Coursera Flash Sale
40% Off Coursera Plus for 3 Months!
Grab it
This 30-minute Black Hat conference talk explores why server-side HTML sanitization is fundamentally flawed despite its widespread use in preventing cross-site scripting (XSS) vulnerabilities. Dive into the technical challenges of HTML sanitization, where sanitizers must parse input, identify and remove dangerous elements, and then serialize the transformed content back to text. Learn how the complexity of HTML parsing, with its numerous edge cases and browser-specific quirks, creates inherent weaknesses in sanitizers. Discover MutaGen, a framework that generates HTML fragments specifically designed to exploit parsing differentials—differences in how various parsers interpret the same HTML. See how testing against 11 popular server-side HTML sanitizers revealed that all use deficient parsers, with researchers successfully bypassing all but two through these parsing differentials. Presented by David Klein, Researcher at Technische Universität Braunschweig, this talk demonstrates how seemingly simple HTML can create significant security vulnerabilities in widely-deployed sanitization systems.
