Grzegorz Goławski


Grzegorz Goławski has 12 years of experience in IT. He has worked in multiple roles: developer, software architect, system architect, and security architect. Currently, he is Lead Security Engineer at Nokia.

He has been working in the security area for about 5 years. He has been conducting internal Web Applications Security training for more than 3 years and has been receiving very positive feedback.



Basic Web Applications Security (2018)

Bugs, including security bugs, have existed, exist and will always exist. We can't change that, but it doesn't mean that we can ignore this fact during software development. During this lecture, I'm going to show how to hack and secure a web application. I'm going to introduce you to basic, but very popular vulnerabilities: SQL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF, XSRF). I'm going to demonstrate how to detect, exploit and fix them.

The lecture is going to be a live demo. First, I'm going to briefly introduce each of the vulnerabilities. Then I'm going to hack a real web application to show how the vulnerabilities can be exploited. I'll demonstrate how an attacker can bypass authentication and dump the contents of the database by leveraging a SQL Injection vulnerability. I'll show how an XSS vulnerability could allow an attacker to steal session cookies and hijack another user's session. Finally, I'll leverage the CSRF vulnerability to silently perform an action on another user's behalf. At the end of each demonstration, I'm going to fix the problems and show how the fix prevents the exploitation attempts.

The web application is written in Java, using the Spring Boot framework. The presented code snippets are also in Java, but the vulnerabilities are generic and language independent. Anybody with basic knowledge of any programming language will be able to understand them.