Implementation and Analysis of Attack Trees on the DVWA Application Based on Time and Probability Metrics

Alfian Rifki Irawan(1*), Adityas Widjajarto(2), Muhammad Fathinuddin(3)

(1) Universitas Telkom, Indonesia
(2) Universitas Telkom, Indonesia
(3) Universitas Telkom, Indonesia
(*) Corresponding Author

Abstract

Attack trees can be formulated from the exploitation stages of web-based applications. Following this formulation, this research aims to understand the relationship between attack trees and exploitation characteristics using time and probability metrics. The attack trees are constructed on an experimental platform running the DVWA web-based application, both with and without protection by a Web Application Firewall (WAF). Exploitation is carried out against five vulnerabilities: SQL Injection, XSS (Reflected), Command Injection, CSRF, and Brute Force. Without a WAF, the Cross-Site Request Forgery attack tree ranks first with a score of 18.19, while the Brute Force attack tree ranks last with a score of 230.09. With a WAF in place, the Command Injection attack tree ranks first with a score of 4.80, while the Brute Force attack tree remains last with a score of 43.08. Further work may involve a more detailed examination of the probability metrics and the calculation of vulnerability factors.


DOI: http://dx.doi.org/10.30645/j-sakti.v7i2.688


J-SAKTI (Jurnal Sains Komputer & Informatika)