Training Session - Advanced Web Security

Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil - 2018 Edition

May 14, 15 and 16

Overview

The focus of this training is on the offensive and dangerous parts of HTML, CSS, JavaScript and related technologies, the nasty and undocumented stuff, dozens of both new and long forgotten attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet, HTTP Leaks and the DOMPurify sanitizer library.

You’ll learn how to attack web applications using either little-known legacy features or the half-baked results that reach your browser from the labs of the W3C, the WHATWG and the ES6 and ES7 mailing lists.

Whether you want to attack modern high-end web applications or huge legacy web sites with framesets and image maps, we have that covered. You’ll see and understand browser internals, mXSS, charset XSS, strange MSIE and Edge features, XSS filter bypasses, AngularJS sandbox bypasses and much more between lesser-than and greater-than.

After this training, Web Penetration Testers will be able to extend their toolbox with new attack techniques and Developers will learn how to protect seemingly secure websites in even better ways.

HTML is a living standard. And so is this training. The course material will be provided on-site and via access to a private GitHub repository, so all attendees receive updated slides and material even months after the actual training; that access is perpetual.

Outline

Motivation

Let’s learn why we are here today: why client-side security, and with it web security, is a problem for many and a blessing for few, and what this claim rests on.

The Very Basics

Time to learn about the absolute basics of web security and the web itself, and to see how even they contribute to the complexity and diversity of this topic.

Defence 101

We will now have a look at the basic defence techniques, see which attacks they cover, and understand why they sometimes work and sometimes don’t.

CSRF en detail

CSRF is as old as HTTP: a stateless protocol, plus browsers that attach cookies and other ambient credentials to every request regardless of which site triggered it. Simple, yet still haunting the web like nothing else out there.

Cross Site-Scripting

Cross-Site Scripting has been around for 15 years and is still not solved. We’ll see why, how it affects us, and focus on how we can at least solve it for our own web applications.

The DOM

The place where no one hears you scream. Literally. This place has everything a classic Hall of Mirrors offers – and that’s often great for us. The attackers.

HTML5+

HTML5 turns the browser into the new OS, step by step. Why does this matter for us, and what should we know about the resulting threats?

SVG

Mixing two unrelated standards and hoping nothing goes wrong is one thing. That we all have to deal with it now is another. Say hello to SVG.

Browsers

Let’s now cover the browser itself and the remaining slices of the attack-surface cake. Let’s also see how we can use the browser to protect our apps a bit better!

Non-Browsers

Not only browsers are capable of consuming and producing markup. Other applications like OpenOffice and Word use XSL too, and Acrobat Reader can even run scripts quite well!

Various Attacks

Let’s now have a look at attack techniques that are useful but didn’t really fit into any of the chapters covered before: stuff that few people know, things that will help you pop an alert where others fail.

Conclusion and Outlook

This final chapter will cover some issues we can expect to see within the next months and years. Knowing the attacks of tomorrow will help us understand future attack surface and deliver better pentests.

Requirements

  • A bit of knowledge of HTML and JavaScript is required
  • Laptop with several browsers installed (MSIE, Edge, Firefox and Chrome)

Bio

Mario Heiderich, Security Researcher, Cure53

Dr.-Ing. Mario Heiderich, handsome heartbreaker, Bon-Vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various capitalist conferences with powerpoint slides and profanities.
