Michał Bentkowski (@SecurityMB) 🦻

598 Followers
92 Following
84 Posts
Information security engineer at Google. Opinions are mine.
Personal website: https://bentkowski.info
Twitter: https://twitter.com/SecurityMB

Google CTF is on! Here's a challenge that I created:
* https://capturetheflag.withgoogle.com/challenges/web-lost-in-transliteration.

Good luck 😀

Google CTF

Firefox 140 just shipped, which means Firefox will now escape less-than (<) and greater-than (>) symbols when serializing HTML attributes.

HTML spec change:
https://github.com/whatwg/html/issues/6235

Firefox release notes:
https://www.mozilla.org/en-US/firefox/140.0/releasenotes/

Escape "<" and ">" in attributes when serializing HTML · Issue #6235 · whatwg/html

I'm submitting this issue after a short discussion on Twitter with @zcorpan today. I think we should change the rules of escaping a string in attribute mode, and also escape < and > to &lt; and &gt...

GitHub
@zcorpan Do you think we should create a spec issue for this? Or would a Chromium bug be enough for now? I'd just like to discuss some details before implementing the use counters. Those places seem more appropriate for that than Mastodon 😅

@zcorpan I think we'd have to ensure consistency for all tags, including `<xmp>` for example, right?

I assume we'd need to add some use counters first. My intuition is that we'd have to check whether tags such as <script> or <style> in non-HTML namespaces have non-text-nodes as children. Is there something else?

Today we published two blog posts about an HTML specification change that makes mutation XSS harder to exploit! Long story short: `<` and `>` are now escaped in attributes.

* Blog post about security rationale behind this change: https://bughunters.google.com/blog/5038742869770240/escaping-and-in-attributes-how-it-helps-protect-against-mutation-xss
* Blog post about how it affects web developers: https://developer.chrome.com/blog/escape-attributes?hl=en

Blog: Escaping '<' and '>' in attributes – How it helps protect against mutation XSS

The HTML specification has been updated to escape '<' and '>' in attributes to prevent mutation XSS (mXSS) vulnerabilities. This post details the reasoning behind this change and explains why this update improves security.
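The serializer rule the post refers to, as an added example that is not code from the post or the linked blog posts: the spec's "escaping a string" in attribute mode before and after whatwg/html#6235, a tiny start-tag serializer over a constructed `{name, attrs}` record (a stand-in for a DOM element), a check that the output carries no raw angle brackets inside attribute values, and a feature test a page can run in a browser to see which rule its engine applies.

```javascript
// Attribute-mode escaping as the spec defined it before the change:
// only '&', U+00A0 and '"' are replaced. '<' and '>' pass through.
function escapeAttributeLegacy(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/"/g, '&quot;');
}

// Attribute-mode escaping after the change: '<' and '>' are escaped too,
// so a serialized attribute value can never contain a raw tag delimiter.
function escapeAttribute(value) {
  return escapeAttributeLegacy(value)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Serialize one start tag from a plain {name, attrs} record (constructed
// stand-in for an Element; the real serializer walks the DOM).
function serializeStartTag(el, escapeFn) {
  const attrs = Object.entries(el.attrs)
    .map(([k, v]) => ` ${k}="${escapeFn(v)}"`)
    .join('');
  return `<${el.name}${attrs}>`;
}

// Defensive check: after stripping the tag's own '<' and '>', is there any
// angle bracket left? With the new rule the answer is always "no", which is
// what removes the foothold that mutation XSS relied on.
function hasRawAngleBracketsInAttributes(startTag) {
  const inner = startTag.slice(1, -1);
  return /[<>]/.test(inner);
}

// Feature detection for a real browser: pass `document` and it reports
// whether innerHTML serialization escapes '<' in attribute values.
function browserEscapesAngleBrackets(doc) {
  const div = doc.createElement('div');
  div.setAttribute('data-x', '<');
  return div.innerHTML.includes('&lt;');
}

// Constructed sample: an attribute value carrying tag-like text.
const sample = { name: 'div', attrs: { title: 'a <b> "c" & d' } };
const legacyOut = serializeStartTag(sample, escapeAttributeLegacy);
const newOut = serializeStartTag(sample, escapeAttribute);
console.log(legacyOut, hasRawAngleBracketsInAttributes(legacyOut)); // raw '<' survives
console.log(newOut, hasRawAngleBracketsInAttributes(newOut));       // no raw '<' or '>'
```

In a browser, `browserEscapesAngleBrackets(document)` returns true on engines that have shipped the change (Chromium, Firefox 140) and false on older ones.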

@cure53 Thanks for confirmation, that makes sense!

@cure53

I'm curious: the change is currently only implemented in Chromium (although other browsers should follow soon). Wouldn't this still be a bug in the app in other browsers? (Unless the escaping is done server-side).

@freddy Yes, https://livedom.bentkowski.info is the new canonical URL. I don't have any control over the old URL anymore.
LiveDOM NG

So I'm starting a YouTube channel 😄 Join me today at 19:00 CEST (in other words: in three hours) when I'll talk about 10 highlights from my bug hunting career:

https://www.youtube.com/watch?v=utz3SHitxf0

10 Highlights From My Bug Hunting Career (and opening my YouTube channel)

Come say "hello" on the first video on my YouTube Channel where I will talk about 10 highlights from my bug hunting career!

YouTube