Analysis of Web Application Firewall Resilience Against SQL Injection Attacks

  • Hana Nazla Humaira
  • Asep Id Hadiana
  • Herdi Ashaury

Abstract

The ever-advancing technological transformation has brought benefits to our daily lives. Thanks to these advances, it is very easy to access information, communicate across platforms, and conduct transactions in an increasingly sophisticated digital environment. Web application services are one of the positive outcomes of the growth of the digital world. However, the very ease of access that web applications offer makes them frequent targets of cyber criminals seeking the sensitive data they hold. Deploying a Web Application Firewall (WAF) to protect web applications from SQL injection attacks can be one solution to this security problem. This research evaluates several different WAF solutions. The results show that the effectiveness of a WAF in protecting an application from SQL injection attacks varies with the type of attack. Of the attacks performed, Naxsi filtered out 99% and ModSecurity 100%.



Published
2024-01-18
How to Cite
Humaira, H., Hadiana, A., & Ashaury, H. (2024). Analisis Ketahanan Web Application Firewall Terhadap Serangan SQL Injection. Jurnal Ilmiah Wahana Pendidikan, 10(5), 403-412. https://doi.org/10.5281/zenodo.10526246