Lukas Weichselbaum's Avatar

Lukas Weichselbaum

@webappsec.dev

Leading Google's web security team. Passionate about web security and making secure-by-default web development the norm. Contributed to web platfom security features like CSP, Fetch Metadata, COOP and Trusted Types.

2,358
Followers 673
Following 55
Posts 18.11.2023
Joined
Posts Following

Latest posts by Lukas Weichselbaum @webappsec.dev

One of my teams at Google, π—”π—œ π—”π—΄π—²π—»π˜ π—¦π—²π—°π˜‚π—Ώπ—Άπ˜π˜†, is expanding in π—­π˜‚π—Ώπ—Άπ—°π—΅ πŸ‡¨πŸ‡­and π—‘π—²π˜„ 𝗬𝗼𝗿𝗸 πŸ‡ΊπŸ‡Έ. We're looking for π—¦π—²π—°π˜‚π—Ώπ—Άπ˜π˜† π—˜π—»π—΄π—Άπ—»π—²π—²π—Ώπ˜€ with experience in attacking and securing AI/ML systems. DMs open.

09.04.2025 18:45 πŸ‘ 5 πŸ” 3 πŸ’¬ 1 πŸ“Œ 0
Release Notes for Safari Technology PreviewΒ 215 Safari Technology Preview Release 215 is now available for download for macOS Sequoia and macOS Sonoma.

Safari Tech Preview 215: Added support for Trusted Types πŸŽ‰

webkit.org/blog/16523/r...

18.03.2025 17:40 πŸ‘ 9 πŸ” 1 πŸ’¬ 0 πŸ“Œ 1
Preview
Security Signals: Making Web Security Posture Measurable At Scale

Excited to present Security Signals with @ddworken.bsky.social and @webappsec.dev, my primary project at Google for the past five years. Thanks, @madwebwork.bsky.social!

Paper: research.google/pubs/securit...
Slides: speakerdeck.com/mikispag/sec...

01.03.2025 07:51 πŸ‘ 12 πŸ” 4 πŸ’¬ 0 πŸ“Œ 1
Preview
Blog: Secure by Design: Google's Blueprint for a High-Assurance Web Framework Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.

Building secure web apps shouldn't be a burden. We've built a high-assurance web framework at Google that makes security easy for developers. Learn about our "Secure by Design" approach and how it works in our new blog post:
bughunters.google.com/blog/6644316...

cc: @ddworken.bsky.social

04.02.2025 09:57 πŸ‘ 18 πŸ” 5 πŸ’¬ 0 πŸ“Œ 1

Thank you!

04.02.2025 10:38 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Blog: Secure by Design: Google's Blueprint for a High-Assurance Web Framework Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.

great list! if you steel have free slots, I'd be grateful to be added as well. I post/blog mostly about web security. Latest: bughunters.google.com/blog/6644316...

04.02.2025 10:25 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
Blog: Secure by Design: Google's Blueprint for a High-Assurance Web Framework Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.

Building secure web apps shouldn't be a burden. We've built a high-assurance web framework at Google that makes security easy for developers. Learn about our "Secure by Design" approach and how it works in our new blog post:
bughunters.google.com/blog/6644316...

cc: @ddworken.bsky.social

04.02.2025 09:57 πŸ‘ 18 πŸ” 5 πŸ’¬ 0 πŸ“Œ 1

Deserved!

26.01.2025 18:19 πŸ‘ 3 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

Added! πŸš€

04.12.2024 22:36 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!) The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog pos...

The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)

bughunters.google.com/blog/6355265...

04.12.2024 18:24 πŸ‘ 6 πŸ” 2 πŸ’¬ 0 πŸ“Œ 0
Preview
Blog: Externalizing the Google Domain Tiers Concept Do you want to know more about the concept of domain tiers, understand how they are applied at Google, and view a list of Google's highest sensitivity domains? Take a look at this blog post to find ou...

