2026-06-04 –, Track 2
A wifi network name that roots your router. A TLS certificate field that takes over hosting accounts. A DNS response that lets you disrupt an ISP's routing. Often these do not get the same scrutiny as a URL parameter or a form field.
DNS debug tools, TLS checkers, network measurement platforms, and router admin interfaces all consume data from protocol fields that were never designed for a browser. Many do not treat that data as untrusted input. When these tools share a trust boundary with something critical, that oversight has consequences.
This talk presents a systematic exploration of injection vulnerabilities across DNS, TLS, HTTP, WHOIS, IRR, wifi, and radio protocol fields, and traces what happens when they reach sensitive systems. The findings range from full account takeover on hosting customer portals to persistent root access on OpenWRT routers. At the more alarming end: disrupting an ISP's routing via a single non-suspicious link to their network admin. None of it required exotic techniques. The payloads are textbook XSS. Their locations and the escalations are not.
The individual vulnerabilities are numerous, but they aren't the most interesting part. The pattern is: protocol field data is routinely excluded from the security model of the tools that render it. The same mistake, in slightly different form, showed up independently across hosting providers, internet registries, and router firmware, built by independent teams with no shared code.
This talk starts mildly entertaining and gets progressively less so.
Sasha Romijn is an independent developer from Amsterdam, specialising in open
source internet infrastructure and internet standards. She maintains essential
internet routing registry software, co-authored several IETF drafts in that
space, maintains internet.nl, and co-chairs a RIPE working group. For fun, Sasha
does cursed things with networks, dabbles in security now and then, and recently
discovered what can happen when you also put marquee tags in everything.