - 2020 16th International Conference on Mobility, Sensing and Networking, MSN 2020, 2020.
Owasp, OWASP Top 10 - 2013. 2013.
Z. C. S. S. Hlaing and M. Khaing, “A Detection and Prevention Technique on SQL Injection Attacks,†in 2020 IEEE Conference on Computer Applications, ICCA 2020, 2020.
G. Deepa, P. S. Thilagam, F. A. Khan, A. Praseed, A. R. Pais, and N. Palsetia, “Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications,†Int. J. Inf. Secur., 2018.
Q. Li, F. Wang, J. Wang, and W. Li, “LSTM-Based SQL Injection Detection Method for Intelligent Transportation System,†IEEE Trans. Veh. Technol., 2019.
Q. Li, W. Li, J. Wang, and M. Cheng, “A SQL Injection Detection Method Based on Adaptive Deep Forest,†IEEE Access, vol. 7, 2019.
Y. Fang, J. Peng, L. Liu, and C. Huang, “WOVSQLI: Detection of SQL injection behaviors using word vector and LSTM,†in ACM International Conference Proceeding Series, 2018.
S. Sodagudi, S. K. Kotha, and M. David Raju, “Novel approaches to identify and prevent cyber-attacks in web,†in Proceedings of the 3rd International Conference on Computing Methodologies and Communication, ICCMC 2019, 2019.