TABLE OF CONTENTS
SUPERVISOR'S APPROVAL SHEET ..... iii
EXAMINERS' APPROVAL SHEET ..... iv
STATEMENT OF ORIGINALITY ..... v
DEDICATION PAGE ..... vi
MOTTO PAGE ..... vii
PREFACE ..... viii
GLOSSARY ..... x
ABSTRACT ..... xi
TABLE OF CONTENTS ..... xii
LIST OF FIGURES ..... xvi
LIST OF TABLES ..... xix
CHAPTER I ..... 1
INTRODUCTION ..... 1
1.1 Background ..... 1
1.2 Problem Statement ..... 2
1.3 Objectives ..... 2
1.4 Benefits ..... 3
1.5 Scope of the Problem ..... 3
1.6 Research Methodology ..... 3
1.6.1 Literature Study ..... 3
1.6.2 Penetration Testing of the Sistem Informasi Manajemen Skripsi Online (SIMSOn) ..... 4
1.6.3 Writing the Security Vulnerability Report ..... 4
CHAPTER II ..... 5
THEORETICAL FOUNDATION ..... 5
2.1 Literature Review ..... 5
2.2 Basic Theory ..... 5
2.2.1 Sistem Informasi Manajemen Skripsi Online (SIMSOn) ..... 5
2.2.2 Information System Security ..... 6
2.2.2.1 Aspects of Information System Security ..... 6
2.2.2.2 Attacks on Information System Security ..... 7
2.2.2.3 Causes of Attacks on Information System Security ..... 8
2.2.3 Open Web Application Security Project (OWASP) ..... 9
2.2.3.1 Definition of OWASP ..... 9
2.2.3.2 OWASP Top 10 ..... 9
2.2.4 Penetration Testing ..... 12
CHAPTER III ..... 14
RESEARCH METHODOLOGY ..... 14
3.1 Research Flow ..... 14
3.2 Research Method ..... 16
3.2.1 Information Gathering ..... 16
3.2.2 Vulnerability Scanning ..... 16
3.2.2.1 Injection ..... 16
3.2.2.2 Broken Authentication and Session Management ..... 17
3.2.2.3 Cross-Site Scripting (XSS) ..... 18
3.2.2.4 Insecure Direct Object References ..... 18
3.2.2.5 Security Misconfiguration ..... 19
3.2.2.6 Sensitive Data Exposure ..... 19
3.2.2.7 Missing Function Level Access Control ..... 20
3.2.2.8 Cross-Site Request Forgery (CSRF) ..... 20
3.2.2.9 Using Components with Known Vulnerabilities ..... 21
3.2.2.10 Unvalidated Redirects and Forwards ..... 21
3.2.3 Penetration Testing ..... 21
3.2.3.1 Gaining Access ..... 22
3.2.3.2 Escalate Privilege ..... 22
3.2.3.3 Maintain Access ..... 22
3.2.4 Analysis and Reporting of the Penetration Testing Results ..... 22
3.2.5 Security Vulnerability Analysis Table ..... 22
CHAPTER IV ..... 24
IMPLEMENTATION, RESULTS AND ANALYSIS ..... 24
4.1 Implementation of the Information Gathering Process ..... 24
4.1.1 Zenmap ..... 24
4.1.2 BurpSuite ..... 26
4.1.3 Nikto ..... 28
4.2 Injection ..... 29
4.3 Broken Authentication and Session Management ..... 43
4.4 Cross-Site Scripting (XSS) ..... 47
4.5 Insecure Direct Object References ..... 50
4.6 Security Misconfiguration ..... 52
4.7 Sensitive Data Exposure ..... 52
4.8 Missing Function Level Access Control ..... 57
4.9 Cross-Site Request Forgery (CSRF) ..... 58
4.10 Using Components with Known Vulnerabilities ..... 60
4.11 Unvalidated Redirects and Forwards ..... 63
4.12 Penetration Testing Report ..... 64
4.12.1 Analysis of the Penetration Testing Results ..... 66
4.12.2 Recommendations ..... 67
CHAPTER V ..... 69
CONCLUSIONS AND SUGGESTIONS ..... 69
5.1 Conclusions ..... 69
5.2 Suggestions ..... 69
BIBLIOGRAPHY ..... 70
APPENDICES ..... 71
LIST OF FIGURES
Figure 2.1 Three Security Aspects ..... 6
Figure 2.2 Types of attacks on information system security ..... 8
Figure 2.3 Differences between black box, grey box and white box ..... 13
Figure 3.1 Research Flow ..... 14
Figure 4.1 Port information from Zenmap ..... 25
