Offensive HTML, SVG, CSS and other Browser-Evil

Trainer Name: Mario Heiderich
Title: Offensive HTML, SVG, CSS and other Browser-Evil
Duration: 3 Days
Dates: 26^th - 28^th Feb 2019

Objective

Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil

Preview

More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES6, AngularJS and ReactJS are just some terms that describe the contents of the modern web stack. But how does the attack surface look for those? What if there's not GET parameters anymore that our scanner scan tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web-pentests are "so nineties" in this realm. And keeping up the pace with progress is getting harder and harder.

But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We'll learn how to attack any web-application with either unknown legacy features - or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES6 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps - we have that covered.

Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.

HTML is a living standard. And so is this workshop. Course material will be provided on-site and via access to a private Github repo so all attendees will be receive updated material even months after the actual training.

Course outline

First segment

• The very Basics
• HTTP / Encoding
• Character Sets
• CSRF en detail
• Cross Site-Scripting
• DOM Clobbering
• Drag & Drop / Copy & Paste
• DOMXSS
• Legacy Features

Second segment

• HTML5 Attacks & Vectors
• SVG
• XML
• Mutation XSS / mXSS
• Scriptless Attacks
• SOP Bypasses
• Filter Bypasses
• Optimizing your Payload

What to bring?

Laptop, ideally a VM with several browsers (MSIE, FF, Chrome)

Prerequisites

Basic knowledge on HTTP, HTML and Scripting, fascination for weird technical behaviors and a love for crazy code

Who should attend?

Penetration testers, security engineers, security developers, technical people interested in browser and client-side web-security

What to expect?

A very technical, very intense, in-depth course starting from the very basics (HTTP, Charsets, Strings) and going up to advanced client-side attacks. Small focus on exploitation but huge focus on how to get there.Execute script where no one ever executes script before.

What not to expect?

A trainer with bad hair. The trainer has excellent hair which is in remarkably great shape. Also don't expect the standard XSS attack 101. This course goes beyond the limits and shows attacks known to few if ever.

About the trainer

Mario Heiderich

Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than, leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled powerpoint-slides. Mario recently watched a movie about Chitty the robot and then decided it's time to give a talk in India again.