Michał Bentkowski (@SecurityMB) 🦻

Information security engineer at Google. Opinions are mine.
Personal website: https://bentkowski.info
Twitter: https://twitter.com/SecurityMB

Google CTF is on! Here's a challenge that I created:
* https://capturetheflag.withgoogle.com/challenges/web-lost-in-transliteration.

Good luck 😀

Google CTF

Firefox 140 just shipped, which means Firefox will now escape less-than (<) and greater-than (>) symbols when serializing HTML attributes.

HTML spec change:
https://github.com/whatwg/html/issues/6235

Firefox release notes:
https://www.mozilla.org/en-US/firefox/140.0/releasenotes/

Escape "<" and ">" in attributes when serializing HTML · Issue #6235 · whatwg/html

I'm submitting this issue after a short discussion on Twitter with @zcorpan today. I think we should change the rules of escaping a string in attribute mode, and also escape < and > to &lt; and &gt...

Today we published two blog posts about an HTML specification change that makes mutation XSS harder to exploit! Long story short: `<` and `>` are now escaped in attributes.

* Blog post about security rationale behind this change: https://bughunters.google.com/blog/5038742869770240/escaping-and-in-attributes-how-it-helps-protect-against-mutation-xss
* Blog post about how it affects web developers: https://developer.chrome.com/blog/escape-attributes?hl=en

Blog: Escaping '<' and '>' in attributes – How it helps protect against mutation XSS

The HTML specification has been updated to escape '<' and '>' in attributes to prevent mutation XSS (mXSS) vulnerabilities. This post details the reasoning behind this change and explains why this update improves security.

So I'm starting a YouTube channel 😄 Join me today at 19:00 CEST (in other words: in three hours) when I'll talk about 10 highlights from my bug hunting career:

https://www.youtube.com/watch?v=utz3SHitxf0

10 Highlights From My Bug Hunting Career (and opening my YouTube channel)

Come say "hello" on the first video on my YouTube Channel where I will talk about 10 highlights from my bug hunting career!


My Twitter account BugsChromium is now also on Mastodon. You can follow @bugschromium if you wanna be up-to-date on Chromium disclosed bugs 😃

@jerry are you okay with bots registered on this instance? I'd like to create an equivalent of https://twitter.com/BugsChromium here.

Chromium Disclosed Security Bugs (@BugsChromium) / Twitter

Tweets publicly disclosed bugs in Chromium. Not affiliated with Google. Run by @SecurityMB. Website: https://t.co/G14BFMBI40


I must say I'm pretty excited 😁

I just added the side-by-side generation of DOM trees. You can test it on parser called "iframe (with scripts vs without scripts)".

For people who use my LiveDOM++ tool. I decided to create a new version of it here: https://livedom.bentkowski.info/

While currently there aren't really any new features compared to the previous version, I'm planning to add some new ones in the next few days, such as the ability to generate two DOM trees side by side.

Also, the source is now open: https://github.com/securityMB/livedom

LiveDOM NG

The 2022 curl security audit | daniel.haxx.se