Trainer Name: Dr.-Ing. Mario Heiderich

Title: Web- & Browser-Security Roundhouse-Kick

Duration: 3 Days

Dates: Sept. 6, 2022 To Sept. 8, 2022

Training Objectives

This 3-day training session, derived from the mighty 7-day coursework at Ruhr-University in Bochum, aims to teach attendees about the most relevant parts of modern web security, from server-side layers all the way up to the browser and the DOM.

Starting at HTTP and the very basics, looking at HTTP Request Smuggling, understanding Cookies, simple and then more advanced injection techniques, and more, the trainer will guide the attendees through a journey covering all that is relevant in the realm of web penetration-testing, securing applications and spotting issues that others might just overlook.

Training level: Basic; Intermediate; Advanced

Training outline

Three days are not a long time for a complex and broad topic like this one, and it depends on many factors on how many topics can be covered.

We'll have the following items on our web security tasting menu and hope to look into as many as possible:

Chapter 1: His­to­ry & Ba­sics

  • The His­to­ry of Web Se­cu­ri­ty and Web At­tacks
  • The His­to­ry of Brow­sers
  • HTML, Ja­va­Script, CSS

Chapter 2: HTTP, Ser­ver, SQLi

  • At­tacks using HTTP and SSL/TLS
  • SQL In­jec­tions
  • Uploads
  • SSRF, XXE & XEE

Chapter 3: Cook­ies, Ses­si­ons, XSS

  • Cook­ies & Ses­si­ons
  • Same Ori­gin Po­li­cy
  • Au­then­ti­ca­ti­on & Autho­riza­t­i­on
  • The Ba­sics of Cross-Si­te Script­ing

Chapter 4: Ad­van­ced XSS

  • Ad­van­ced XSS
  • mXSS and DOM Mu­ta­ti­ons

Chapter 5: Brow­sers & Bey­ond

  • The DOM
  • DOM Clob­be­ring & DOM XSS
  • postM­es­sa­ge XSS

What to Bring?

A working laptop would really be helpful, ideally with software such as Burp or Fiddler preinstalled. The course can be enjoyed without, but it would be sad to miss out on the hands-on exercises.

Training prerequisites:

HTML, CSS, JavaScript as well as HTTP should ring a bell, no expertise is required but basic levels of understanding are helpful for sure.

Who Should Attend?

Penetration-Testers, Developers, SecDevOps, and everyone who aims to work hands-on in Web- and Browser-Security.

What to Expect?

A trainer who is certainly top-notch marriage material (his own words) but sadly no longer on the market. In addition, practical and useful knowledge from someone who has conducted and managed hundreds of pen tests in the past years.

What attendees will get?

All slides and helpful material. Access to those via GitHub, including a ticket-tracker for questions after the training. Hands-on exercises via PortSwigger's legendary Web Security Academy.

What not to Expect?

The course will be derived from a University lecture, so expect a ratio of 80% lectures and 20% hands-on. Don't expect knowledge about 0-days or secret intel, this course is about learning, understanding, and applying the gained knowledge reasonably.

About the Trainer

Great looks, athletic posture, melodic voice, latest-trend fashion, and a tiny bit of knowledge about web security and penetration testing.