Implementation of AES-128 and Token-Base64 to Prevent SQL Injection Attacks via HTTP

Abstract

SQL Injection is an attack that can be applied to all database servers that support SQL commands. This attack cannot only occur in client-side applications, but can also occur through the process of data communication between client-side applications with server-side to access web services using HTTP GET or POST parameters. There is an alternative solution to create a security system from SQL Injection attacks during data communication process, that is by applying the cryptographic algorithm to the name and value parameters during the data communication process in the GET or POST method. This study proposes the use of the Advance Encryption Standard 128 (AES-128) algorithm combined with Token-Base64. AES-128 algorithm is used in the encryption process and description of name and parameter values, then Token-Base64 for encoding and decoding processes with Token at the binary ciphertext result from the AES-128 encryption process. The testing method used is blackbox testing. SQL Injection Tools used are Web Cruiser which is assisted with the Pentest-Tools URL-Fuzzer web application to find out the URL address of the web service that can be used as a SQL Injection attack gap. The results of this study are that the combination of AES-128 and Token-Base64 algorithms can prevent SQL Injection attacks with a percentage of 100% of 83 attempts on data communication through HTTP GET or POST parameters. This states that the security level obtained is in the application layer of the OSI Model. The implementation of this security process makes the web service load time performance last longer by 31.26% with the file size of the web services being 95%, compared to not using the security process.