Remote training

XSS Academy

Learn how to find and defend against Cross-Site Scripting issues in modern web applications

Conducted by Michał Bentkowski

, well-known researcher of client-side security


The training is conducted by a well-known client-side security researcher, Michał Bentkowski (@SecurityMB), who’s known for being Google 0x0A top bug hunters list for a few years as well for bypassing popular HTML sanitizers. In this training Michał delves into XSS (Cross-Site Scripting) issues in modern web applications. Even though XSS is known since the 1990s, and many protection mechanisms have been figured out since then, the attack is still prevalent in 2020 making many apps vulnerable.

The training starts with the basics, such as getting to know the effects of XSS and learning how to prepare your own payloads, moving to more advanced topics like Prototype Pollution or ways to break WAFs, sanitizers, filters or Content-Security-Policy. Michał also shows his arsenal of tricks on how to effectively find XSS using less known DevTools features.

The training will not give you one universal XSS payload to rule them all. But it will give you the right mindset to craft these payloads by yourself. In addition, it is packed with challenges, access to which is active up to three months after the training.

Also, this training covers only modern browsers. No outdated Internet Explorer; only stuff that works in newest Chrome/Edge, Firefox or Safari.

While the training is focused mostly on presenting attack techniques, defence mechanisms are discussed at the end of all topics.

So if you are a bug hunter or security tester and want to increase your knowledge of where XSS vulnerabilities may occur; or, on the other hand, you are a developer and use modern JS frameworks, or your application accepts HTML from the end-user and you're sanitizing it - the training is for you. You will learn how applications can be attacked as well as what steps can be taken to minimize the risk of these attacks.


We are aware that attending live training courses for people who have hearing loss or have problems understanding spoken English can be a huge hurdle. To accomodate, we use a training platform that generates a live transcription (closed captions) of the trainer's words.

Who should attend...

Security engineers / testers

To improve your skills in finding and exploiting XSS vulnerabilities


To understand where XSS can occur in the applications and how to defend against them

Technical people

If you simply love learning technical stuff, this training will let you learn a large amount of interesting browser features, HTML parsers and JavaScript


Day 1

  1. Basics
    1. Same Origin Policy
    2. Concept of sources and sinks
    3. Effects of XSS
  2. HTML parsing and serialization
    1. General rules of HTML parsing and serialization
    2. Foreign content
    3. Special parsing of certain HTML elements
    4. Mutation XSS
  3. XSS contexts
    1. Typical XSS contexts
    2. Approach for exploiting XSS in typical contexts
    3. Preparing XSS polyglot
  4. Breaking parsers, sanitizers and WAFs
    1. How sanitizers work
    2. Approach for breaking sanitizers
    3. How WAFs work
    4. Breaking WAFs
    5. Useful JavaScript syntax features
  5. Content Security Policy (CSP)
    1. Basic of CSP
    2. CSP bypasses
    3. Finding script gadgets
  6. Prototype pollution
    1. Explanation of prototype-based inheritance
    2. Root causes of prototype pollution
    3. Sinks and sources of prototype pollution (with examples on popular libraries)

Day 2

  1. Popular JavaScript libraries and how they affect security
    1. AngularJS (1.x)
    2. Angular (2+)
    3. Knockout
    4. React
    5. Polymer
  2. DevTools
    1. Using power of DevTools to identify sources and sinks of XSS
    2. Abusing Trusted Types as a means to find XSS
  3. Blind XSS
    1. Identifying blind XSS
    2. Preparing exploit for blind XSS
  4. DOM Clobbering
    1. Basics of DOM Clobbering
    2. Effects of DOM Clobbering on modern applications
  5. Copy&Paste XSS
    1. Root cause of copy&paste XSS
    2. Copy&paste XSS in WYSIWYG editors
  6. Self-XSS
    1. What is "self-XSS"
    2. Turning self-XSS into a “real” XSS

Training day schedule

09:00 - 12:00 - training session
12:00 - 13:00 - lunch break
13:00 - 18:00 - training session

Each session consists of 10-minute break roughly every 90 minutes. The time zone for each session is specified in the registration form.

Student requirements

  • Basic HTML and JavaScript knowledge - needed to understand concepts discussed in the training

  • Modern browsers installed - preferable both Chrome/Edge and Firefox (also Safari for macOS users)

  • Working headset and stable internet connection - to participate in the training

After training

  • Perpetual access to presentation

  • Three-month access to challenges from the training

  • Access to a private Discord channel with all training participants


Michał Bentkowski (@SecurityMB)

Pentester, training instructor and researcher of client-side security issues

Since 2013 he has been working for Securitum - a company based in Poland that specializes in security audits as well as trainings. On a daily basis, Michał focuses on testing the security of web and mobile applications. In his spare time, though, he turns his attention to the world of browsers, and tries to deepen his understanding of how they exactly work and where security issues may await.

Michał is known for his writeups, which he initially shared on his private blog but then moved to Most of these writeups describe either bugs found in Google web applications (for which he had been in the top ten list for several years) or bugs in browsers and sanitizers. Here’s a selection of a few well-received writeups:

Since 2015, Michał has been an active training instructor. He's been conducting two web application security trainings in Polish as well as training aimed to frontend developers. In 2019 alone he delivered over 600 hours of trainings.

If you wish to watch Michał in action, check the videos below!

Sign Up

If you are interested in participating in our remote training "XSS Academy", please fill in the form below. If you wish to organize a closed training for your organization, please contact us

  • For the first 15 participants, the price is 997 EUR net (+23% VAT)

  • Regular price is 1449 EUR net (+23% VAT)