Analisis Kebocoran Data Sistem Informasi Pendaftaran Mahasiswa Baru Dari Serangan SQL Injection
Abstract
The new student registration information system at educational institutions can support administration as a process for searching for quality prospective students. Universities use technology in the form of websites, to provide services to students in an effort to facilitate access to services. However, personal data leaks can occur, one of which is through SQL Injection cyber attacks. This research aims to provide a risk rating assessment based on data leaks in SQL Injection attacks that target new student registration systems with low security. The risk ranking data method refers to FERPA (Family Educational Rights and Privacy Act) and NIK (Population Identification Number) as sensitive data, risk assessment test results refer to CVSS V3 (Common Vulnerability Scoring System) and statistical values use the min-max difference method The level of risk when tested includes site A showing a low indication because when testing using the Havij application it did not show a response when SQL Injection penetration was carried out, the results of site A were said to be low because there was no data that experienced a data leak, while site B was said to be medium with a scale value of 5.76 out of 10, because there was a data leak when performing SQL Injection penetration.
Keywords: Information System; SQL Injection; Information Security
Abstrak
Sistem informasi pendaftaran mahasiswa baru pada institusi pendidikan dapat menunjang administrasi sebagai proses untuk pencarian calon mahasiswa yang berkualitas. Perguruan tinggi menggunakan teknologi berupa situs web, untuk memberikan layanan kepada mahasiswa dalam upaya memudahkan akses layanan. Namun, kebocoran data pribadi dapat terjadi, salah satunya melalui serangan siber SQL Injection. Penelitian ini bertujuan untuk memberikan penilaian risk rating berdasarkan kebocoran data dalam insiden serangan SQL Injection yang menargetkan sistem pendaftaran mahasiswa baru dengan keamanan yang rendah. Metode Risk ranking data tersebut mengacu pada FERPA (Family Educational Rights and Privacy Act) dan NIK (Nomor Induk Kependudukan) sebagai data sensitif, hasil pengujian penilaian risiko mengacu pada CVSS V3 (Common Vulnerability Scoring System) dan nilai statistik menggunakan metode min-max perbedaan tingkatan risiko ketika diuji diantaranya situs A menunjukkan indikasi rendah karena pada saat pengujian menggunakan aplikasi Havij tidak menunjukkan respon ketika dilakukan penetrasi SQL Injection, hasilnya situs A dikatakan rendah karena tidak ada data yang mengalami kebocoran data, sedangkan situs B dikatakan medium dengan skala nilai 5.76 dari 10, karena terdapat data yang mengalami kebocoran ketika melakukan penetrasi SQL Injection.
Keywords
References
B. Arismanto and S. Rahmadhani, “Pengembangan Sistem Penerimaan Mahasiswa Baru pada STIES Imam Asy Syafii Pekanbaru,” J. Intra-Tech, vol. 3, no. 1, pp. 57–72, 2019.
D. A. Jakaria, R. T. Dirgahayu, and Hendrik, “Manajemen Risiko Sistem Informasi Akademik pada Perguruan Tinggi Menggunakan Metoda Octave Allegro,” In Seminar Nasional Aplikasi Teknologi Informasi (SNATI), pp. E37-E42, 2013.
S. Priyanto and H. K. Siradjuddin, “Sistem Informasi Pendaftaran Mahasiswa Baru Berbasis Web Pada Politeknik Sains & Teknologi Wiratama Maluku Utara,” IJIS - Indones. J. Inf. Syst., vol. 3, no. 1, p. 20, 2018, doi: 10.36549/ijis.v3i1.38.
R. Pramana, A.,Watrianthos, “Sistem Informasi Pendaftaran Mahasiswa Baru Berbasis Android,” J. Inform. Upgris, vol. 5, no. 2, pp. 121–125, 2019.
D. Wijonarko and F. W. S. Budi, “Implementasi Framework Laravel Dalam Sistem Pendaftaran Mahasiswa Baru Politeknik Kota Malang,” J. Inform. dan Rekayasa Elektron., vol. 2, no. 2, p. 35, 2019, doi: 10.36595/jire.v2i2.116.
M. A. Sutejo and M. Hardjianto, “Pengamanan File Pendaftaran Siswa Baru Menggunakan Metode Algoritme Rc4 Di Tk Nurul Irfan Security of New Student Registration Files Using the Rc4 Algorithm Method in Tk Nurul Irfan,” Semin. Nas. Mhs. Fak. Teknol. Inf. Jakarta-Indonesia, vol. 4, no. September, pp. 394–401, 2022.
P. D. Ibnugraha, L. E. Nugroho, and P. I. Santosa, “Security Risk Analysis of Information System in Academic Institution based on Business Perspective : A Case Study,” vol. 8, pp. 87–91, 2019.
J. Fonseca, N. Seixas, M. Vieira, and H. Madeira, “Analysis of field data on web security vulnerabilities,” IEEE Trans. Dependable Secur. Comput., vol. 11, no. 2, pp. 89–100, 2014, doi: 10.1109/TDSC.2013.37.
