ON INFORMATICS

A web application is a very important requirement in the information and digitalization era. With the increasing use of the internet and the growing number of web applications, every web application requires an adequate security level to store information safely and avoid cyber attacks. Web applications go through rapid development phases with short turnaround times, which makes it challenging to eliminate vulnerabilities. The vulnerabilities in a web application can be analyzed using the penetration testing method. This research uses penetration testing with the black-box method to test web application security based on the list of most common attacks from the Open Web Application Security Project (OWASP), namely SQL injection. SQL injection allows attackers to obtain unrestricted access to databases and potentially collect sensitive information from them. This research randomly tested several websites, such as government, school, and other commercial websites, with several SQL injection attack techniques. Testing was carried out on ten randomly chosen websites by looking for gaps to test security using the SQL injection attack. The test results show that 80% of the websites tested have a weakness against SQL injection attacks. Based on this research, SQL injection is still the most prevalent threat for web applications. Further research can explain detailed information about SQL injection with specific techniques and how to prevent this attack.


I. INTRODUCTION
The development of information technology has an important role in people's lives, making information security an important factor [1]. Security vulnerabilities may breach data integrity in web applications, steal confidential data, or affect web application availability. Thus the job of securing web applications is one of the most crucial [2]. Penetration testing is needed to test application security. At the penetration testing stage, identification is carried out to look for gaps and fill them in. The attack is carried out to test a web application's security to generate recommendations to reduce the risk. Penetration testing is typically a human-driven procedure that requires deep knowledge of the possible attacks to carry out and the hacking tools that can be used to launch the tests [3].
SQL injection is the attack most often used against web applications. In carrying out this attack, the attacker uses SQL commands via input variables contained in the web application [4]. It compromises the main security services: confidentiality, authentication, authorization, and integrity [5].
A primary security concern is posed by SQL injection attacks in Web applications backed by a database [6], [7]. The vulnerability to SQL injection is very big, and this is a huge threat to web-based applications, as hackers can easily hack their system and obtain any data and information. As stated in the Akamai report, SQLi attacks constituted 65.1% of Web applications' cyber-attacks from November 2017 to March 2019. It also shows that the number of different Web attacks (e.g., XSS, LFI, and PHPi) has increased, but none of them have been growing as fast as SQLi attacks [8]. In this study, we tested several websites randomly and analyzed the web applications' security vulnerabilities, including using a SQL injection attack. This paper contributes a penetration method study and the impact of SQL injection for various web applications.

A. Penetration Testing
Penetration testing is a technique used to gain access to the system. The purpose of penetration testing is to secure the system. It must be done legally by asking permission from the application owner for testing purposes. Penetration testing is a useful measurement tool for finding weaknesses in the system and showing how vulnerable the system is when attacked [9]. It is effective in helping to deal with security issues on the network.
Penetration Testing helps assess web application security arrangements' effectiveness and ineffectiveness to stay protected against cyber threats. The projected work helps develop a versatile method that can find vulnerabilities in internet applications [10]. However, major penetration test areas have been discussed as under [11]

B. Penetration Testing steps
There are different steps or ways in penetration testing. From this problem appears a website. The Penetration Testing Execution Standard (PTES) provides information about standards in penetration testing and the tools on Kali Linux in accordance with PTES standards. PTES is divided into seven categories covering all matters related to penetration testing. It runs from the collection of information to the exploitation process on the system. These stages are shown in figure 1 [12].

1) Pre-engagement Interactions:
This is the first stage in penetration testing. At this stage, a penetration tester discusses the scope and objectives of the penetration test with the client. The tester has to explain, in as much detail as possible, what activities will be carried out from the start through to making the pen test report.
2) Intelligence Gathering: Intelligence Gathering is a stage where important information is collected from the target, which will later be used during the pen test process. During this process, a pen tester tries to identify the protection mechanisms on the target by slowly and carefully investigating the system.

3) Threat Modeling:
Threat Modeling uses the information obtained from the Intelligence Gathering, which is used to determine which method of attack is the most effective. The results of this modeling will later determine how a system can be attacked.

4) Vulnerability Analysis:
During the Vulnerability Analysis stage, the information obtained from the previous stages is combined and analyzed to determine which attacks are worth using.

5) Exploitation:
Exploitation is the stage that determines whether a system can be attacked. This stage is often carried out with attacks that disrupt the system. In the exploitation process, one must understand what system should be attacked and understand that the system has vulnerabilities.

6) Post Exploitation:
The purpose of this stage is to get more information about the system that was successfully exploited. From these results, we can find a way to gain access to the internal.

7) Reporting:
Reporting is the last stage in conducting Penetration Testing. At this stage, a report will be generated for all activities that have been carried out during Penetration Testing. The result obtained from the penetration testing depends on the skillset of security professionals. Identification and exploitation of software and configuration flaws also require understanding system functionality, access control, and data flow [13].

C. OWASP
The Open Web Application Security Project (OWASP) is a non-profit organization founded in 2001 to help website owners and security experts protect web applications from cyber-attacks. OWASP has 32,000 volunteers around the world who perform security assessments and research. OWASP lists the top 10 vulnerabilities [14]:

D. SQL Injection
SQL injection is an attack method that uses malicious SQL statements to abuse how web pages communicate with backend databases. It can work against vulnerable web pages that use a backend database like MySQL, Oracle, and MSSQL [15]. The Structured Query Language Injection (SQLI) attack is considered the most dangerous injection category attack because it compromises the main security services: confidentiality, authentication, authorization, and integrity [16]. Roughly speaking, an SQLI attack consists of injecting (inserting) malicious SQL commands into input forms or queries to get access to a database or manipulate its data (e.g., send the database contents to the attacker, modify or delete the database content, etc.) [17].
Traditional SQL injection detection methods can be divided into static analysis, dynamic analysis, and parameter filtering [18]. SQLI attack occurs when the user's data is used to construct dynamic SQL queries with insufficient validation. This injection can result in data loss or corruption, lack of accountability, or denial of access. SQLI attack can sometimes lead to a complete host takeover [19]. The statements like or true 1=1, or true# are used for doing SQL injection. These statements are directly stored on the database connection, SQL statements, and make these statements vulnerable [20].
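The difference between a dynamically built query and a parameterized one, as an added example that is not part of the original paper. It uses Python's sqlite3 module; the table, its rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id TEXT, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)", [
        ("1", "alice", "alice note"),
        ("2", "bob", "bob note"),
        ("3", "o'brien", "o'brien note"),
    ])
    return db

def fetch_dynamic(db, owner, record_id):
    """Vulnerable: user data becomes part of the SQL text."""
    sql = ("SELECT body FROM records WHERE owner = '" + owner +
           "' AND id = '" + record_id + "'")
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__

def fetch_parameterized(db, owner, record_id):
    """Hardened: fixed SQL text, user data bound as values only."""
    sql = "SELECT body FROM records WHERE owner = ? AND id = ?"
    return [row[0] for row in db.execute(sql, (owner, record_id))]

def fetch_validated(db, owner, record_id):
    """Defence in depth: allow-list the id format, then bind parameters."""
    if not (record_id.isascii() and record_id.isdigit()):
        raise ValueError("record id must be numeric")
    return fetch_parameterized(db, owner, record_id)

# Always-true condition of the kind the text mentions (constructed input).
TAUTOLOGY = "1' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(fetch_dynamic(db, "alice", "1"))              # intended use
    print(fetch_dynamic(db, "alice", TAUTOLOGY))        # owner filter bypassed
    print(fetch_parameterized(db, "alice", TAUTOLOGY))  # input treated as data
    print(fetch_dynamic(db, "o'brien", "3"))            # legitimate quote breaks the query
    print(fetch_parameterized(db, "o'brien", "3"))      # same input handled correctly
```

The dynamic version fails in both directions: the always-true condition returns every owner's rows, and a legitimate value containing a quote breaks the statement.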

A. Scope of Project
This research randomly selects and analyzes ten sample web applications to determine weaknesses using the SQL injection attack. The list of web samples can be seen in Table I.

B. Information Gathering
The first step in penetration testing is information gathering. Information gathering is needed to find out the information on a server and services by using port scanning.

      Tcp  open      ssh
25    Tcp  filtered  smtp
80    Tcp  open      http
111   Tcp  open      rpcbind
139   Tcp  filtered  netbios-ssn
443   Tcp  open      http
445   Tcp  filtered  microsoft-ds
2049  Tcp  open      nfs_acl
3389  Tcp  filtered  ms-wbt-server

-auth
1720   tcp  filtered  h323q931
2382   tcp  open      ms-olap3
2968   tcp  open      enpp
3306   tcp  open      mysql
3389   tcp  open      ms-wbt-server
5357   tcp  open      http
8080   tcp  open      http
49152  tcp  open      msrpc
49153  tcp  open      msrpc
49154  tcp  open      msrpc
49155  tcp  open      msrpc
49156  tcp  open
49158  tcp  open      msrpc
49160  tcp  open      msrpc
49163  tcp  open      msrpc

Based on the scanning result, most of the servers have more than 10 (ten) open ports. It shows that 60% of servers are more vulnerable.

                A   3
2   Website B   2
3   Website C   12
4   Website D   5
5   Website E   19
6   Website F   10
7   Website G   13
8   Website H   3
9   Website I   10
10  Website J   23

C. Penetration Testing Process
This process tests several open ports on each server and implements security testing in each web application.

1) Penetration Testing on Website A: This server has several open ports, one of which is the SSH port. On this SSH port, a user and password were found using the brute force technique with tools such as Metasploit and Hydra. The result of this exploitation is that many default users are used by the system, as shown in figure 2.

A vulnerability was found on the NFS service through which attackers can gain access to the file system. After the testing, the server has filtering to block unauthorized users from accessing the files. The result of testing is shown in figure 8. On server D, testing was carried out on the running web application using a SQL injection attack. These tests did not find any security holes through SQL injection attacks.

5) Penetration Testing on Website E:
After performing penetration testing on Server E, this test found that website A had a weakness against SQL injection. The test results show that the penetration tester can access the server database, as shown in figure 9.

7) Penetration Testing on Website G:
The scanning result shows that Server F has a few open ports. After penetration testing, no vulnerabilities were found that could be exploited. However, a vulnerability was found in the web application that allows access to the website database using SQL injection attacks.

10) Penetration Testing on Website J:
The scanning result shows that Server F has a few open ports. One of them is port 3389. On port 3389, a vulnerability was found that corresponds to CVE-2019-0708. This CVE explains that someone can execute code and can shut down the server. In this test, the penetration tester was able to bring the server down. The results are shown in figure 14. SQL injection testing on Website J failed because it already has sufficient security to avoid SQL injection attacks. Based on the results of testing the websites' vulnerability to SQL injection attacks, it can be seen that of the ten tested websites, eight websites are vulnerable to SQL injection attacks, and two websites have security to avoid SQL injection attacks.

IV. CONCLUSIONS
SQL injection is still a dangerous threat for web applications. Attackers can access confidential information such as databases through weaknesses in web applications. This allows the attacker to retrieve information directly from the database. In this study, 80% of the websites that were tested in a standard manner still had a weakness against SQL injection attacks.