Penetration Testing: Dumping Data from Web Application using SQL Injection Attack (Case Study: eArsip)

Abstract

Internet usage is increasing unprecedentedly and is directly facilitating the development of the entire digital world especially web-based applications. Unfortunately, web-based applications are becoming common targets for cyber-attacks in the form of sensitive data leaks through broken authentication, cross-site scripting, and SQL Injection. An injection attack with SQL injection is top-ranked among the “most critical” web-based application vulnerabilities. Sensitive data leaks can be initiated due to security holes that can be exploited to perform SQL injection attacks. This paper intends to address and showcase these security issues toward an online and legitimate target called eArsip. eArsip is a web-based application for recording and storing documents such as incoming letters, outgoing letters, decision letters, and other digitized documents. Since eArsip is freely accessible to the public, it is considered necessary to test its security to prevent data leakage with the possibility that it contains some sensitive and confidential archives. Penetration testing is performed using a black-box method in conjunction with SQL Injection. The authors adopt seven phases when conducting penetration testing, starting with planning, reconnaissance, exploration, vulnerability assessment, exploitation, reporting, and recommendation. Within 30 minutes of the attack using SQL Injection, the eArsip web-based application was successfully penetrated without prior credentials. Based on the results of the penetration tests performed, it has been demonstrated how dangerous the SQL Injection attack is for less guarded web and database applications. Data from web applications was successfully dumped using tools without the need for special knowledge. The test findings of the eArsip webbased application weaknesses and vulnerabilities are used to demonstrate the imminent risks of data leakage and to alert the system administrators. Finally, some alternative solutions are suggested to make the eArsip web-based applications more secure.