Training Offensive

Training Offensive

From BruCON 2016

Jump to: navigation, search

Offensive HTML, SVG, CSS and other Browser-Evil by Mario Heiderich

(or How to make sure your Pentest Report is never empty)

Course Description

This workshop was formerly held in closed environments for government contractors, companies and other organizations and is now available on conferences and alike. This comprehensive hands-on no-bullshit guide through the crazy world of HTML and its satellite technologies will give a very detailed overview on the current attack landscape.

  • Did you know that CSS3 can function as XSS filter and steal session tokens?
  • Did you know that copy & paste from an Office-Document is completely unsafe?
  • Did you know that you have a SOP violation whenever you can control the first byte of a HTML document?

The focus of this workshop will be on the offensive parts of HTML, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet... and will even cover the defence parts necessary to protect one's fine web-applications.

We'll learn how to attack any web-application with either legacy madness - or the half-baked results coming to your browser from the meth-labs of W3C and WHATWG without you even knowing it. Whether you want to attack classic web-apps or shine Chrome Packaged Apps - you'll not be disappointed. Whoever likes crazy HTML, CSS and JavaScript will enjoy and benefit from this workshop. A bit of knowledge on either of those is required, rocket scientists and adepts will be satisfied equally.

Wed. 23 - Fri. 25 April (09:00 - 17:00)


Back to Training Overview