Apr 11, 2019


@IJRTER-2017, All Rights Reserved 296

Security Assessment of Web Application Through Penetration System Techniques

Akhyar Lubis¹, Avinanta Tarigan²

¹Faculty of Computer Science, Universitas Pembangunan Panca Budi, Jl. Jend. Gatot Subroto Km. 4,5 Sei Sikambing, 20122, Medan, Sumatera Utara, Indonesia

²Universitas Gunadarma, Jl. Margonda Raya No. 100, 16424, Depok, Indonesia

Abstract – The strength of a site can be tested by attacking it; this kind of test is penetration testing. Before a site is released, the security of its network and web application must be tested and shown to be safe. This study aims to find loopholes and flaws in web applications. The object of research is the Universitas Pembangunan Panca Budi site (www.pancabudi.ac.id). The experiment used a simulated attack to test whether the site has adequate security. The penetration test collects information about the strength of the network, security holes, and access. The result is a set of recommendations for security improvement. Using the results of the penetration test, the administrator can fix the vulnerabilities that exist on the site.

Keywords – Security, Penetration Test, Hacking, OWASP

I. INTRODUCTION

Developments in telecommunications, information technology, and the Internet are growing very rapidly, so that information can be easily accessed and retrieved [1]. The use of information technology is essential for companies and organizations to increase added value and deliver excellent service to customers in order to win the business competition. On the other hand, it exposes them to the threat of attacks and data leaks. The number of computer crimes relating to information systems will continue to increase. Each system connected to the Internet is a potential candidate for malicious attacks. The level of attacks has also increased; it is difficult to distinguish between normal and attack behavior.

Figure 1 shows breach statistics from www.breachlevelindex.com: more than 5.329.418.398 data records have been lost or stolen since 2013. Only 4% of the breaches were safe, because encryption was used and the stolen data was useless. According to these data, the health care sector has been the biggest target of attacks in recent years, and this did not change in the first half of 2016, when it accounted for about a quarter (27%) of the total. The next highest share of breaches, in government, was 14% during the first half. The sources of the problem vary; the largest is attacks by malicious outsiders, which cause losses to the industry and to the data owners.


International Journal of Recent Trends in Engineering & Research (IJRTER) Volume 03, Issue 01; January - 2017 [ISSN: 2455-1457]


Fig. 1 Breach Statistics Data

Universitas Pembangunan Panca Budi has implemented IS/IT as a supporting system and also as a business driver in the world of education. A very important issue for educational institutions is the rising threat of attacks against information systems. Threats always come unexpectedly and can result in greater risk if that risk is not managed. This is due to a combination of increasingly sophisticated and automated attack tools, the growing number of attacks being discovered, and improved user connectivity. As the system is open to students, staff, and faculty and can be accessed by the public, information system vulnerabilities are always present and are likely to increase. The application is a web-based application that runs in a browser, developed by the Bureau of Information Systems Development, and can be accessed by users through a network such as the Internet or an intranet. Therefore, controls against threats and vulnerabilities are needed to minimize the risk, through vulnerability assessment and penetration testing. Penetration testing is an important subject that IT administrators should be aware of.

Based on Article 15 of the ITE Law, the operators of an electronic system must operate it reliably and safely and are responsible for its proper operation. Accordingly, security weaknesses in applications, computers, and networks should be identified. Evaluating network security allows time to fix the system before things go wrong. Therefore, this study focuses on the web application running on a web server of Panca Budi. The penetration testing methods used are OWASP version 4 and EC-Council.

II. RELATED WORKS

Shinde performs a security analysis using vulnerability assessment and penetration testing, exploiting vulnerabilities in the system to find paths to unauthorized access, in order to identify weaknesses that pose a threat to the application [6]. Combining penetration testing and vulnerability assessment provides a detailed view of weaknesses and risks. To protect the integrity and confidentiality of information, organizations conduct Vulnerability Assessment and Penetration Testing (VAPT) to check the security posture of a system, with two major components: the analysis and the discovery of vulnerabilities. Using OWASP, ten vulnerabilities were associated with Common Weakness Enumeration entries. The survey of the literature on VAPT methods found that there are many prominent tools for VAPT, and that an additional mechanism is needed to identify changes in the vulnerability assessment.

Dirgahayu also conducted penetration testing research, applying the ISSAF and OWASP version 4 methods to web server vulnerability testing [3]. The tests performed with the ISSAF method show that the IKIP PGRI Madiun web server can be penetrated and administrator rights taken over, while the OWASP version 4 method indicates that authentication, authorization, and session management have not been implemented properly.

Vibhandik tested web application vulnerabilities by analyzing and combining tools to address security issues, using W3AF (Web Application Attack and Audit Framework) together with Nikto and referring to the OWASP model of threats to web-based applications [2]. Nikto is a free and open source web server security testing tool implemented in Perl. The testing approach is shown in the figure below.

Fig. 2 Vulnerability testing approach

Analysis of the test results showed that the combination of W3AF and Nikto is capable of detecting vulnerabilities that could lead to an attack. The testing phases "identify", "analyze", "test", and "report" help achieve a vulnerability assessment and penetration test that covers most of the vulnerabilities.

Bernard Stepien and Liam Peyton tried penetration testing using TTCN-3 in a model-based approach for the web, with SQL injection and XSS attacks as test cases. The experiment combines a general purpose language with a web testing framework, and then uses the TTCN-3 language, also combined with a web testing framework [7]. Both the model and the test cases are specified in an abstract way. Abstraction is the key factor for reducing and also the results of the analysis.

Josip Bozic and Franz Wotawa used PURITY for web application penetration testing, checking whether a website is vulnerable to common vulnerabilities such as SQL injection and cross-site scripting. The tool is based on planning. It takes as input from the user the URL of the application and planning definition files (PDDL), which specify the initial state, the potential actions, and the potential attack vectors to use when testing the application [5]. The test results show that, even though it is a prototype, PURITY managed to test web applications. Figure 3 shows the environment of PURITY.


Fig. 3 PURITY Environment

Nisal Madhushan Vithanage and Neera Jeyamohan also conducted research, presenting WebGuardian, a penetration testing tool that identifies vulnerabilities in a target web application according to OWASP and detects vulnerability types such as SQLi, XSS, Unvalidated Redirects and Forwards, Insecure Direct Object References, and security configuration errors.

Akhyar Lubis and Andysah Putera Utama Siahaan discussed vulnerability assessment through wireless penetration testing. The authors used penetration testing tools on the Linux 2.0 operating system. The targets were wireless routers at Universitas Pembangunan Panca Budi [4].

III. PROPOSED WORK

Information gathering collects information related to the target web application of the penetration test. As much information as possible is collected about the target. This is necessary before the penetration testing process starts, along with careful planning and preparation. The technique is scanning through the internal and external networks. The OWASP Top 10 document, which summarizes the 10 most dangerous application security flaws, serves as the basis for the next stage. Tools such as nmap and xprobe2 are used to obtain information through port scanning, operating system detection, and service enumeration.

All the information obtained is used as input to the next stage. The information noted is networking, IP addressing, operating systems, and open ports, for the scanning and vulnerability assessment stage. Scanning and vulnerability assessment was done using separate network scanners, i.e., Nessus and OpenVAS. Both scanners are configured to identify any vulnerabilities found. Once this phase is completed, it is followed by exploitation: every identified vulnerability is checked to verify whether exploitation is possible or not. The Metasploit framework is used for this. The risk is calculated by the following formula.

Risk = Threat × Vulnerability × Impact

Data is collected from the information gathering and exploitation stages, identifying the potential sources and how the data is collected. Data collection is done experimentally. The gray box method, in which the tester is given only limited information, is used to test the vulnerabilities so that data can be collected and recovered from the exploitation.


The methods used in the analysis of web applications are:

- Input validation: tests related to OS command injection, script injection, SQL injection, LDAP injection, and cross-site scripting.

- Output sanitization: tests using special characters to check for errors in the application.

- Checking for buffer overflows: tests covering stack overflow, heap overflow, and format-string overflow attacks.

- Access control: checks for access to the administration interface, sending manipulated data in forms, tampering with URL query strings, changing values in client-side scripts, and cookie attacks.

- Denial of service: testing against denial of service attacks.

IV. TESTING AND IMPLEMENTATION

A. Scanning and Vulnerability Assessment

All information has been collected at this stage. Two techniques are used in scanning, manual and automatic. The manual technique takes more time to identify vulnerabilities. Both methods are still used to find possible vulnerabilities in the system and the network.

Automated scanning and vulnerability assessment uses Nessus. It is used to scan for the operating system in use and to determine the vulnerabilities of services running on the target host. The scans are used to determine whether exploitation of the target host is possible.

Scanning has three objectives:

- Active devices, operating system, IP addresses in use

- Ports (open/closed)

- Gaps (vulnerabilities)

Based on the discovered hosts, scanning is done using Nessus to identify any vulnerabilities. The Nessus scan configuration used was a web application test. The targets are hosts in the IP range 192.168.0.0/24. The scan results contain information on each host that was successfully scanned. Vulnerabilities are labeled critical, high, medium, low, and info. The following table is the result of the scan using Nessus.


Table 1 Recapitulation of host susceptibility

Based on the table above, 2% of the host vulnerabilities are critical, 10% high, 25% medium, 2% low, and 61% info, as presented in the following figure.

Fig. 3 The percentage of the total host vulnerability
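The recapitulation described above can be reproduced from a scanner export. The following is an added example, not code or data from the paper: it assumes a Nessus-style CSV with "Risk" and "Host" columns, and the rows, plugin IDs and function names are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample, not data from the paper. Assumption: the scanner's CSV
# export has "Risk" and "Host" columns and marks informational plugins "None".
SAMPLE_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
900001,,10.0,Critical,192.168.0.10,tcp,443,Constructed finding A
900002,,7.5,High,192.168.0.10,tcp,80,Constructed finding B
900003,,5.0,Medium,192.168.0.10,tcp,80,Constructed finding C
900004,,4.3,Medium,192.168.0.10,tcp,22,Constructed finding D
900005,,,None,192.168.0.10,tcp,0,Constructed finding E
900006,,,None,192.168.0.10,tcp,80,Constructed finding F
900003,,5.0,Medium,192.168.0.20,tcp,80,Constructed finding C
900007,,2.6,Low,192.168.0.20,tcp,25,Constructed finding G
900005,,,None,192.168.0.20,tcp,0,Constructed finding E
900006,,,None,192.168.0.20,tcp,80,Constructed finding F
"""

SEVERITIES = ["critical", "high", "medium", "low", "info"]


def normalise(risk):
    """Map the export's Risk value onto the paper's five labels."""
    value = risk.strip().lower()
    return "info" if value in ("", "none", "info") else value


def per_host_counts(csv_text):
    """Return {host: Counter(severity -> findings)} for one scan export."""
    hosts = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        severity = normalise(row["Risk"])
        if severity not in SEVERITIES:
            raise ValueError(f"unexpected risk label: {row['Risk']!r}")
        hosts[row["Host"]][severity] += 1
    return dict(hosts)


def severity_percentages(hosts):
    """Share of each label across all hosts, as in the recapitulation."""
    total = Counter()
    for counts in hosts.values():
        total.update(counts)
    findings = sum(total.values())
    if findings == 0:
        return {s: 0.0 for s in SEVERITIES}
    return {s: round(100 * total[s] / findings, 1) for s in SEVERITIES}


def remediation_order(hosts):
    """Hosts sorted by critical, then high, medium and low counts."""
    return sorted(hosts, key=lambda h: [-hosts[h][s] for s in SEVERITIES[:4]])


if __name__ == "__main__":
    hosts = per_host_counts(SAMPLE_CSV)
    print(severity_percentages(hosts))
    print(remediation_order(hosts))
```

Informational findings dominate most scans, so the ordering ignores them and ranks hosts by the four actionable labels only.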


B. Exploitation

Scanner INURL

Further searches were carried out to exploit GET/POST requests, in order to capture emails and URLs. Exploitation using INURLBR returned no results.

Brute Force

This exploitation attempts attacks with random passwords. Brutex was run against the ports found by scanning.

SQL Injection

Exploitation of the multiple subdomains of www.pancabudi.ac.id found a loophole that allows SQL commands to be inserted, as seen in Table 2.

Table 2 Vulnerability result of SQL injection
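The fix for the class of flaw reported in this section, as an added example that is not from the paper or the tested site: a string-built query beside its parameterized form, using Python's sqlite3 with a constructed table. The table, function names and probe string are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Build a small in-memory database with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT)"
    )
    db.executemany(
        "INSERT INTO students (name, grade) VALUES (?, ?)",
        [("alice", "A"), ("budi", "B"), ("citra", "C")],
    )
    return db


def lookup_vulnerable(db, name):
    # Flawed on purpose: the input is concatenated into the SQL text, so a
    # quote character in it changes the structure of the statement.
    query = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_safe(db, name):
    # Parameterized: the driver passes the value separately from the SQL
    # text, so it is only ever compared as data.
    return db.execute(
        "SELECT name, grade FROM students WHERE name = ?", (name,)
    ).fetchall()


def treats_input_as_data(lookup):
    """Regression check: a quoted tautology must match no rows and must not
    reach the SQL parser as syntax."""
    db = make_db()
    probe = "x' OR '1'='1"
    try:
        rows = lookup(db, probe)
    except sqlite3.Error:
        return False  # the input was parsed as SQL
    return rows == []


if __name__ == "__main__":
    print("vulnerable passes check:", treats_input_as_data(lookup_vulnerable))
    print("safe passes check:", treats_input_as_data(lookup_safe))
```

A check like `treats_input_as_data` can be kept in the application's test suite so that a later change back to string-built queries fails the build.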

C. Social Engineering

Social engineering is one of the attack vectors used in penetration testing. It focuses on non-technical aspects, exploiting the trust of users, that is, the human side. The social engineering techniques used the Social-Engineer Toolkit (SEToolkit) on the Linux operating system together with the Metasploit framework. The author used the spear-phishing attack vector, which sends an email to the target with an exploited Adobe PDF file attached. The method used is Windows Meterpreter Reverse TCP. When the PDF file is opened, it executes a reverse shell back to the attacker's system. The email was sent to one known address and has not received a response.


V. CONCLUSION

Web applications have been developing very fast along with newer programming technologies and database storage. Testing becomes harder when a system uses new technology. An alternative is to use automated applications in testing. Success in penetration testing depends on the methodology used. From the discussion, it can be concluded that the penetration testing was done to find weaknesses or vulnerabilities in the web application on the domain and subdomains of www.pancabudi.ac.id. It shows that there are still gaps that allow exploitation by SQL injection. The vulnerability results obtained can serve as a reference so that network administrators can patch or close these weaknesses.

REFERENCES

[1] Hariyanto and A. P. U. Siahaan, “Intrusion Detection System in Network Forensic Analysis and Investigation,” IOSR Journal of Computer Engineering, vol. 11, no. 5, pp. 187-191, 2016.

[2] R. Vibhandik and A. Bose, “Vulnerability Assessment of Web Applications a Testing Approach,” in International Conference of e-Technologies and Networks for Development, 2015.

[3] R. Dirgahayu, Y. Prayudi and A. Fajaryanto, “Penerapan metode ISSAF and OWASP versi 4 untuk uji kerentanan web server,” International Journal of Network Security & Its Applications (IJNSA), vol. 1, no. 3, Jurnal Ilmiah NERO.

[4] A. Lubis and A. P. U. Siahaan, “WLAN Penetration Examination of the Universitas Pembangunan Panca Budi,” International Journal of Engineering Trends and Technology, vol. 37, no. 3, pp. 165-168, 2016.

[5] J. Bozic and F. Wotawa, “PURITY: A Planning-based Security Testing Tool,” in International Conference on Software Quality, Reliability and Security, 2015.

[6] S. S. Prashant and S. B. Ardhapurkar, “Cyber Security Analysis Using Vulnerability Assessment and Penetration Testing,” in Futuristic Trends in Research and Innovation for Social Welfare, IEEE, 2016.

[7] B. Stepien, L. Peyton and P. Xion, “Using TTCN-3 as A Modeling Language for Web Penetration Testing,” in Industrial Technology, 2012.