I haven't looked into MITRE's methodology, but at Google we're using "domain tiers": bughunters.google.com/blog/4562175...
On TIER0 domains a critical vulnerability (e.g. XSS or authorization bypass) could lead to a full compromise of a user's account or execution of code on their or a cloud system.

02.12.2024 23:28 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Modern solutions against cross-site attacks Modern solutions against cross-site attacks

Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices is always opt-in and finally how YOU can get increased security controls.

27.11.2024 07:50 πŸ‘ 34 πŸ” 19 πŸ’¬ 0 πŸ“Œ 1

Welcome @shhnjk.bsky.social πŸŽ‰

26.11.2024 21:26 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

Thank you πŸ™

26.11.2024 21:24 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

This is my #IT, #Infosec, and #Cybersecurity starter pack.
There’s plenty of room if some people want to be added too. But here are some feeds and people I recommend following

go.bsky.app/QYMa3yN

26.11.2024 21:19 πŸ‘ 18 πŸ” 4 πŸ’¬ 4 πŸ“Œ 0

If you still have a spot, I'd love to get added. I write about web security, web platform security features and safe by design principles

26.11.2024 21:22 πŸ‘ 0 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

These are all good points. One way to get good visibility into XSS issues on sensitive services is via bug bounty programs.
At least this worked very well for us.
Also CSP was a part of our approach of mitigating XSS at scale. See page 7: static.googleusercontent.com/media/public...

26.11.2024 21:13 πŸ‘ 0 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

Yes, this works (and imho the only approach that works at scale). See page 7 of Google's secure by design whitepaper: static.googleusercontent.com/media/public...

26.11.2024 21:10 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Cross-Site Scripting: 2024's Most Dangerous Software In addition to XSS, MITRE and CISA's 2024 list of the 25 most dangerous security vulnerability types (CWEs) also flagged out-of-bounds write, SQL injection, CSRF, and path traversal.

MITRE: Cross-Site Scripting Is 2024's Most Dangerous Software Weakness

www.darkreading.com/application-...

26.11.2024 19:43 πŸ‘ 6 πŸ” 0 πŸ’¬ 5 πŸ“Œ 0

Unfortunately, the only way to make this work right now is by adding 'strict-dynamic' to your CSP. This an issue that comes up frequently, but we haven't so far been able to come up with an elegant way to this address this in the web platform.

cc: @mikewe.st @arturjanc.bsky.social

26.11.2024 18:40 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

Sure, added! Please add me to your Swiss Cyber Security package as well, I've been in CH since more than 10 years now =)

bsky.app/starter-pack...

25.11.2024 14:22 πŸ‘ 0 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

Must have been quite a journey! Congrats!

24.11.2024 19:52 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

Of course! Added! So great that you're here too

24.11.2024 19:38 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

Mamma mia!

23.11.2024 19:39 πŸ‘ 3 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
facebook error

facebook error

netflix error

netflix error

okta error

okta error

whatsapp error

whatsapp error

Handling Cookies is a Minefield:

Inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out.

grayduck.mn/2024/11/21/h...

21.11.2024 17:11 πŸ‘ 168 πŸ” 53 πŸ’¬ 12 πŸ“Œ 8

Congratulations, this is amazing!
Since you asked, our Google CSP/Reporting API collector currently processes ~3.5B reports per day. That's for CSP, COOP, Trusted Types, and custom reporting.
It has enabled us to truly scale up deployment of web platform security features across Google in a safe way

22.11.2024 15:14 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

βœ‹ web security & web platform security features nerd and in a hate/love relationship with CSP (it's complicated)

21.11.2024 21:47 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

Check out @j-opdenakker.bsky.social starter pack too: go.bsky.app/HDnVb6K

21.11.2024 08:29 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

absolutely! Added =)

21.11.2024 07:49 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

Welcome Eduardo πŸ₯³
Added you to the starter pack

21.11.2024 07:47 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0