Training 2017 - Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil

From BruCON 2017

Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil

Probably one of the best courses when it comes to exploiting websites and applications returns to BruCON once more. Mario of Cure53 will host this 3-day course and will guide you through the latest and greatest in offensive website security for you to absorb and put to concrete use!

Course Description

More and more web applications delegate business logic to the client. JavaScript, SVG, Canvas, ECMAScript 7/ES2016, AngularJS and ReactJS are just some of the terms that describe the contents of the modern web stack. But what does the attack surface look like for those? What if there are no GET parameters anymore that our scanner can tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web pentests are “so nineties” in this realm, and keeping pace with progress is getting harder and harder. But there is hope...

Course Contents

The focus of this training is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES2016 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps – we have that covered.

HTML is a living standard, and so is this training. The course material will be provided on-site and via access to a private GitHub repository, so all attendees will receive updated material even months after the actual training. All attendees are granted perpetual access to updated slides and material.

Check out one of the many videos of Mario's security talks and research.

Target audience

Whoever works with or against the security of modern web applications will enjoy and benefit from this training. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.


Students should have:

  • A bit of knowledge of HTML and JavaScript

Hardware/software Requirements

  • Laptop with several browsers installed (MSIE, Edge, Firefox and Chrome)


What previous students had to say about this training:

"Pure enjoyment for all 3 days."

"XSS Nirvana"

"The best ever offensive web application security training"

Trainer Biography


Dr.-Ing. Mario Heiderich, Director of Cure53, handsome heart-breaker, bon-vivant and (as he loves to call himself) “security researcher” is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various capitalist conferences with powerpoint-slides and profanities. Wherever Mario goes, bad weather and thunderstorms follow him. Doctors worldwide are clueless about this extraordinary condition of his.

Twitter: @0x6D6172696F

Links:

Mon. 2 - 4 October 2017 (09:00 - 17:00) (3-day) - Novotel Ghent Centrum