Figure 4.2 Operating system information ..... 26
Figure 4.3 Identical proxy settings in the browser and BurpSuite ..... 27
Figure 4.4 Directory listing on the target website ..... 28
Figure 4.5 Information about outdated service versions ..... 29
Figure 4.6 Havij application interface ..... 30
Figure 4.7 Website URL with the id parameter ..... 30
Figure 4.8 SQL query error on the target website ..... 31
Figure 4.9 Entering the target URL in Havij ..... 31
Figure 4.10 Target website database found ..... 32
Figure 4.11 "Get Table" process on the discovered database ..... 33
Figure 4.12 "Get Columns" process on the database ..... 34
Figure 4.13 Retrieving the data in the columns of the admin table ..... 35
Figure 4.14 Password decryption using Havij ..... 35
Figure 4.15 Login on the target website ..... 36
Figure 4.16 The manajemen_berita.php page ..... 37
Figure 4.17 File upload form on the berita_edit.php page ..... 37
Figure 4.18 Uploading a backdoor file to the target website ..... 38
Figure 4.19 Backdoor file successfully saved on the server ..... 38
Figure 4.20 Directory where the backdoor file is saved ..... 39
Figure 4.21 Backdoor file can be accessed ..... 39
Figure 4.22 Target website database configuration ..... 40
Figure 4.23 Connecting to the database ..... 41
Figure 4.24 Target website database ..... 41
Figure 4.25 News timestamp after the backdoor upload ..... 42
Figure 4.26 Timestamp changed back to before the backdoor was uploaded ..... 42
Figure 4.27 Selecting the Ettercap network interface ..... 43
Figure 4.28 Ettercap host scan ..... 44
Figure 4.29 List of hosts on the network ..... 44
Figure 4.30 Target selection process ..... 45
Figure 4.31 ARP poisoning on the target ..... 45
Figure 4.32 Selecting "Sniff remote connections" ..... 46
Figure 4.33 Starting sniffing ..... 46
Figure 4.34 Target PHPSESSID visible in Wireshark ..... 47
Figure 4.35 XSS in the thesis search form ..... 47
Figure 4.36 XSS result in the thesis search form ..... 48
Figure 4.37 XSS in the address field on the edit profile page ..... 49
Figure 4.38 XSS vulnerability found in the address field ..... 49
Figure 4.39 Directory of another student's photo ..... 50
Figure 4.40 Lecturer profile page ..... 51
Figure 4.41 Another lecturer's profile page ..... 51
Figure 4.42 Student profile page ..... 52
Figure 4.43 Sniff menu ..... 53
Figure 4.44 Network interface selection ..... 53
Figure 4.45 Host scan menu ..... 54
Figure 4.46 List of hosts on the network ..... 54
Figure 4.47 Selecting the sniffing target ..... 55
Figure 4.48 ARP Poisoning ..... 55
Figure 4.49 ARP poisoning options ..... 56
Figure 4.50 Starting sniffing ..... 56
Figure 4.51 Username and password of the target IP address visible ..... 57
Figure 4.52 Another student's profile ..... 58
Figure 4.53 Thesis chapter entry page ..... 59
Figure 4.54 Thesis ID when saving a thesis chapter ..... 59
Figure 4.55 Changing the thesis ID ..... 60
Figure 4.56 Error while saving the thesis chapter ..... 60
Figure 4.57 /lib directory found ..... 61
Figure 4.58 The ajaxfilemanager.php page ..... 61
Figure 4.59 Upload result on the ajaxfilemanager.php page ..... 62
Figure 4.60 Warning when uploading a PHP file ..... 62
Figure 4.61 Script inserted into the student profile ..... 63
LIST OF TABLES
Table 3.1 List of security vulnerabilities ..... 23
Table 4.1 OWASP Top 10 penetration testing results ..... 64