RuhrSec 2025 | Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials

Описание: RuhrSec is the annual English speaking IT security conference with cutting-edge security talks by renowned experts. RuhrSec is organized by Hackmanit.
🔽 More information …

———

Talk // Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials

Abstract //  In this talk, we will delve into why this is the case. To remove XSS payloads, an HTML sanitizer must first parse its input. Then, it determines which parts of the input are dangerous and removes or rewrites them. Lastly, it serializes the transformed input back to its textual form and returns it. This process means a sanitizer is only as strong as the employed HTML parser. Despite HTML looking deceptively simple, implementing an HTML parser is surprisingly complex. While officially specified, parsing HTML has tons of edge cases and quirks. Sanitizers have to implement all of them, effectively mimicking the exact behavior of a browser. Even if a developer pulls off this nontrivial feat, additional pitfalls lie in the differences in behavior between browsers.This talk will show how sanitizers deployed by millions of people fall well short of these goals and are easily bypassable.

We will present MutaGen, a framework that generates HTML fragments prone to abuse parsing implementation differences, so-called parsing differentials. When evaluating the generated fragments on 11 server-side HTML sanitizers, we found that all use deficient parsers. In benign cases, this means the sanitizer mangles harmless input. However, by abusing such parsing differentials we could automatically bypass all but two of them.

———

Biography // David is a PhD candidate at the Institute for Application Security at Technische Universität Braunschweig under the supervision of Martin Johns. His research focus mainly lies in the area of Web Security. However, he's also passionate about privacy and making applications more private and secure through runtime enforcement techniques. He's actively participating in the open source community, maintaining the research browser "Project Foxhound" and the JVM taint engine "Project Fontus". His works have been presented at leading academic conferences (IEEE S&P, Usenix Security, ACM CCS, IEEE EuroS&P, ACSAC, PETS, ...) as well as non-academic venues, e.g., Black Hat EU, RuhrSec, IT Defense, OWASP AppSec SFO, German OWASP Day.

Speaker //
David Klein
GitHub – https://github.com/leeN
Linkedin –   / leinea  
Mastodon – https://chaos.social/@leeN
X–   / ncd_leen  

➡️ Slides - Download
https://www.ruhrsec.de/downloads/slid...

———

🚀 Subscribe to Our Channel:
   / @hackmanit-it-security  

👉 Read More About Interesting It Security Topics on Our Blog:
https://hackmanit.de/en/blog-en

✍️ Want a Deeper Dive
Training courses in Single Sign-On (OAuth, OpenID Connect, and SAML), Secure Web Development, TLS, and Web Services are available here:
https://hackmanit.de/en/training/port...

———

🌍 RuhrSec Conference Website: https://www.ruhrsec.de
🌍 Visit Our Website - Hackmanit: https://hackmanit.de/en

✖️ Follow RuhrSec on X:   / ruhrsec  
✖️ Follow Hackmanit on X:   / hackmanit  

✔ Follow RuhrSec on Linkedin:   / ruhrsec  
✔ Follow Hackmanit on Linkedin:   / hackmanit  

Follow Hackmanit on XING: https://www.xing.com/pages/hackmanitgmbh

———

Thanks for your attention and support. Stay secure. 🫶



#xss #html #parsing #mutagen #framework #hacking #RuhrSec #itsecurity #itsicherheit #cybersecurity #cybersicherheit