Abstract

This research aims to identify vulnerabilities to SQL Injection attacks on websites through penetration testing using quantitative and descriptive methods. In the current digital era, data and information security has become a crucial aspect. One of the frequent threats is SQL Injection attacks, where attackers insert malicious SQL commands into queries executed by web applications. This study utilizes tools such as Burp Suite to identify and exploit vulnerabilities in a login form created by the researchers. The research process begins with the Pre-Engagement Interactions phase, which includes information gathering and setting the testing scope. Subsequently, Vulnerability Testing is conducted to evaluate existing weaknesses. The exploitation of vulnerabilities is performed using the 'OR'1'='1 technique, which successfully demonstrates that the website is vulnerable to SQL Injection attacks. The results of this study indicate that the login form on the website is susceptible to SQL Injection due to insufficient input validation and the use of dynamic SQL queries without prepared statements. Implementing stricter input validation techniques and using prepared statements has proven effective in enhancing website security. This research makes a significant contribution to the field of information system security, particularly in the prevention of SQL Injection attacks. The results of this study can serve as a practical guide for web developers in improving the security of their applications and provide a deeper understanding of the threats and mitigation techniques for SQL Injection.
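The finding above, shown as an added example that is not code from the paper: a login check built as a dynamic SQL string beside the same check using a prepared statement with input validation, both run against the `'OR'1'='1` input the abstract names. The SQLite schema, function names, and account are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory user table with one constructed account (not from the paper)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext only to keep the example short; real systems store a salted hash.
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", "constructed-secret"))
    return db

def login_dynamic(db, username, password):
    """Vulnerable form: user input is concatenated into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed SQL produced by the input

def login_prepared(db, username, password):
    """Hardened form: input validation plus a prepared (parameterized) statement."""
    # Validation: bounded length, alphanumeric usernames only (assumed policy).
    if not (1 <= len(username) <= 64 and username.isalnum()):
        return False
    if not (1 <= len(password) <= 128):
        return False
    # Placeholders keep the values out of the SQL grammar entirely.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    tautology = "'OR'1'='1"  # the input quoted in the abstract
    for name, check in (("dynamic", login_dynamic), ("prepared", login_prepared)):
        print(name,
              "valid:", check(db, "admin", "constructed-secret"),
              "wrong:", check(db, "admin", "nope"),
              "tautology:", check(db, "admin", tautology))
```

In the dynamic version the input closes the string literal and the WHERE clause becomes always true, so the check passes without the password; in the prepared version the same bytes are compared as a literal password value and the check fails.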
