ISSN 2250-3153
I. INTRODUCTION
Today's Web applications contain dangerous security flaws. The global distribution of these applications makes them prone to attacks that uncover and maliciously exploit a variety of security vulnerabilities [1]. ISO 27005 defines a vulnerability as "a weakness of an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission" [2]. According to the National Vulnerability Database (NVD) [3], the number of vulnerabilities has approximately tripled since 2011. This is shown in Figure 1.
www.ijsrp.org
International Journal of Scientific and Research Publications, Volume 6, Issue 6, June 2016 661
these tools are available in the market, but the question becomes how efficient they are at addressing security concerns in web applications. To compare the vulnerability detection rate of different scanners, it is important to have an independent test suite. Web vulnerability scanners are often regarded as an easy way to test applications for vulnerabilities. In fact, vulnerability scanners provide an automatic way to search for vulnerabilities, avoiding the repetitive and tedious task of doing hundreds or even thousands of tests by hand for each vulnerability type. Most of these scanners are commercial tools (e.g., IBM Rational AppScan [5] and HP WebInspect [6]), but there are also some free application scanners (e.g., Acunetix [7], Netsparker [8], Burp Suite [9], Foundstone WSDigger [10] and Wsfuzzer [11]) of limited use, as they lack most of the functionality of their commercial counterparts.

This paper describes a web application intended to be used to evaluate the efficiency of the Netsparker, Burp Suite and Acunetix web application vulnerability scanners. The application implements real-life scenarios for the OWASP Top Ten Security Risks [12]. For several vulnerabilities presented in this application, we also explain defense measures which secure the application significantly.

There are several existing web applications that demonstrate common web application vulnerabilities, such as the "HacMe" series [13] and "WebGoat" [14]. "WebGoat" is mainly used for educational purposes. But we want to implement the vulnerabilities from the OWASP Top Ten report, which is not possible with these web applications. Because of these drawbacks of the available applications, there is a need for an independent web application which implements the OWASP Top Ten vulnerabilities, to be used to test these web scanners. We designed a web application ("shopatujjain") that simulates the steps a regular user goes through while using a dynamic web page and replicates that behavior. The availability of the source code and control over the server results provide a better evaluation of web application scanners.

The main functionalities of the application are:
First, a user creates an account and provides his/her personal data, including shipping address and credit card details.
Second, he/she selects products and saves the selection in a personal shopping cart.
Then, when the user decides to make a purchase, an invoice is placed in a queue for further processing.
In addition, a user can add reviews for products, read other customers' opinions and the newsletter, and subscribe to the mailing list.

In this paper we used two free web application vulnerability scanners to identify security flaws in the web application. Our main objective is to study the effectiveness of the scanners and to try to identify common types of vulnerabilities in web application environments. In summary, our practical experiment report focuses on the following three questions:
What is the coverage of the vulnerability scanners tested when used in a web services environment?
What is the false-positive rate of the web vulnerability scanners tested when used in a web services environment?
What are the most common types of vulnerabilities in web services environments?

II. EXPERIMENTAL DETAILS
Broadly, our experimental study consisted of five steps:
i. Web Application: Design a web application that implements all the vulnerabilities from the OWASP Top Ten report; also select publicly available web application services.
ii. Vulnerability Scanner: Select the free web application vulnerability scanners.
iii. Execution: Use the vulnerability scanners to scan the services to identify potential vulnerabilities.
iv. Verification: Perform manual testing to confirm that the vulnerabilities identified by the scanners do exist (i.e., are not false positives).
v. Analysis: Analyze the results obtained and systematize the lessons learned.

1.1 OWASP Web Application Security Risks
The OWASP security community released its annual report in 2015 capturing the top risks in web application development, with risk defined as a combination of the probability of an event and its consequence [12].
The list of the top risks in web applications is as follows:
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards

The two most common risks in the Web environment are SQL injection, which lets attackers alter SQL queries sent to a database, and cross-site scripting (XSS). Injection attacks take advantage of improperly coded applications to insert and execute attacker-specified commands, enabling access to critical data and resources. XSS vulnerabilities exist when an application sends user-supplied data to a web browser without first validating or encoding that content.
In the web application described in this paper, we implement the OWASP top vulnerabilities A1, A2, A3 and A5.

III. METHODOLOGY
The "shopatujjain" web application is a PHP-based application deployed on an Apache Tomcat server. It uses a MySQL database to store the data for the website in its tables. The application uses PHP to present the user interface. It also uses HTML, CSS, JavaScript and AJAX technologies. The presence of technologies such as AJAX and JavaScript in our
web application gives additional opportunities. JavaScript is widely used in modern web applications, and it is important to analyze the behavior of the tools and their ability to parse JavaScript code.
The web application developed is based on the OWASP Top Ten report of 2014. In this section we go over the characteristics of the vulnerabilities presented in the web application.

1.1 SQL Injection Vulnerability
The user has provided his/her credentials, username and password, via the web application. The web application has stored the user data in the SQL server. An attacker crafts HTTP requests that are sent to the web server to inject commands into the SQL server in order to gain system-level access [15]. The vulnerable web application allows this malicious code to be passed to the SQL server, thus making it possible for the attacker to use SQLI commands to get user account credentials.

... mechanism does not provide enough protection, an attacker can try to obtain credentials by using different techniques or some other combination. Simple password recovery mechanisms can become victims of a social engineer who manipulates a user into revealing confidential information.
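As an added illustration of the A1 defense this paper points to (prepared statements, [18]), and not code from the shopatujjain application: the login check of section 1.1 reduced to Python and sqlite3, with the concatenated query beside the parameterized one. The table layout, the account and the hashing scheme are constructed for the example.

```python
# Added example, not the paper's code: a user-login lookup written the vulnerable
# way (SQL text built from user input) and the prepared-statement way.
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the table never holds plaintext passwords (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account: alice / s3cret."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    con.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, _hash("s3cret", salt)))
    return con


def unsafe_query(username: str) -> str:
    """The A1 pattern the scanners hunt for: the SQL *text* changes with the input,
    so a quote in the username alters the statement instead of being data."""
    return "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"


def login_unsafe(con: sqlite3.Connection, username: str, password: str) -> bool:
    row = con.execute(unsafe_query(username)).fetchone()  # parser sees user input as SQL
    return row is not None and hmac.compare_digest(_hash(password, row[0]), row[1])


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: fixed SQL text, the username travels as a bound parameter."""
    sql = "SELECT salt, pw_hash FROM users WHERE username = ?"
    row = con.execute(sql, (username,)).fetchone()
    return row is not None and hmac.compare_digest(_hash(password, row[0]), row[1])


def quote_breaks_unsafe(con: sqlite3.Connection) -> bool:
    """True if a legitimate username containing a quote already breaks the
    concatenated query: the same property an injected payload exploits."""
    try:
        login_unsafe(con, "o'brien", "x")
        return False
    except sqlite3.OperationalError:
        return True
```

The parameterized version answers the same lookup for every username; the concatenated version fails on ordinary input, which is the symptom the scanners' A1 probes rely on.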
a web browser, avoiding the server side [16]. The DOM 'environment' in the victim's browser is modified by the original client-side script, and as a result of that, the payload is executed.

Referer: http://vulnerableApp.com/displayAccountPassword
Cookie: JSESSIONID=98224C7236B39895384AD3A760E405AB

While using the POST method, form data appears within the message body of the HTTP request, not the URL. Thus, password information is not revealed. To avoid the security misconfiguration vulnerability in the above example, the
With the Top 10 Secure Coding Practices for each vulnerability type, we provide the defense mechanism for the top four vulnerabilities out of the top ten OWASP vulnerabilities.
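An added defender-side check for the "password sent via GET method" finding discussed above, not part of the paper: it scans constructed Apache-style access log lines for sensitive parameter names in request URLs and in Referer URLs, the two places where a GET login leaves credentials behind. The log format, parameter list and sample lines are assumptions.

```python
# Added example, not the paper's code: find credentials carried in URLs, which end
# up in server logs, browser history and the Referer header of the next request.
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as sensitive (assumed list; extend for your application).
SENSITIVE = {"password", "passwd", "pwd", "pass", "credit_card", "ccnum", "cvv", "token"}

# Apache/Tomcat combined-log request part: "METHOD path HTTP/x" status bytes "referer"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"'
)


def sensitive_params(url: str) -> list:
    """Sensitive parameter names present in the query string of url."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE)


def scan_log(lines) -> list:
    """Return (line_no, where, params) for each leak: 'request' when the GET URL
    itself carries credentials, 'referer' when a previous page's URL did and the
    browser forwarded it (possibly to a third-party host) in the Referer header."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        if m["method"] == "GET":
            found = sensitive_params(m["path"])
            if found:
                findings.append((no, "request", found))
        if m["referer"] not in ("", "-"):
            found = sensitive_params(m["referer"])
            if found:
                findings.append((no, "referer", found))
    return findings


# Constructed sample lines (not real traffic): a GET login, the page after it,
# the same login done with POST, and an ordinary catalogue request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2016:10:00:01 +0530] "GET /login?username=alice&password=s3cret HTTP/1.1" 302 0 "-"',
    '10.0.0.5 - - [01/Jun/2016:10:00:02 +0530] "GET /account HTTP/1.1" 200 812 "http://shop.example/login?username=alice&password=s3cret"',
    '10.0.0.5 - - [01/Jun/2016:10:00:03 +0530] "POST /login HTTP/1.1" 302 0 "http://shop.example/login"',
    '10.0.0.5 - - [01/Jun/2016:10:00:04 +0530] "GET /products?category=books HTTP/1.1" 200 4410 "-"',
]
```

The POST login in the third line produces no finding, which is exactly the property the text above relies on: the form fields travel in the request body, not in the URL.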
1.9 Netsparker
Netsparker does not require much prior knowledge to use the tool; it has a very good user interface, and it does a decent job of detecting the most important vulnerabilities [8]. It has good reporting features that are easy to read and intuitively designed. Moreover, it has the ability to confirm detected vulnerabilities. This feature can be a real time saver, as the tester does not need to validate those vulnerabilities that have been confirmed by Netsparker. The scanning results of Netsparker are shown below.

1.10 Burp Suite
Burp is easy to use and intuitive, which allows new users to start working immediately. Burp is also highly configurable, and contains many advanced features to assist the most experienced testers with their work. The scanning results of Burp Suite are shown below.

There are several free WAVS available in the market. We review three of them: Acunetix Web Application Scanner (WAS), Netsparker Web Vulnerability Scanner and Burp Suite Web Vulnerability Scanner (WVS). All WAVS follow a common strategy: first they crawl the victim web site, then they create and inject payloads, and finally they analyze the responses. We have chosen these scanners because they provide that feature; they identify all types of vulnerabilities listed in the OWASP Top Ten report.

ASSESSMENT OF WEB APPLICATION VULNERABILITY SCANNERS
The results of the Acunetix, Netsparker and Burp Suite Web Vulnerability Scanners are shown in Table 1. The table contains the following data:
The first column is the serial number.
The second column represents the vulnerability number taken from the OWASP Top Ten vulnerabilities.
The third column represents the vulnerabilities presented in the test suite.
The fourth column shows the various types of the vulnerabilities presented in the third column.
The fifth column contains the number of vulnerabilities detected by Acunetix WAVS.
The sixth column contains the number of vulnerabilities detected by Netsparker WAVS.
The last column is the number of vulnerabilities detected by Burp Suite WAVS.
The Burp Suite scanner failed to find some SQL Injection vulnerabilities, which were not executed immediately.

Table 1: WAVS assessment results
S.No | OWASP 2015 report | OWASP Vulnerability | Vulnerability Type | Acunetix | Netsparker | Burp Suite
1 | A1 | SQL Injection | | 15 | 4 | 7
2 | A2 | Broken Authentication and Session Management | Password guessing | 5 | 0 | 2
  |    |  | Brute force | 1 | 1 | 0
3 | A3 | Cross Site Scripting | Non-persistent XSS | 9 | 9 | 2
  |    |  | Persistent XSS | 1 | 3 | 1
  |    |  | DOM XSS | 3 | 1 | 0
4 | A5 | Security Misconfiguration | Password sent via GET method | 5 | 5 | 5
  |    |  | Network server DDoS | 2 | 0 | 2
  |    |  | Sensitive data display | 0 | 4 | 2
Total | | | | 40 | 27 | 18
1.14 Security Misconfiguration: All scanners can find the Password sent via GET method vulnerability. The Acunetix scanner missed the Sensitive Data Display vulnerability.

VII. CONCLUSIONS
This paper describes the OWASP Top 10 Security Risks implemented in a web application, which is used as a test set for evaluating the effectiveness of the Acunetix web application vulnerability scanner, the Netsparker web application vulnerability scanner and the Burp Suite web application vulnerability scanner. We selected four vulnerabilities from the OWASP Top 10 Security Risks for the evaluation of three prominent web application vulnerability scanners. The evaluation of the three prominent web application vulnerability scanners was carried out by analyzing the results obtained from running the web scanners against the vulnerable web application, and then comparing the number of vulnerabilities detected. The comparison of the three selected scanners is shown in the following graph:

[Figure: comparison chart of Acunetix, Netsparker and Burp Suite by vulnerability category (SQL Injection, XSS, authentication, misconfiguration)]

The results show that both the Acunetix and Netsparker scanners can find cross-site scripting (XSS), but the Burp Suite results are very poor. For SQL Injection, Acunetix detected all vulnerabilities. The scan results of Acunetix WAVS for Broken Authentication and Session Management vulnerabilities are better than those of the other two scanners. But Security Misconfiguration vulnerabilities were not found correctly by Acunetix; in this case the results of the Netsparker and Burp Suite scanners are better. The results show that crawling has improved significantly, although there are still limitations that affect the detection rate of vulnerabilities such as SQLI and XSS.
For several vulnerabilities presented in this application, we also describe defense measures which secure the application significantly. The evaluation results for the web application identify the vulnerabilities that are most challenging for scanners to detect, and compare the effectiveness of the scanners. The assessment results can suggest areas that need further research to improve the detection rate of scanners.

REFERENCES
[1] Sarasan S. "Detection and Prevention of Web Application Security Attacks", International Journal of Advanced Electrical and Electronics Engineering (IJAEEE), ISSN (Print): 2278-8948, Volume-2, Issue-3, 2013, pp. 29-34.
[2] International Organization for Standardization and International Electrotechnical Commission. ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, 2005.
[3] National Vulnerability Database, http://nvd.nist.gov
[4] N. Antunes and M. Vieira, "Enhancing Penetration Testing with Attack Signatures and Interface Monitoring for the Detection of Injection Vulnerabilities in Web Services," Proc. IEEE Int'l Conf. Services Computing (SCC 11), IEEE CS 2011, pp. 104-111.
[5] IBM Rational AppScan, 2008, http://www-01.ibm.com/software/awdtools/appscan/
[6] HP WebInspect, 2008, http://www.hp.com
[7] Acunetix Web Vulnerability Scanner, 2008, http://www.acunetix.com/vulnerability-scanner/
[8] Netsparker Web Vulnerability Scanner, 2012, https://www.netsparker.com/web-vulnerability-scanner/
[9] Burp Suite Web Vulnerability Scanner, https://portswigger.net/burp/
[10] Foundstone WSDigger, 2008, http://www.foundstone.com/us/resources/proddesc/wsdigger.htm
[11] wsfuzzer 2008, http://www.neurofuzz.com/modules/software/wsfuzzer.php
[12] https://www.owasp.org/images/0/0f/OWASP_T10_-_2015_rc1.pdf
[13] Foundstone Hacme Series. McAfee Corp
[14] WebGoat Project. OWASP. http://www.owasp.org/index.php/Category:OWASP WebGoat Project
[15] K. K. Mookhey, Nilesh Burghate, Detection of SQL Injection and Cross-site Scripting Attacks, Symantec Connect Community, 02 November 2010
[16] J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song, "A Systematic Analysis of XSS Sanitization in Web Application Frameworks", University of California, Berkeley, 2011
[17] The OWASP Foundation, "OWASP Top Ten Web Application Security Risks", http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, 2015
[18] Oracle Documentation. "Using Prepared Statements", 2011. Retrieved 2012 from: http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html
[19] Yang Guang, JJ, & Jipeng, H. "System module interaction stress testing based on a model", 2014. Second International Conference on Computer Engineering and Applications, (pp. 138-141) Bali Island
[20] Neto, AA, Duraes, J., Vieira, M., & Madeira, H. "Assessing and Comparing Security of Web Servers", 2008. 14th IEEE Pacific Rim International Symposium on Dependable Computing. IEEE Computer Society
[21] Shekyan, S. Qualys Community. "Identifying Slow HTTP Attack Vulnerabilities on Web Applications", 2013
[22] Shekyan, S. Qualys Community. "How to Protect Against Slow HTTP Attacks", 2014
[23] Apache Software Foundation. "Security Tips, V 2.5", 2011. Retrieved 2014, from: http://httpd.apache.org/docs/2.0/misc/security_tips.html
[24] Black, PE, Fong, E., Okun, V., & Gaucher, R. National Institute of Standards and Technology (NIST). "Software Assurance Tools: Web Application Security Scanner Functional Specification"
[25] Vieira M, Antunes N, Madeira H. "Using Web Security Scanners to Detect Vulnerabilities in Web Services", Coimbra - 2015

AUTHORS
First Author - Chanchala Joshi, Institute of Computer Science, Vikram University, Ujjain, MP India, chanchala.joshi@gmail.com
Second Author - Umesh Kumar Singh, Institute of Computer Science, Vikram University, Ujjain, MP India, umeshksingh1@gmail.com