November 08, 2018

Basic Web Applications Security

  • Golawski G.

Bugs, including security bugs, have always existed and always will. We cannot change that, but it does not mean we can ignore it during software development. In this lecture I am going to show how to hack and how to secure a web application. I will introduce three basic but very common vulnerabilities: SQL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF, XSRF), and demonstrate how to detect, exploit and fix each of them. The lecture is a live demo. First, I will briefly introduce each vulnerability. Then I will attack a real web application to show how the vulnerabilities are exploited: I will demonstrate how an attacker can bypass authentication and dump the contents of the database through a SQL Injection vulnerability, show how an XSS vulnerability lets an attacker steal session cookies and hijack another user's session, and finally use a CSRF vulnerability to silently perform an action on another user's behalf. At the end of each demonstration I will fix the problem and show how the fix stops the exploitation attempts. The web application is written in Java using the Spring Boot framework. The code snippets shown are also Java, but the vulnerabilities are generic and language independent; anybody with basic knowledge of any programming language will be able to follow.
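The three vulnerabilities named in the abstract, as an added example that is not part of the lecture or its Spring Boot application. It is written in Python against an in-memory SQLite database rather than Java, since the abstract stresses that the flaws are language independent. The `users` table, the two accounts, the attacker payloads, the CSRF secret and the `transfer` form are all constructed for the demo; passwords are kept in plaintext only to keep the code short, a real application stores password hashes. The SQL Injection part goes a little beyond the abstract's authentication bypass by also showing the UNION-based dump of the table through the same flawed query.

```python
"""Added example (not from the lecture): SQL Injection, XSS and CSRF, each in a
vulnerable and a fixed form, on a constructed in-memory SQLite user table."""
import hashlib
import hmac
import html
import sqlite3


def make_db():
    # Constructed sample data: two users, plaintext passwords for brevity only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


# --- SQL Injection -----------------------------------------------------------

def vulnerable_query(username, password):
    # Untrusted input is spliced into the SQL text, so a quote in the input
    # closes the string literal and everything after it is parsed as SQL.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def dump_vulnerable(conn, payload):
    # Same flawed query; the attacker appends a UNION that returns every
    # username:password pair through the single column the page displays.
    return [r[0] for r in conn.execute(vulnerable_query(payload, "x")).fetchall()]


def login_fixed(conn, username, password):
    # Fix: bound parameters are sent as data and can never change the SQL
    # grammar (the Java equivalent is PreparedStatement with setString).
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed payloads: "--" comments out the rest of the original statement.
BYPASS_PAYLOAD = "' OR 1=1 --"
DUMP_PAYLOAD = "' UNION SELECT username || ':' || password FROM users ORDER BY 1 --"


# --- Cross-Site Scripting ----------------------------------------------------

def greeting_vulnerable(name):
    # Reflecting the raw parameter lets an injected <script> run in the
    # victim's browser, where it can read document.cookie.
    return "<p>Hello, " + name + "</p>"


def greeting_fixed(name):
    # Fix: encode untrusted data for the HTML context it is written into.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- Cross-Site Request Forgery ----------------------------------------------

def csrf_token(secret, session_id):
    # Token bound to the victim's session with a server-side secret; a page
    # on the attacker's origin cannot read or compute it.
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def transfer(secret, session_id, form):
    # Fix: a state-changing POST is only honoured when the form carries the
    # expected token; constant-time comparison avoids timing leaks.
    expected = csrf_token(secret, session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return "rejected"
    return "transferred %s to %s" % (form["amount"], form["to"])
```

`login_vulnerable(conn, BYPASS_PAYLOAD, "anything")` logs in as the first user without a password, and `dump_vulnerable(conn, DUMP_PAYLOAD)` returns every credential pair, while `login_fixed` treats the same payload as a literal username and finds nothing. For XSS, marking the session cookie `HttpOnly` is the usual additional caveat, since it keeps `document.cookie` from exposing it even when an injection succeeds; for CSRF, Spring Security ships an equivalent token check enabled by default.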
