< NULLCON Goa - 2026 />

About the Speaker

Ashish Kataria
Security Architect Engineer, Synacor Inc.

< Talk Title />

The Hidden Cost of Sanitization: How Secure Parsing Can Introduce New XSS Attack Surfaces

< Talk Category />

Technical Speaker

< Talk Abstract />

Input sanitization is treated as a safety net for untrusted HTML, yet modern applications rely heavily on third-party parsers and custom filtering rules without fully understanding their side effects. My research demonstrates that sanitization itself can introduce new XSS attack surfaces not from bypassing the sanitizer, but from unintended behavioral logic created by sanitization rules.

This talk presents real case studies where mature enterprise collaboration platforms became vulnerable to XSS not because sanitization was missing, but because sanitization logic unintentionally created execution paths. Defensive rules designed to strip or rewrite unsafe patterns modified CSS/HTML in such a way that payloads that were originally inert became browser-interpretable and led to DOM-based execution. In other words, the platform’s security layer converted unexploitable markup into exploitable markup.


The session will explore:

  • Why reliance on sanitizers has become a systemic security blind spot
  • How HTML/CSS parsing quirks + regex-based rules create exploitable behavior
  • Payload crafting techniques to exploit sanitizer-induced transformations
  • Why conventional XSS testing fails to catch this vulnerability class
  • Practical methodology for discovering similar flaws in any platform
  • Design principles for “safe sanitization pipelines” to avoid these pitfalls


The takeaway is clear: sanitization errors aren’t mistakes users make - they are mistakes defenders make. If an attacker can predict how the sanitizer will rewrite content, they can turn a “blocked” payload into a valid XSS vector. This class of vulnerability affects any web application or SaaS product that inserts, transforms, or filters user-supplied HTML, and it is only beginning to surface.
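As an added illustration of the sanitizer-induced transformation the abstract describes (example code written for this page, not material from the talk or from any platform it examines), the block below contrasts a single-pass regex strip rule with a fixed-point version and gives the idempotence check a pipeline should enforce. Function names and the sample input are constructed for the example.

```javascript
// Added example, not from the talk: a "strip <script>" rule applied once,
// the same rule driven to a fixed point, and the idempotence check that
// exposes the defect. All names and inputs here are constructed.
const SCRIPT_TAG = /<\/?script[^>]*>/gi;

// Weak rule: removes each <script ...> or </script> token exactly once.
// Whatever the removal leaves behind is never re-examined.
function stripOnce(html) {
  return html.replace(SCRIPT_TAG, "");
}

// Hardened rule: re-apply until the output stops changing, so the rule
// can never hand the browser a token it was meant to remove. Refusing
// non-converging input is safer than emitting a partial result.
function stripToFixedPoint(html, maxRounds = 10) {
  let prev = html;
  for (let i = 0; i < maxRounds; i++) {
    const next = prev.replace(SCRIPT_TAG, "");
    if (next === prev) return next;
    prev = next;
  }
  throw new Error("sanitizer did not converge; reject input");
}

// Design check for any sanitizer: sanitizing its own output must be a
// no-op. A rule that fails this can turn inert markup into live markup.
function isIdempotent(sanitize, input) {
  const once = sanitize(input);
  return sanitize(once) === once;
}

// Constructed input: contains no well-formed <script> tag as written,
// so a browser builds no script element from it. One pass of the weak
// rule removes the inner tokens and splices the outer fragments together.
const INERT_INPUT = "<scr<script>ipt>alert(1)</scr</script>ipt>";

function demo() {
  return {
    weak: stripOnce(INERT_INPUT),            // "<script>alert(1)</script>"
    hardened: stripToFixedPoint(INERT_INPUT), // "alert(1)"
    weakIsIdempotent: isIdempotent(stripOnce, INERT_INPUT),            // false
    hardenedIsIdempotent: isIdempotent(stripToFixedPoint, INERT_INPUT), // true
  };
}
```

The fixed-point loop only repairs this one rule; a pipeline that parses untrusted HTML with a browser-grade parser and serializes an allowlisted tree avoids string rewriting as a class, which is the direction the abstract's "safe sanitization pipelines" points to.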

< Speaker Bio />

Ashish Kataria is a Security Architect at Synacor with extensive experience in securing large-scale collaboration platforms, cloud-based messaging systems, and enterprise web applications. His work spans offensive research, secure architecture design, and mitigation of high-impact vulnerabilities across production environments. Ashish’s core interest lies in identifying security flaws rooted in design assumptions, especially cases where defensive mechanisms accidentally introduce new exploit surfaces. He actively collaborates with product teams and security researchers to drive secure-by-design engineering across the ecosystem.