Website Penetration Analysis Against XSS Attacks using Payload Method
Abstract
This research aims to analyze the effectiveness of various penetration testing methods in identifying and mitigating XSS (Cross-Site Scripting) vulnerabilities in web applications. XSS is a type of web security attack that takes advantage of weaknesses in web applications to insert malicious code into web pages displayed to users. This attack can steal user data, take over user sessions, or spread malware. This research uses a penetration testing method with a black-box approach, where the researcher does not know the construction of the system being tested. Tests were conducted on 10 random websites, including 5 open-source websites and 5 commercial websites. The test results show that the payload method used is effective in exploiting XSS vulnerabilities on some websites. Of the 10 websites tested, 6 of them were successfully exploited using different payload methods. This research highlights the importance of using open-source penetration testing tools in detecting and addressing security vulnerabilities in web applications. These tools are easy to implement, supported by extensive documentation, and have a strong community. This research also emphasizes the importance of a deep understanding of how penetration testing tools work to identify and address security vulnerabilities. To address XSS vulnerabilities, this research recommends good programming techniques such as programming language updates, use of OOP (Object-Oriented Programming), MVC (Model-View-Controller) concepts, and use of frameworks. Further research can be done to develop and test new payload methods, explore the use of other penetration testing tools, and test security vulnerabilities in other types of web applications.
Copyright (c) 2024 Luthfi Arian Nugraha
This work is licensed under a Creative Commons Attribution 4.0 International License.