H. Wahyudi, A. Zulianto, A. Maulana, S. Mardira Indonesia, and U. Langlangbuana, “Audit Keamanan Sistem Informasi Manajemen Akademik Dan Kemahasiswaan Menggunakan SNI ISO/IEC 27001:2013 Studi Kasus STMIK Mardira Indonesia,” J. Comput. Bisnis, vol. Vol. 14 No. 1, no. 1, pp. 40–46, 2020.
C. Pinzón, J. F. De Paz, J. Bajo, Á. Herrero, and E. Corchado, “AIIDA-SQL: An Adaptive Intelligent Intrusion Detector Agent for detecting SQL injection attacks,” 2010 10th Int. Conf. Hybrid Intell. Syst. HIS 2010, pp. 73–78, 2010, doi: 10.1109/HIS.2010.5600026.
K. Ahmad and M. Karim, “A Method to Prevent SQL Injection Attack using an Improved Parameterized Stored Procedure,” Int. J. Adv. Comput. Sci. Appl., vol. 12, no. 6, pp. 324–332, 2021, doi: 10.14569/IJACSA.2021.0120636.
Z. Fadhli, S. W. Rahayu, and I. A. Gani, “Perlindungan Data Pribadi Konsumen Pada Transaksi Paylater,” J. Huk. Magnum Opus, vol. 5, no. 1, pp. 119–132, 2022.
P. D. Ibnugraha, L. E. Nugroho, Widyawan, and P. I. Santosa, “Risk analysis of database privelege implementation in SQL injection case,” J. Teknol., vol. 78, no. 5–7, pp. 113–116, 2016, doi: 10.11113/jt.v78.8724.
P. Deshanta, A. Satria, F. Sekar, and M. Fahru, “The Reliability Analysis for Information Security Metrics in Academic Environment,” vol. 7, no. March, pp. 92–97, 2023.
D. Baccarini and R. Archer, “The risk ranking of projects: A methodology,” Int. J. Proj. Manag., vol. 19, no. 3, pp. 139–145, 2001, doi: 10.1016/S0263-7863(99)00074-5.
S. K. PANDEY, “A Comparative Study of Risk Assessment Methodologies for Information Systems,” Bull. Electr. Eng. Informatics, vol. 1, no. 2, pp. 111–122, 2012, doi: 10.12928/eei.v1i2.231.
A. Bastian, H. Sujadi, and L. Abror, “Analisis Keamanan Aplikasi Data Pokok Pendidikan (DAPODIK) Menggunakan Penetration Testing Dan SQL Injection,” INFOTECH J., vol. 6, no. 2, pp. 65–70, 2020.
A. S. Irawan, E. S. Pramukantoro, and A. Kusyanti, “Pengembangan Intrusion Detection System Terhadap SQL Injection Menggunakan Metode Learning Vector Quantization,” J. Pengemb. Teknol. Inf. dan Ilmu Komput. Univ. Brawijaya, vol. 2, no. 6, pp. 2295–2301, 2018.
M. Z. Maharani, H. R. Andrian, and S. J. I. Ismail, “Analisis Keamanan Website Menggunakan Metode Scanning Dan Perhitungan Security Metriks,” e-Proceeding Appl. Sci., vol. 3, no. 3, pp. 1775–1782, 2017.
A. Bin Ibrahim and S. Kant, “Penetration Testing Using SQL Injection to Recognize the Vulnerable Point on Web Pages,” Int. J. Appl. Eng. Res., vol. 13, no. 8, pp. 5935–5942, 2018, [Online]. Available: http://www.ripublication.com
L. Arafat, “Sistem Informasi Manajemen Risiko Proyek Di Cv. Artha Jaya,” 2019, [Online]. Available: https://elibrary.unikom.ac.id/id/eprint/864/
Å. Nyre and M. Jaatun, “Seeking Risks : Towards a Quantitative Risk Perception Measure To cite this version,” 2017.
P. D. Ibnugraha, L. E. Nugroho, and P. I. Santosa, “Risk model development for information security in organization environment based on business perspectives,” Int. J. Inf. Secur., vol. 20, no. 1, pp. 113-126, 2020, doi: 10.1007/s10207-020-00495-7.
F. Al Fajar, “Analisis Keamanan Aplikasi Web Prodi Teknik Informatika Uika Menggunakan Acunetix Web Vulnerability,” Inova-Tif, vol. 3, no. 2, pp. 110-121, 2020, doi: 10.32832/inova-tif.v3i2.4127.
A. K. Dalai and S. K. Jena, “Neutralizing SQL injection attack using server side code modification in web applications,” Secur. Commun. Networks, vol. 2017, no. 3, pp. 158–173, 2017, doi: 10.1155/2017/3825373.
How To Cite This :
Refbacks
- There are currently no refbacks.