Implementation and Analysis of Attack Trees on the DVWA Application Based on Time and Skill Level Metrics

Yadi Nugraha(1*), Adityas Widjajarto(2), Muhammad Fathinuddin(3)

(1) Universitas Telkom, Indonesia
(2) Universitas Telkom, Indonesia
(3) Universitas Telkom, Indonesia
(*) Corresponding Author

Abstract

Attack trees can be formulated from the exploitation steps that occur against web applications. The aim of this research is to understand the relationship between attack trees and exploitation characteristics based on time and skill level metrics. DVWA is used as the exploitation testing platform, and the exploitation steps are organized into attack trees. The attack trees are built under two conditions: with and without WAF protection. They cover five vulnerabilities: SQL Injection, XSS (Reflected), Command injection, CSRF, and Brute force. Without WAF protection, the analysis ranks the XSS (Reflected) attack tree first with a score of 131.92 and the SQL Injection attack tree last with a score of 1727.56. With the WAF, the SQL Injection attack tree ranks first with a score of 54 and the Brute force attack tree last with a score of 319.51. This relationship can therefore be used to rank attack trees based on time and skill level metrics. Further research can detail the exploitation steps using CVSS scores for the skill level calculation and measure parameters using an IDS as one of the firewall features.
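To make the kind of ranking the abstract describes concrete, the following is an added illustration written for this page; it is not the paper's code, scoring formula or measured data. It assumes a simple attack-tree model (AND nodes require every child step, OR nodes let the attacker take the cheapest alternative), an assumed combination rule in which a path's score is its total time in minutes multiplied by the highest skill level it demands (lower score = easier attack), and constructed per-step values for the five DVWA vulnerabilities under the two WAF conditions. The names `Leaf`, `Node`, `evaluate`, `score`, `rank`, `build_tree` and `rank_condition` are all hypothetical.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Leaf:
    """One exploitation step with its measured time (minutes) and skill level (1-5)."""
    name: str
    minutes: float
    skill: int


@dataclass
class Node:
    """Inner attack-tree node. kind is "AND" (all children needed) or "OR" (any one child)."""
    name: str
    kind: str
    children: List[Union["Node", Leaf]]


Tree = Union[Node, Leaf]


def evaluate(tree: Tree) -> Tuple[float, int]:
    """Return (minutes, skill) of the cheapest attacker path that reaches this node.

    AND: times add up and the attacker needs the highest skill among the steps.
    OR:  the attacker picks the child with the lowest minutes * skill product
         (assumed combination rule, not the paper's).
    """
    if isinstance(tree, Leaf):
        return tree.minutes, tree.skill
    results = [evaluate(child) for child in tree.children]
    if tree.kind == "AND":
        return sum(m for m, _ in results), max(s for _, s in results)
    if tree.kind == "OR":
        return min(results, key=lambda r: r[0] * r[1])
    raise ValueError(f"unknown node kind {tree.kind!r}")


def score(tree: Tree) -> float:
    """Scalar score of a whole attack tree: cheapest-path minutes * skill."""
    minutes, skill = evaluate(tree)
    return round(minutes * skill, 2)


def rank(trees: List[Node]) -> List[Tuple[float, str]]:
    """Rank attack trees from easiest (lowest score) to hardest."""
    return sorted((score(t), t.name) for t in trees)


# Constructed sample values: (minutes, skill level) per step. They are invented
# to exercise the model and are NOT the measurements reported by the paper.
LEAF_METRICS = {
    "without WAF": {
        "SQL Injection":     {"recon": (10, 2), "manual": (40, 3),  "tool": (15, 2)},
        "XSS (Reflected)":   {"recon": (5, 1),  "manual": (10, 2),  "tool": (12, 2)},
        "Command injection": {"recon": (8, 2),  "manual": (12, 3),  "tool": (20, 2)},
        "CSRF":              {"recon": (6, 1),  "manual": (25, 3),  "tool": (30, 3)},
        "Brute force":       {"recon": (5, 1),  "manual": (90, 1),  "tool": (40, 2)},
    },
    "with WAF": {
        "SQL Injection":     {"recon": (10, 2), "manual": (120, 4), "tool": (60, 4)},
        "XSS (Reflected)":   {"recon": (5, 1),  "manual": (60, 4),  "tool": (50, 4)},
        "Command injection": {"recon": (8, 2),  "manual": (45, 4),  "tool": (80, 3)},
        "CSRF":              {"recon": (6, 1),  "manual": (25, 3),  "tool": (30, 3)},
        "Brute force":       {"recon": (5, 1),  "manual": (240, 2), "tool": (150, 2)},
    },
}


def build_tree(name: str, metrics: dict) -> Node:
    """Shape every vulnerability the same way: recon AND (manual OR tool-assisted exploit)."""
    return Node(name, "AND", [
        Leaf("reconnaissance", *metrics["recon"]),
        Node("exploit", "OR", [
            Leaf("manual exploit", *metrics["manual"]),
            Leaf("tool-assisted exploit", *metrics["tool"]),
        ]),
    ])


def rank_condition(condition: str) -> List[Tuple[float, str]]:
    """Build and rank all five attack trees for one WAF condition."""
    trees = [build_tree(name, m) for name, m in LEAF_METRICS[condition].items()]
    return rank(trees)


if __name__ == "__main__":
    for condition in LEAF_METRICS:
        print(condition)
        for s, name in rank_condition(condition):
            print(f"  {s:8.2f}  {name}")
```

Running it prints a ranking per condition; with the constructed values, XSS (Reflected) is the easiest tree without the WAF and CSRF (which the WAF does not affect in this scenario) is the easiest with it. Swapping the assumed product rule for another combination (for example, a CVSS-derived skill score as the abstract's future work suggests) only requires changing `evaluate` and `score`.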


DOI: http://dx.doi.org/10.30645/j-sakti.v7i2.690


J-SAKTI (Jurnal Sains Komputer & Informatika)