Applying the OWASP Framework and Network Forensics for the Analysis, Detection, and Prevention of Injection Attacks on the Host-Based Side
DOI: https://doi.org/10.61769/telematika.v14i1.267
Keywords: Network forensics, live forensics, Cross-Site Scripting, OWASP, xenotix
Abstract
The Internet has changed the world. Internet user penetration in 1995 was only 1 percent of the world population, while in 2018 the figure reached 70 percent, or 4.5 billion users. At the same time, eight of the top ten websites in the world were reported to be at a critical point of vulnerability to attacks using injection methods such as Cross-Site Scripting (XSS) and Structured Query Language Injection (SQLi). XSS and SQLi attacks can be used by certain parties to steal information or for other specific purposes. In this paper, we conduct attack simulations, analyze the captured packet data, and finally apply prevention on the host. The initial attack simulation uses a social engineering technique: sending a phishing email. In this simulation stage, the attack includes information gathering, webcam screenshots, keyloggers, and spoofers. In the analysis stage, we take a network forensics approach, collecting evidence with live forensics acquisition. The final stage is prevention (patching) by creating an application, or browser add-on, named XSSFilterAde. The contribution of this research is a broad and in-depth study of how to simulate, analyze, and finally prevent such attacks. Furthermore, the host-based protection method, implemented in the browser application, functions to filter, disable plugins, notify, block, and reduce injection attacks.
The Internet has changed the world. The Internet has changed the face of the world. Internet user penetration in 1995 was only 1 percent of the world population, while in 2018 the figure had reached 60 percent, or 4.5 billion users. At the same time, eight of the top ten websites in the world were reported to be at a critical point of vulnerability to attacks using injection methods such as Cross-Site Scripting (XSS) and Structured Query Language Injection (SQLi). XSS and SQLi attacks can be used by certain parties to steal information or for specific purposes. In this paper, the research is carried out by simulating attacks, analyzing packet data, and finally performing prevention on the host, that is, on the user side. The initial attack simulation uses a social engineering attack by sending a phishing email. In this attack simulation stage, the attack includes information gathering, webcam screenshots, keyloggers, and spoofers. Next, in the analysis stage, we take a network forensics approach, collecting evidence using the live forensics acquisition method. The final stage is prevention (patching) by building an application or add-on on the browser side named XSSFilterAde. The contribution of this research is a broad and in-depth study of how to perform a simulation, analysis, and, finally, prevention. Further, the host-based protection method for the user, implemented in the browser application, functions to filter, disable plugins, notify, block, and reduce injection attacks.
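As an added example that is not the paper's XSSFilterAde code (its implementation is not given on this page), the JavaScript below sketches the two host-side checks a browser add-on of this kind performs: OWASP-style HTML entity encoding of untrusted values, and inspection of URL query parameters for script-injection markers so the add-on can notify the user or block the request. All function and constant names are hypothetical.

```javascript
// Added illustration, not the paper's XSSFilterAde source: host-side checks a
// browser add-on can apply to a page's URL before the page uses its parameters.
// Function and constant names here are hypothetical.

// 1. OWASP-style HTML entity encoding for untrusted text (HTML body context).
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Heuristic markers of reflected-XSS payloads, checked on the fully decoded
// value so encoded forms are not missed. Such heuristics have false positives
// (a value like "one=1" trips the event-handler pattern), which is why a filter
// is a notify/block layer on top of output encoding, never a replacement for it.
const INJECTION_MARKERS = [
  /<\s*script/i,
  /<\s*(iframe|object|embed|svg|img|math)\b/i,
  /\bon[a-z]+\s*=/i,     // inline event handlers such as onerror=
  /javascript\s*:/i,     // javascript: URLs in href/src
];

// Decode repeatedly (bounded) so that double-encoded payloads are seen in clear.
function fullyDecode(value) {
  let cur = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; } // malformed escape
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Inspect each query parameter; return what an add-on needs to notify the user
// or block the request, plus an encoded copy that is safe to show in a notice.
function inspectUrl(urlString) {
  const findings = [];
  for (const [param, value] of new URL(urlString).searchParams) {
    const decoded = fullyDecode(value);
    const marker = INJECTION_MARKERS.find((re) => re.test(decoded));
    if (marker) {
      findings.push({ param, marker: marker.source, safeValue: escapeHtml(decoded) });
    }
  }
  return { blocked: findings.length > 0, findings };
}
```

The URLs fed to inspectUrl in practice come from the add-on's navigation hook; the sample inputs used to exercise it are constructed, not taken from the paper.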
License
You are free to:
- Share — copy and redistribute the material in any medium or format for any purpose, even commercially.
- Adapt — remix, transform, and build upon the material for any purpose, even commercially.
- The licensor cannot revoke these freedoms as long as you follow the license terms.
Under the following terms:
- Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
- No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
Notices:
You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.
No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.