Mario Heiderich
Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than, leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled powerpoint-slides.
Talk
XSS is dead? It's 2019 and we still don't get it.
XSS is more than twenty years old by now and appears to still be alive
and kicking. JavaScript alerts are popping left and right on a daily
basis and bug bounty programs are drowning in submissions.
And that is all despite our great efforts to get rid of this
vulnerability class from each and every thinkable angle. What haven't we
tried in order to solve it? Nothing, right?
This talk will be an hour-long rant, paired with a stroll through the
history of XSS and related issues. We will go back into the year 1998
and see how it all started, how things developed, what we tried to do
against it and how hard we failed every single time. We will also look
at the future and predict what is about to happen next.
Mostly nothing - but at least that's good to know, right?
We will not only look at our own failures but also see how the entire
infrastructure and monetization of the web contributed to us simply not
being capable of, or even just willing to, fix XSS. And we might as well
see if any of those behavioral and structural patterns can be compared
to other human failures - and see if there is something we all can
learn.
One year ago, this talk was presented for the first time and boy, people
were angry afterwards! Let's see where we arrived by now and if we can
manage to trigger them again.
Workshop
OFFENSIVE HTML, SVG, CSS AND OTHER BROWSER-EVIL
More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES6, AngularJS and ReactJS are just some terms that describe the contents of the modern web stack. But how does the attack surface look for those? What if there are no GET parameters left for our scanners to tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web pentests are "so nineties" in this realm. And keeping pace with progress is getting harder and harder.
But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We'll learn how to attack any web-application with either unknown legacy features - or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES6 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps - we have that covered.
Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.
HTML is a living standard. And so is this workshop. Course material will be provided on-site and via access to a private GitHub repo, so all attendees will receive updated material even months after the actual training.
Course Outline:
First Segment
- The very Basics
- HTTP / Encoding
- Character Sets
- CSRF in detail
- Cross-Site Scripting
- DOM Clobbering
- Drag & Drop / Copy & Paste
- DOMXSS
- Legacy Features
Second Segment
- HTML5 Attacks & Vectors
- SVG
- XML
- Mutation XSS / mXSS
- Scriptless Attacks
- SOP Bypasses
- Filter Bypasses
- Optimizing your Payload