• Nullcon Goa Sep 2022
  • Training
  • Web- & Browser-Security Roundhouse-Kick

Web- & Browser-Security Roundhouse-Kick

Dr.-Ing. Mario Heiderich

register Now
Mario Heiderich

Trainer Name: Dr.-Ing. Mario Heiderich
Title: Web- & Browser-Security Roundhouse-Kick
Duration: 3 Days
Dates: Sept. 6, 2022 To Sept. 8, 2022


This 3-day training session, derived from the mighty 7-day coursework at Ruhr-University in Bochum, aims to teach attendees about the most relevant parts of modern web security, from server-side layers all the way up to the browser and the DOM.

Starting at HTTP and the very basics, looking at HTTP Request Smuggling, understanding Cookies, simple and then more advanced injection techniques, and more, the trainer will guide the attendees through a journey covering all that is relevant in the realm of web penetration-testing, securing applications and spotting issues that others might just overlook.

Training level: Basic; Intermediate; Advanced


Apex Threat Actors having advanced capabilities like leveraging in-memory implants, writing custom codes to evade AVs & EDR, moving laterally with custom made Tools, evading host and network-level security solutions for stealthiness, etc are constantly consolidating their attack techniques (and Tactics) against Defensive Teams. To strengthen enterprise-grade security, the training is designed for penetration testers, system administrators, and Blue Team members to understand different tactics, techniques, and attacks used by adversaries.


Three days are not a long time for a complex and broad topic like this one, and it depends on many factors on how many topics can be covered.

We'll have the following items on our web security tasting menu and hope to look into as many as possible:

Chapter 1: His­to­ry & Ba­sics

  • The His­to­ry of Web Se­cu­ri­ty and Web At­tacks
  • The His­to­ry of Brow­sers
  • HTML, Ja­va­Script, CSS

Chapter 2: HTTP, Ser­ver, SQLi

  • At­tacks using HTTP and SSL/TLS
  • SQL In­jec­tions
  • Uploads

Chapter 3: Cook­ies, Ses­si­ons, XSS

  • Cook­ies & Ses­si­ons
  • Same Ori­gin Po­li­cy
  • Au­then­ti­ca­ti­on & Autho­riza­t­i­on
  • The Ba­sics of Cross-Si­te Script­ing

Chapter 4: Ad­van­ced XSS

  • Ad­van­ced XSS
  • mXSS and DOM Mu­ta­ti­ons

Chapter 5: Brow­sers & Bey­ond

  • The DOM
  • DOM Clob­be­ring & DOM XSS
  • postM­es­sa­ge XSS

      A working laptop would really be helpful, ideally with software such as Burp or Fiddler preinstalled. The course can be enjoyed without, but it would be sad to miss out on the hands-on exercises.


      HTML, CSS, JavaScript as well as HTTP should ring a bell, no expertise is required but basic levels of understanding are helpful for sure.


      Penetration-Testers, Developers, SecDevOps, and everyone who aims to work hands-on in Web- and Browser-Security.


      A trainer who is certainly top-notch marriage material (his own words) but sadly no longer on the market. In addition, practical and useful knowledge from someone who has conducted and managed hundreds of pen tests in the past years.


      All slides and helpful material. Access to those via GitHub, including a ticket-tracker for questions after the training. Hands-on exercises via PortSwigger's legendary Web Security Academy.


      The course will be derived from a University lecture, so expect a ratio of 80% lectures and 20% hands-on. Don't expect knowledge about 0-days or secret intel, this course is about learning, understanding, and applying the gained knowledge reasonably.

      About Trainer

      Great looks, athletic posture, melodic voice, latest-trend fashion, and a tiny bit of knowledge about web security and penetration testing.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved