I have to explicitly mention that I really enjoyed all the talks that I visited, not only the talks summarized here.
Disclaimer: On the first day, I was visiting only the HackPra talks. This is because our institute is the organizer of HackPra (http://nds.rub.de/teaching/hackpra/), our company (www.3curity.de) partially supported this event...and there was free beer from GData.
Mario Heiderich: Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-application XSSMy first favourite talk was presented by Mario (heart-breaker, bon-vivant and security researcher from Berlin, see here for more superfluous descriptions http://owaspappseceurope2015.sched.org/speaker/mario_heiderich.1tmieewz). People, who already met Mario, probably know that he always presents some crazy XSS stuff. This was also the case for AppSec.
In his talk, Mario presented what can go wrong when you copy your texts from rich text editors or office documents and paste them directly to your browser, for example to your gmail client. In that case, the browser gets not only the text, but accepts also addition style descriptions and elements. And these styles are usually described by some parsable language, e.g. XML.
One example gives us Open Office that stores the styles in a styles.xml document: