Lukas Weichselbaum
@webappsec.dev
Leading Google's web security team.
Passionate about web security and making secure-by-default web development the norm. Contributed to web platform security features like CSP, Fetch Metadata, COOP and Trusted Types.
Thank you!
February 4, 2025 at 10:38 AM
Great list! If you still have free slots, I'd be grateful to be added as well. I post/blog mostly about web security. Latest: bughunters.google.com/blog/6644316...
Blog: Secure by Design: Google's Blueprint for a High-Assurance Web Framework
Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.
bughunters.google.com
February 4, 2025 at 10:25 AM
Deserved!
January 26, 2025 at 6:19 PM
Added! 🚀
December 4, 2024 at 10:36 PM
I haven't looked into MITRE's methodology, but at Google we're using "domain tiers": bughunters.google.com/blog/4562175...
On TIER0 domains a critical vulnerability (e.g. XSS or authorization bypass) could lead to a full compromise of a user's account or execution of code on their or a cloud system.
Blog: Externalizing the Google Domain Tiers Concept
Do you want to know more about the concept of domain tiers, understand how they are applied at Google, and view a list of Google's highest sensitivity domains? Take a look at this blog post to find ou...
bughunters.google.com
December 2, 2024 at 11:28 PM
Thank you 🙏
November 26, 2024 at 9:24 PM
If you still have a spot, I'd love to get added. I write about web security, web platform security features and safe by design principles
November 26, 2024 at 9:22 PM
These are all good points. One way to get good visibility into XSS issues on sensitive services is via bug bounty programs.
At least this worked very well for us.
Also CSP was a part of our approach of mitigating XSS at scale. See page 7: static.googleusercontent.com/media/public...
static.googleusercontent.com
November 26, 2024 at 9:13 PM
Yes, this works (and imho the only approach that works at scale). See page 7 of Google's secure by design whitepaper: static.googleusercontent.com/media/public...
static.googleusercontent.com
November 26, 2024 at 9:10 PM
Unfortunately, the only way to make this work right now is by adding 'strict-dynamic' to your CSP. This is an issue that comes up frequently, but we haven't so far been able to come up with an elegant way to address this in the web platform.

cc: @mikewe.st @arturjanc.bsky.social
November 26, 2024 at 6:40 PM
Sure, added! Please add me to your Swiss Cyber Security package as well, I've been in CH for more than 10 years now =)

bsky.app/starter-pack...
November 25, 2024 at 2:22 PM
Must have been quite a journey! Congrats!
November 24, 2024 at 7:52 PM
Of course! Added! So great that you're here too
November 24, 2024 at 7:38 PM
Mamma mia!
November 23, 2024 at 7:39 PM