
Assignment I

II5166 Advanced Information Security

Semester 1 - 2012/2013

Lecturer: Dr. Ir. Budi Rahardjo

Completed by: Perdana Kusumah / 23512076 / LTI Program

Assignment: Find examples of software with security problems!

The following are several examples of web-based applications that have security problems:

1. UDESA (http://www.udesa.co.za). It has a weakness in user authentication: SQL injection can be carried out against this web application. By entering the additional SQL script 1' OR '1' = '1, anyone can get into the admin menu.

Figure 1. Initial UDESA login page

Figure 2. UDESA when the SQL injection is entered

Figure 3. Successfully entered the UDESA admin menu

2. SANDERS GOLF (http://www.crsandersgolf.com). This web application has the same problem as described in item 1.

Figure 4. Initial SANDERS GOLF login page

Figure 5. SANDERS GOLF when the SQL injection is entered

Figure 6. Successfully entered the SANDERS GOLF admin menu

3. KPU DKI Jakarta (http://www.kpujakarta.go.id).

Figure 7. The KPU DKI Jakarta site before any problem occurs

This web application has several problems, such as:

a. Information about the database in use can be discovered, namely MySQL.

Figure 8. KPU DKI Jakarta displaying a MySQL database error

b. When a user makes an input error, the query syntax being used is displayed.

Figure 9. KPU DKI Jakarta error page when the user enters invalid input

c. The search field takes whatever the user enters without any filtering. This makes SQL injection possible (such as users constructing their own queries, adding scripts, or deleting the database).

Figure 10. KPU DKI Jakarta accepts a query entered by the user

Figure 11. The KPU DKI Jakarta login form accepts SQL injection input

d. It displays the list of files in a directory on the web server.

Figure 12. List of files in a directory on the KPU DKI Jakarta web server
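The login bypass from item 1 and the query-error disclosure from items 3b and 3c, reproduced against a constructed in-memory SQLite table as an added example (not code from any of the sites above; the table, account and function names are assumptions). Concatenating input into the query lets `1' OR '1' = '1` match every row, while bound parameters treat the same input as data, and database errors are logged instead of shown to the user.

```python
import logging
import sqlite3

log = logging.getLogger("login-demo")
PAYLOAD = "1' OR '1' = '1"  # the input quoted in item 1


def make_db():
    """Constructed sample data: an in-memory table with one admin account."""
    db = sqlite3.connect(":memory:")
    # Plaintext password column only to keep the demo focused on query
    # construction; a real application stores a salted password hash.
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    db.execute("INSERT INTO users VALUES ('admin', 'S3cure-Pass', 'admin')")
    return db


def vulnerable_query(username, password):
    """Build the query by string concatenation (the flawed pattern)."""
    return (
        "SELECT username, role FROM users "
        "WHERE username = '" + username + "' AND password = '" + password + "'"
    )


def login_vulnerable(db, username, password):
    # Any returned row is treated as a successful login.
    return db.execute(vulnerable_query(username, password)).fetchone()


def login_parameterized(db, username, password):
    """Same check with bound parameters: input is data, never SQL text."""
    return db.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def handle_login(db, username, password, check=login_parameterized):
    """Return the text shown to the user; database errors stay in the server log."""
    try:
        row = check(db, username, password)
    except sqlite3.Error as exc:
        # The driver message can contain the query text and engine name,
        # so it goes to the log and never into the response.
        log.error("login query failed: %s", exc)
        return "Login failed."
    return "Welcome, %s." % row[0] if row else "Login failed."


if __name__ == "__main__":
    db = make_db()
    # The WHERE clause becomes: username = '1' OR '1' = '1' AND password = '1' OR '1' = '1'
    print(vulnerable_query(PAYLOAD, PAYLOAD))
    print("concatenated :", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("parameterized:", login_parameterized(db, PAYLOAD, PAYLOAD))
    # A stray quote breaks the concatenated query; the user sees only a generic message.
    print(handle_login(db, "o'brien", "x", check=login_vulnerable))
```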

4. NIC ITB (http://nic.itb.ac.id). Overall, the security of the NIC ITB website is already fairly good, but several weaknesses were found after scanning it with special-purpose tracing software (Acunetix). The findings are as follows:

a. The PHP version in use is still an old one (5.2.17), which makes a DoS attack against its hash table possible.

b. When a request error occurs, the server still returns header information that contains HTTPOnly cookies.

c. The username and password form is still open to brute force attacks because there is no mechanism yet that limits the number of incorrect username and password entries. However, the site already handles SQL injection well.

d. HTTP TRACE is still enabled in the configuration, so sensitive HTTP header information (such as cookies and authentication data) can still be accessed.

e. The username and password input text boxes are still configured with autocomplete="on", so that information is still stored in the browser cache; as a result, the browser reminds the user of values that were entered previously.
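One way to add the missing limit on failed logins from item c, as an added example rather than the NIC ITB application's code; `LoginThrottle`, `attempt_login`, the thresholds and the `verify` callback are assumptions. Failures are counted per account and per client address, because guesses can be spread across many usernames, and the lock expires on its own so it cannot be used to shut a user out permanently.

```python
import time


class LoginThrottle:
    """Temporary lockout after repeated failures recorded under one key."""

    def __init__(self, max_failures=5, window=300, lock_seconds=900,
                 clock=time.monotonic):
        self.max_failures = max_failures  # failures allowed inside the window
        self.window = window              # seconds a failure stays counted
        self.lock_seconds = lock_seconds  # how long a lock lasts
        self.clock = clock                # injectable so tests control time
        self._failures = {}               # key -> timestamps of recent failures
        self._locked_until = {}           # key -> time at which the lock expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]   # lock expired, allow attempts again
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        recent = [t for t in self._failures.get(key, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lock_seconds
            recent = []
        self._failures[key] = recent

    def reset(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, verify, username, password, client_ip):
    """verify(username, password) -> bool is the application's own check (assumed)."""
    keys = ("user:" + username.strip().lower(), "ip:" + client_ip)
    if any(throttle.is_locked(k) for k in keys):
        return "locked"   # the password is not even evaluated while locked
    if verify(username, password):
        throttle.reset(keys[0])   # success clears the account counter only
        return "ok"
    for k in keys:
        # Unknown usernames are counted too, so the response does not
        # reveal which accounts exist.
        throttle.record_failure(k)
    return "denied"
```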

The Acunetix scan report is attached.

APPENDIX

Apache httpOnly Cookie Disclosure

Severity: Medium

Type: Validation

Reported by module: Scripting (Apache_httpOnly_Cookie_Disclosure.script)

Description

Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script. Affected Apache versions (up to 2.0.21).

Impact

Information disclosure.

Recommendation

Upgrade Apache 2.x to the latest version. Apache 2.2.22 is the first version that fixed this issue.

References

Apache httpOnly Cookie Disclosure

Fixed in Apache httpd 2.2.22

Affected items

Details

Web Server

Pattern found: <pre>Cookie: acunetixCookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

GET / HTTP/1.1

(line truncated)


Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Acunetix Website Audit

Login page password-guessing attack

Severity: Low

Type: Validation

Reported by module: Scripting (Html_Authentication_Audit.script)

Description

A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more information about fixing this problem.

Impact

An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers, and symbols until it discovers the one correct combination that works.

Recommendation

It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.

References

Blocking Brute Force Attacks

Affected items

Details

/cake/accounts/cekKompatibilitas

The scanner tested 10 invalid credentials and no account lockout was detected.

POST /cake/accounts/cekKompatibilitas HTTP/1.1

Content-Length: 81

Content-Type: application/x-www-form-urlencoded

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

data%5bAccount%5d%5bpassword%5d=s7QkeR2G&data%5bAccount%5d%5busername%5d=CCQAAbwM

Request headers

Details

/cake/accounts/cekPassword

The scanner tested 10 invalid credentials and no account lockout was detected.

POST /cake/accounts/cekPassword HTTP/1.1

Content-Length: 81

Content-Type: application/x-www-form-urlencoded

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers


data%5bAccount%5d%5bpassword%5d=dmyicnnW&data%5bAccount%5d%5busername%5d=8UKB6oNT

Details

/cake/accounts/historyBlockUser

The scanner tested 10 invalid credentials and no account lockout was detected.

POST /cake/accounts/historyBlockUser HTTP/1.1

Content-Length: 81

Content-Type: application/x-www-form-urlencoded

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

data%5bAccount%5d%5bpassword%5d=FSSssvtx&data%5bAccount%5d%5busername%5d=9Ru7bUpb

Request headers

Details

/cake/accounts/historyInternet

The scanner tested 10 invalid credentials and no account lockout was detected.

POST /cake/accounts/historyInternet HTTP/1.1

Content-Length: 81

Content-Type: application/x-www-form-urlencoded

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

data%5bAccount%5d%5bpassword%5d=Sq12DaYu&data%5bAccount%5d%5busername%5d=kgGDz1e5

Request headers

Details

/cake/accounts/resetByAdmin

The scanner tested 10 invalid credentials and no account lockout was detected.

POST /cake/accounts/resetByAdmin HTTP/1.1

Content-Length: 136

Content-Type: application/x-www-form-urlencoded

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

data%5bAccount%5d%5bpasswordadmin%5d=bd8KgPAh&data%5bAccount%5d%5busernameadmin%5d=W3gT7zwd&data%5bAccount%5d%5busernameuser%5d=mqxqsucr

Request headers

Details

/cake/web/login

The scanner tested 10 invalid credentials and no account lockout was detected.

POST /cake/web/login HTTP/1.1

Content-Length: 81

Content-Type: application/x-www-form-urlencoded

Request headers


Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

data%5bAccount%5d%5bpassword%5d=KoYMEgdR&data%5bAccount%5d%5busername%5d=MdB5cmRa


Possible sensitive directories

Severity: Low

Type: Validation

Reported by module: Scripting (Possible_Sensitive_Directories.script)

Description

A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages, temporary directories. Each one of these directories could help an attacker to learn more about his target.

Impact

This directory may expose sensitive information that could help a malicious user to prepare more advanced attacks.

Recommendation

Restrict access to this directory or remove it from the website.

References

Web Server Security and Database Server Security

Affected items

Details

/cake/app/config

No details are available.

GET /cake/app/config HTTP/1.1

Accept: acunetix/wvs

Range: bytes=0-99999

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Request headers

Details

/cake/app/tmp

No details are available.

GET /cake/app/tmp HTTP/1.1

Accept: acunetix/wvs

Range: bytes=0-99999

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Request headers


TRACE method is enabled

Severity: Low

Type: Validation

Reported by module: Scripting (Track_Trace_Server_Methods.script)

Description

HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method.

Impact

Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.

Recommendation

Disable TRACE Method on the web server.

References

W3C - RFC 2616

US-CERT VU#867593

IIS 6 WWW Service Registry Entries

Cross-site tracing (XST)

Affected items

Details

Web Server

No details are available.

TRACE /p0KgTQtkjs HTTP/1.1

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers


Broken links

Severity: Informational

Type: Informational

Reported by module: Crawler

Description

A broken link refers to any link that should take you to a document, image or webpage, that actually results in an error. This page was linked from the website but it is inaccessible.

Impact

Problems navigating the site.

Recommendation

Remove the links to this file or make it accessible.

Affected items

Details

/cake/app/config

No details are available.

GET /cake/app/config/ HTTP/1.1

Pragma: no-cache

Referer: http://nic.itb.ac.id/cake/app/config/

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/app/plugins

No details are available.

GET /cake/app/plugins/ HTTP/1.1

Pragma: no-cache

Referer: http://nic.itb.ac.id/cake/app/plugins/

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers


Details

/cake/app/tmp

No details are available.

GET /cake/app/tmp/ HTTP/1.1

Pragma: no-cache

Referer: http://nic.itb.ac.id/cake/app/tmp/

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/css/img

No details are available.

GET /cake/css/img HTTP/1.1

Pragma: no-cache

Referer: http://nic.itb.ac.id/cake/css/img

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/news/web

No details are available.

GET /cake/news/web HTTP/1.1

Pragma: no-cache

Referer: http://nic.itb.ac.id/cake/news/web

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/news/web/downloadorder

No details are available.


GET /cake/news/web/downloadorder HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/news/view/8

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/web/downloadorder

No details are available.

GET /web/downloadorder HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/news

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers


Email address found

Severity: Informational

Type: Informational

Reported by module: Scripting (Text_Search.script)

Description

One or more email addresses have been found on this page. The majority of spam comes from email addresses harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour the internet looking for email addresses on any website they come across. Spambot programs look for strings [email protected] and then record any addresses found.

Impact

Email addresses posted on Web sites may attract spam.

Recommendation

Check references for details on how to solve this problem.

References

Why Am I Getting All This Spam?

Spam-Proofing Your Website

Affected items

Details

/cake/news/view/7

Pattern found: [email protected]

GET /cake/news/view/7 HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/news

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/web/exampledownloadorder

Pattern found: [email protected]

GET /cake/web/exampledownloadorder HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/downloads/downloadorder

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Request headers


Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*


GHDB: Possible temporary file/directory

Severity: Informational

Type: Informational

Reported by module: GHDB

Description

The description for this alert is contributed by the GHDB community, it may contain inappropriate language. Category: Sensitive Directories. Many times, this search will reveal temporary files and directories on the web server. The information included in these files and directories will vary, but an attacker could use this information in an information gathering campaign. The Google Hacking Database (GHDB) appears courtesy of the Google Hacking community.

Impact

Not available. Check description.

Recommendation

Not available. Check description.

References

Acunetix Google hacking

The Google Hacking Database (GHDB) community

Affected items

Details

/cake/app/tmp

We found inurl:/tmp

GET /cake/app/tmp/ HTTP/1.1

Pragma: no-cache

Referer: http://nic.itb.ac.id/cake/app/tmp/

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/app/tmp

We found inurl:/tmp

GET /cake/app/tmp HTTP/1.1

Pragma: no-cache

Referer: http://nic.itb.ac.id/cake/app/

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

Request headers


User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*


Password type input with autocomplete enabled

Severity: Informational

Type: Informational

Reported by module: Crawler

Description

When a new name and password is entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.

Impact

Possible sensitive information disclosure

Recommendation

The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off">

Affected items

Details

/cake/accounts/blokirAccount

Password type input named data[Account][passwordadmin] from unnamed form with action /cake/accounts/blokirAccount has autocomplete enabled.

GET /cake/accounts/blokirAccount HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/accounts/cekKompatibilitas

Password type input named data[Account][password] from unnamed form with action /cake/accounts/cekKompatibilitas has autocomplete enabled.

GET /cake/accounts/cekKompatibilitas HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Request headers


Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Details

/cake/accounts/cekPassword

Password type input named data[Account][password] from unnamed form with action /cake/accounts/cekPassword has autocomplete enabled.

GET /cake/accounts/cekPassword HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/accounts/historyBlockUser

Password type input named data[Account][password] from unnamed form with action /cake/accounts/historyBlockUser has autocomplete enabled.

GET /cake/accounts/historyBlockUser HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/accounts/historyInternet

Password type input named data[Account][password] from unnamed form with action /cake/accounts/historyInternet has autocomplete enabled.

GET /cake/accounts/historyInternet HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Request headers

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Details

/cake/accounts/registrasivoip

Password type input named data[Account][password] from unnamed form with action /cake/accounts/registrasivoip has autocomplete enabled.

GET /cake/accounts/registrasivoip HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/accounts/resetByAdmin

Password type input named data[Account][passwordadmin] from unnamed form with action /cake/accounts/resetByAdmin has autocomplete enabled.

GET /cake/accounts/resetByAdmin HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/accounts/ubahPassword

Password type input named data[Account][renewpassword] from unnamed form with action /cake/accounts/ubahPassword has autocomplete enabled.

GET /cake/accounts/ubahPassword HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Request headers

Accept: */*

Details

/cake/accounts/ubahPassword

Password type input named data[Account][newpassword] from unnamed form with action /cake/accounts/ubahPassword has autocomplete enabled.

GET /cake/accounts/ubahPassword HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/accounts/ubahPassword

Password type input named data[Account][password] from unnamed form with action /cake/accounts/ubahPassword has autocomplete enabled.

GET /cake/accounts/ubahPassword HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/accounts/ubahResetPassword

Password type input named data[Account][resetpassword] from unnamed form with action /cake/accounts/ubahResetPassword has autocomplete enabled.

GET /cake/accounts/ubahResetPassword HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/accounts/ubahResetPassword

Password type input named data[Account][password] from unnamed form with action /cake/accounts/ubahResetPassword has autocomplete enabled.

GET /cake/accounts/ubahResetPassword HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/accounts/ubahResetPassword

Password type input named data[Account][reresetpassword] from unnamed form with action /cake/accounts/ubahResetPassword has autocomplete enabled.

GET /cake/accounts/ubahResetPassword HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/downloads/downloadorder

Password type input named data[Download][filepassword] from unnamed form with action /cake/downloads/downloadorder has autocomplete enabled.

GET /cake/downloads/downloadorder HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/downloads/downloadorder

Password type input named data[Download][password] from unnamed form with action /cake/downloads/downloadorder has autocomplete enabled.

GET /cake/downloads/downloadorder HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/downloads/downloadpaper

Password type input named data[DownloadPaper][password] from unnamed form with action /cake/downloads/downloadpaper has autocomplete enabled.

GET /cake/downloads/downloadpaper HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/web/exampledownloadorder

Password type input named from unnamed form with action /cake/web/downloadorder has autocomplete enabled.

GET /cake/web/exampledownloadorder HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/downloads/downloadorder

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Details

/cake/web/login

Password type input named data[Account][password] from unnamed form with action /cake/web/login has autocomplete enabled.

GET /cake/web/login HTTP/1.1

Pragma: no-cache

Referer: https://nic.itb.ac.id/cake/index.php

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: *****

Acunetix-Aspect-Queries: filelist;aspectalerts

Cookie: CAKEPHP=2323a4ffabd8ffeq58sktcct87

Host: nic.itb.ac.id

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)

Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

Accept: */*

Request headers

Scanned items (coverage report)

No vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/

6 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

/ Path Fragment

/cake/ Path Fragment

Input scheme 2

Input name Input type

/ Path Fragment

/ Path Fragment

/cake/ Path Fragment

Input scheme 3

Input name Input type

/cake/ Path Fragment

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/index.php

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/view

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/view/8

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/view/7

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/view/13

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/view/14

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/view/12

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/view/10

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/view/11

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/index

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/web

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/news/web/downloadorder

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/faqs

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/policy

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/policy/view

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/policy/view/5

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/policy/view/4

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/policy/view/3

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/policy/view/6

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/policy/view/12

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/policy/view/index.php

2 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

menu URL encoded GET

mode URL encoded GET

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/service

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/service/view

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/service/view/9

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/service/view/8

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/service/view/13

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/service/view/11

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/service/view/10

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/6

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/8

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/9

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/5

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/3

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/4

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/13

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/14

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/15

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/12

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/10

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/11

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/view/index.php

2 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

menu URL encoded GET

mode URL encoded GET

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/articles/index

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/web

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/web/about

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/web/login

2 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5bpassword%5d URL encoded POST

data%5bAccount%5d%5busername%5d URL encoded POST

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/web/contact

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/web/exampledownloadorder

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/web/downloadorder

1 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bweb%5d%5busername%5d URL encoded POST

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/img

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/css

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/css/default.css

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/css/img

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/cekAccount

1 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5busername%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/cekPassword

2 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5bpassword%5d URL encoded POST

data%5bAccount%5d%5busername%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/ubahPassword

4 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5bnewpassword%5d URL encoded POST

data%5bAccount%5d%5bpassword%5d URL encoded POST

data%5bAccount%5d%5brenewpassword%5d URL encoded POST

data%5bAccount%5d%5busername%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/resetByAdmin

3 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5bpasswordadmin%5d URL encoded POST

data%5bAccount%5d%5busernameadmin%5d URL encoded POST

data%5bAccount%5d%5busernameuser%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/blokirAccount

8 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5bblokirsampaid%5d URL encoded POST

data%5bAccount%5d%5bblokirsampaim%5d URL encoded POST

data%5bAccount%5d%5bblokirsampaiy%5d URL encoded POST

data%5bAccount%5d%5bblokirsebab%5d URL encoded POST

data%5bAccount%5d%5bpasswordadmin%5d URL encoded POST

data%5bAccount%5d%5btipeblokir%5d URL encoded POST

data%5bAccount%5d%5busernameadmin%5d URL encoded POST

data%5bAccount%5d%5busernameuser%5d URL encoded POST

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/resetPassword

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/resetPassword/2

1 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5busername%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/registrasivoip

3 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5bno%5d URL encoded POST

data%5bAccount%5d%5bpassword%5d URL encoded POST

data%5bAccount%5d%5busername%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/historyInternet

2 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5bpassword%5d URL encoded POST

data%5bAccount%5d%5busername%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/historyBlockUser

2 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5bpassword%5d URL encoded POST

data%5bAccount%5d%5busername%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/ubahResetPassword

5 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5bhint%5d URL encoded POST

data%5bAccount%5d%5bpassword%5d URL encoded POST

data%5bAccount%5d%5breresetpassword%5d URL encoded POST

data%5bAccount%5d%5bresetpassword%5d URL encoded POST

data%5bAccount%5d%5busername%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/accounts/cekKompatibilitas

2 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bAccount%5d%5bpassword%5d URL encoded POST

data%5bAccount%5d%5busername%5d URL encoded POST

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/downloads

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/downloads/downloadorder

8 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bDownload%5d%5bakun%5d URL encoded POST

data%5bDownload%5d%5balamat%5d URL encoded POST

data%5bDownload%5d%5bdeskripsi%5d URL encoded POST

data%5bDownload%5d%5bemail%5d URL encoded POST

data%5bDownload%5d%5bfilepassword%5d URL encoded POST

data%5bDownload%5d%5bfileusername%5d URL encoded POST

data%5bDownload%5d%5bpassword%5d URL encoded POST

data%5bDownload%5d%5breferal%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/downloads/downloadpaper

9 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

data%5bDownloadPaper%5d%5bakun%5d URL encoded POST

data%5bDownloadPaper%5d%5bemail%5d URL encoded POST

data%5bDownloadPaper%5d%5bjudul%5d URL encoded POST

data%5bDownloadPaper%5d%5bjurnal%5d URL encoded POST

data%5bDownloadPaper%5d%5bpassword%5d URL encoded POST

data%5bDownloadPaper%5d%5bpenerbit%5d URL encoded POST

data%5bDownloadPaper%5d%5bpenulis%5d URL encoded POST

data%5bDownloadPaper%5d%5burl%5d URL encoded POST

data%5bDownloadPaper%5d%5bvolume%5d URL encoded POST

Vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/cake/app/

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/cake/app/webroot/

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/app/webroot/img/

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/cake/app/webroot/css/

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/cake/app/webroot/js/

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/cake/app/webroot/files/

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/cake/app/config/

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/cake/app/tmp/

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/cake/app/plugins/

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/cake/app/js

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/cake/app/files

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/cake/app/img

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/web

No input(s) found for this URL

Vulnerabilities has been identified for this URL

URL: https://nic.itb.ac.id/web/downloadorder

No input(s) found for this URL

No vulnerabilities has been identified for this URL

URL: http://nic.itb.ac.id/image/

No input(s) found for this URL
