Fachri, Fahmi
Universitas Maarif Nahdlatul Ulama Kebumen

Published: 1 document
Articles


Analisis Keamanan Website SMK Wongsorejo Gombong terhadap Serangan SQL Injection dengan PTES (Security Analysis of the SMK Wongsorejo Gombong Website against SQL Injection Attacks using PTES)
Authors: Akhson, Sidik Maulana; Fachri, Fahmi
Jutisi : Jurnal Ilmiah Teknik Informatika dan Sistem Informasi, Vol 14, No 1: April 2025
Publisher : STMIK Banjarbaru

DOI: 10.35889/jutisi.v14i1.2625

Abstract

This study analyzes the security of the SMK Wongsorejo Gombong website against SQL Injection attacks using the Penetration Testing Execution Standard (PTES) method. The issue arose when several users experienced access difficulties and data loss on the school's website. Following the seven stages of PTES, the research identified vulnerabilities using OWASP ZAP 2.15.0 and SQLMap 1.8.11.11#dev. The findings revealed a high-risk SQL Injection vulnerability in the jawaban_id parameter. Exploitation exposed the database structure, gave access to the user tables, and recovered the admin password by brute force. This research contributes to the development of security testing procedures for educational information systems and provides improvement recommendations, including input validation, the use of PDO (PHP Data Objects) with parameterized queries, stored procedures, and escaping techniques.

Keywords: Website Security; SQL Injection; Penetration Testing; OWASP ZAP; School Information System.
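The abstract names the vulnerable parameter (jawaban_id) and the fix (validate input, then bind it through a prepared statement such as PDO prepare/execute) but does not show either. The following is an added example, not code from the paper or from the school's website: it uses an in-memory SQLite database with a constructed schema and rows, and Python's sqlite3 module stands in for the PHP PDO pattern the authors recommend. Everything except the parameter name jawaban_id (the table names jawaban and users, the column names, the sample rows, and the MD5 hash of a weak password in the users table) is an assumption made for illustration.

```python
"""Added example: SQL injection through a numeric id parameter, and the
parameterized-query fix. Not the paper's code; schema and data are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema and sample rows (assumed, not the real school database).
    The users table stores an unsalted MD5 of the password "password", the kind
    of hash a brute-force run recovers in seconds."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE jawaban (jawaban_id INTEGER PRIMARY KEY, isi TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO jawaban VALUES (1, 'answer one'), (2, 'answer two');
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def get_answer_vulnerable(conn: sqlite3.Connection, jawaban_id: str) -> list:
    """Vulnerable pattern: the request parameter is pasted into the SQL text.
    A value such as "1 OR 1=1" or "1 UNION ALL SELECT username, password_hash
    FROM users" changes the query rather than being compared as data."""
    sql = f"SELECT jawaban_id, isi FROM jawaban WHERE jawaban_id = {jawaban_id}"
    return conn.execute(sql).fetchall()


def get_answer_bound(conn: sqlite3.Connection, jawaban_id: str) -> list:
    """Binding alone: the value travels as a parameter (the sqlite3 equivalent of
    PDO::prepare + execute), so an injection payload is just a string that
    matches no integer id and the query returns nothing."""
    sql = "SELECT jawaban_id, isi FROM jawaban WHERE jawaban_id = ?"
    return conn.execute(sql, (jawaban_id,)).fetchall()


def get_answer_safe(conn: sqlite3.Connection, jawaban_id: str) -> list:
    """Recommended form: validate the parameter as a non-negative integer first,
    then bind the converted value. Invalid input is rejected outright instead
    of being silently turned into an empty result."""
    if not jawaban_id.isdigit():
        raise ValueError("jawaban_id must be a non-negative integer")
    sql = "SELECT jawaban_id, isi FROM jawaban WHERE jawaban_id = ?"
    return conn.execute(sql, (int(jawaban_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 UNION ALL SELECT username, password_hash FROM users"
    print("vulnerable:", get_answer_vulnerable(db, payload))
    print("bound only:", get_answer_bound(db, payload))
    print("validated:", get_answer_safe(db, "1"))
```

Run stand-alone, the vulnerable function returns the legitimate row followed by the admin username and password hash from the users table, which is the same class of data exposure the abstract describes; the bound and validated versions return only the requested row or reject the input. Validation before binding matters because a numeric column compared against a bound string still works in SQLite, but in MySQL a non-numeric string is coerced to 0 and can match an unintended row.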