Electronic Theses and Dissertation

Situs web Universitas Islam Negeri (UIN) Ar-Raniry merupakan media informasi bagi mahasiswa, dosen dan staf di lingkungan UIN Ar-Raniry. Namun, pada saat ini media informasi menjadi wadah bagi pelaku cybercrime dalam mencuri data pribadi seseorang, jika tidak dilakukan pemeriksaan keamanan situs web tersebut. Dari informasi yang dikumpulkan tidak terdapat laporan yang menjelaskan situs web UIN Ar-Raniry pernah diuji keamanannya. Untuk itu, penelitian ini bertujuan menguji situs web UIN Ar-Raniry menggunakan serangan Structure Query Language (SQL) Injection dan Cross Site Scripting (XSS) dan melaporkan kerentanan yang ditemukan. Untuk menguji keamanan situs web UIN Ar-Raniry menggunakan metode Penetration Testing / pentest menggunakan serangan SQL injection dan XSS. Adapun tahapan penelitian ini diawali dengan planning, study literature, pre-attack phase, kemudian attack phase dan terakhir post attack phase. Pada proses pre-attack phase menggunakan tool the Harvester, Nessus, Qualys dan fase attack menggunakan Burp Suite. Berdasarkan hasil pemindaian kerentanan pada fase pre-attack terdapat 6 jenis kerentanan, di antaranya 1 critical, 3 high dan 2 medium dengan jenis kerentanan SQL dan XSS. Berdasarkan hasil pengujian pada fase attack terhadap kerentanan SQL di aplikasi phpMyAdmin, tidak berhasil membobol form login atau menemukan pesan kesalahan pada databases dan pada kerentanan XSS juga tidak berhasil mem-bypass filter karakter pada field pencarian dikarenakan kemungkinan terdapat Web Application Firewall (WAF) yang tidak dapat di bypass oleh payload di penelitian ini. Namun, kerentanan XSS berhasil ditemukan pada situs web Prodi arsitektur.ar-raniry.ac.id dengan jenis celah XSS reflected.

Kata kunci: Situs web, UIN Ar-Raniry, Keamanan, SQL injection, XSS, Pentest,
Kerentanan, celah

Ar-Raniry State Islamic University (UIN) website is an information media for students, lecturers and staff at UIN Ar-Raniry. However, at this time the information media becomes a place for cybercrime perpetrators to steal someone's personal data, if no security checks are carried out on the website. From the information collected, there is no report that explains the UIN Ar-Raniry website has been tested for security. Therefore, this research aims to test the UIN Ar-Raniry website using Structure Query Language (SQL) Injection and Cross Site Scripting (XSS) attacks and report the vulnerabilities found. To test the security of the UIN Ar-Raniry website using the Penetration Testing / pentest method using SQL injection and XSS attacks. The stages of this research begin with planning, literature study, pre-attack phase, then attack phase and finally post attack phase. In the pre-attack phase process using the Harvester, Nessus, Qualys tools and the attack phase using Burp Suite. Based on the results of vulnerability scanning in the pre-attack phase, there are 6 types of vulnerabilities, including 1 critical, 3 high and 2 medium with SQL and XSS vulnerabilities. Based on the results of testing in the attack phase against SQL vulnerabilities in the phpMyAdmin application, it did not succeed in breaking into the login form or finding error messages in databases and the XSS vulnerability also did not succeed in bypassing the character filter in the search field because there may be a Web Application Firewall (WAF) that cannot be bypassed by the payload in this study. However, the XSS vulnerability was successfully found on the Prodi architecture.ar-raniry.ac.id website with the XSS reflected vulnerability type. Keywords: Website, UIN Ar-Raniry, Security, SQL injection, XSS, Pentest, Vulnerabilities, loopholes