SQLI (SQL Injection) and XSS are attack techniques that hackers use frequently. By inserting a script into a website, an attacker can use them to find out the contents of its database. These techniques are a threat to any website that lacks the security to ward off such attacks. Hackers look for loopholes in login menus, search forms, upload menus, input menus and URLs whose parameters end in numbers. Not every website can be attacked with these techniques, but one that does not limit the characters it accepts can. This research was conducted to find the gaps in a website that can be attacked with SQLI and XSS techniques and to help optimize website security against these attacks. Penetration testing was carried out on the car rental website of CV. Merdeka Auto Rental, which is located in Padang City, using SQLI and XSS techniques to find its security holes. The test found 12 gaps on the car rental website that are vulnerable to SQLI and XSS attacks. Based on these results, a PHP script function was written that removes all dangerous special characters, and it was inserted into the PHP input, process and output files. The function does not protect against attacks other than SQLI and XSS, so the website remains vulnerable if hackers use other attack techniques. After the function was inserted into the website's source code, the 12 loopholes found in the earlier test, which was run without the function, changed status to "not vuln", that is, not vulnerable to SQLI and XSS attacks.
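One way the input, process and output stages described above can be hardened in PHP, as an added example that is not the paper's own function. The blocked character set, the function names and the `cars` table are assumptions, and a parameterized query and HTML output encoding are added alongside the character filter; the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Input stage: drop characters and sequences commonly abused in SQLI/XSS input.
// The blocked set is an assumption for this example, not the paper's list.
function strip_dangerous(string $value): string
{
    $value = str_replace("\0", '', $value);
    $clean = preg_replace('~[<>"\'`;\\\\()=]|--|/\*|\*/~', '', $value);
    return trim($clean ?? '');
}

// Process stage: the filtered value is still bound as a parameter,
// so it is never concatenated into the SQL text.
function find_cars(PDO $db, string $keyword): array
{
    $stmt = $db->prepare('SELECT name FROM cars WHERE name LIKE :kw');
    $stmt->execute([':kw' => '%' . strip_dangerous($keyword) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output stage: encode on the way out so stored or reflected text
// is rendered as text, not as markup.
function render(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed in-memory database standing in for the rental site's tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cars (name TEXT)');
$db->exec("INSERT INTO cars VALUES ('Avanza'), ('Innova')");

// Constructed sample inputs: one ordinary search and two classic test strings.
$inputs = ['Avanza', "' OR '1'='1", '<script>alert(1)</script>'];

foreach ($inputs as $raw) {
    $rows = find_cars($db, $raw);
    printf(
        "raw: %s | filtered: %s | rows: %d\n",
        render($raw),
        render(strip_dangerous($raw)),
        count($rows)
    );
}
```

The filter alone covers only the characters it lists; the bound parameter and the output encoding keep the query and the page safe for characters the list misses.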