From BruCON 2016
Offensive HTML, SVG, CSS and other Browser-Evil by Mario Heiderich
(or How to make sure your Pentest Report is never empty)
This workshop was formerly held in closed environments for government contractors, companies and other organizations and is now available on conferences and alike. This comprehensive hands-on no-bullshit guide through the crazy world of HTML and its satellite technologies will give a very detailed overview on the current attack landscape.
- Did you know that CSS3 can function as XSS filter and steal session tokens?
- Did you know that copy & paste from an Office-Document is completely unsafe?
- Did you know that you have a SOP violation whenever you can control the first byte of a HTML document?
The focus of this workshop will be on the offensive parts of HTML, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet... and will even cover the defence parts necessary to protect one's fine web-applications.
Wed. 23 - Fri. 25 April (09:00 - 17:00)