The training is conducted by a well-known client-side security researcher, Michał Bentkowski (@SecurityMB), who’s known for being on the Google 0x0A top bug hunters list for a few years as well as for bypassing popular HTML sanitizers. In this training Michał delves into XSS (Cross-Site Scripting) issues in modern web applications. Even though XSS has been known since the 1990s, and many protection mechanisms have been figured out since then, the attack is still prevalent in 2020, making many apps vulnerable.
The training starts with the basics, such as getting to know the effects of XSS and learning how to prepare your own payloads, and moves on to more advanced topics like Prototype Pollution or ways to break WAFs, sanitizers, filters or Content-Security-Policy. Michał also shows his arsenal of tricks on how to effectively find XSS using lesser-known DevTools features.
The training will not give you one universal XSS payload to rule them all. But it will give you the right mindset to craft these payloads by yourself. In addition, it is packed with challenges, access to which is active up to three months after the training.
Also, this training covers only modern browsers. No outdated Internet Explorer; only stuff that works in the newest Chrome/Edge, Firefox or Safari.
While the training is focused mostly on presenting attack techniques, defence mechanisms are discussed at the end of all topics.
So if you are a bug hunter or security tester and want to increase your knowledge of where XSS vulnerabilities may occur; or, on the other hand, you are a developer and use modern JS frameworks, or your application accepts HTML from the end-user and you're sanitizing it - the training is for you. You will learn how applications can be attacked as well as what steps can be taken to minimize the risk of these attacks.
We are aware that attending live training courses can be a huge hurdle for people who have hearing loss or have problems understanding spoken English. To accommodate, we use a training platform that generates a live transcription (closed captions) of the trainer's words.
To improve your skills in finding and exploiting XSS vulnerabilities
To understand where XSS can occur in applications and how to defend against it
09:00 - 12:00 - training session
12:00 - 13:00 - lunch break
13:00 - 18:00 - training session
Each session includes a 10-minute break roughly every 90 minutes. The time zone for each session is specified in the registration form.
Modern browsers installed - preferably both Chrome/Edge and Firefox (also Safari for macOS users)
Working headset and stable internet connection - to participate in the training
Perpetual access to presentation
Three-month access to challenges from the training
Access to a private Discord channel with all training participants
Since 2013 he has been working for Securitum - a company based in Poland that specializes in security audits as well as trainings. On a daily basis, Michał focuses on testing the security of web and mobile applications. In his spare time, though, he turns his attention to the world of browsers, and tries to deepen his understanding of how exactly they work and where security issues may await.
Michał is known for his writeups, which he initially shared on his private blog but then moved to research.securitum.com. Most of these writeups describe either bugs found in Google web applications (for which he had been in the top ten list for several years) or bugs in browsers and sanitizers. Here’s a selection of a few well-received writeups:
Since 2015, Michał has been an active training instructor. He's been conducting two web application security trainings in Polish as well as a training aimed at frontend developers. In 2019 alone he delivered over 600 hours of trainings.
If you wish to watch Michał in action, check the videos below!
If you are interested in participating in our remote training "XSS Academy", please fill in the form below. If you wish to organize a closed training for your organization, please contact us.