From reporting self-XSSes to improving browser security mechanisms - Michał Bentkowski
Sep 6, 2023
Michał Bentkowski specializes in crazy XSS bugs and now works on improving browser security at Google. The episode covers bug-prevention efforts, browser updates and serialization issues, the transition from simple bugs to complex ones, analyzing client-side issues, the discovery of ARP spoofing, the value of diverse backgrounds, prototype pollution in bug bounties, and his plans for a YouTube channel and client-side HTML sanitization.
Michał Bentkowski moved from reporting bugs to preventing and mitigating whole vulnerability classes in browsers at Google.
By changing browser specifications and implementations, Michał's team protects users of every site at once, including applications that are no longer maintained.
Michał stresses keeping up with browser changes and following relevant people on Twitter, since new features and the vulnerabilities they bring are often announced there first.
Deep dives
Transition from Bug Reporting to Improving Browser Security
The podcast episode features Michał Bentkowski, a cybersecurity expert who started his career as a bug reporter and eventually moved to Google to improve browser security mechanisms. Michał shares his background and journey, explaining how he shifted from finding vulnerabilities to preventing and mitigating them. He discusses his work on Google's Information Security Engineering team, where he works to eliminate entire bug classes in the web platform by changing specifications and browser implementations. The episode highlights why browser updates matter: a single change ships to every user and immediately raises the security of every application that runs in that browser.
Working on Bug Classes and Bug Prevention
Michał discusses his role on the Information Security Engineering team at Google, specifically focusing on preventing bug classes in the web platform. His team aims to change specifications and browser implementations so that security improves without developers having to modify individual applications. Because the fix lives in the browser, users stay protected even when an application is no longer maintained. Michał notes that such changes frustrate attackers who depend on a specific browser behaviour for their technique. He also highlights the main constraint on this work: an improvement must not break backward compatibility with existing sites, which limits how aggressively behaviour can be changed.
Exploration of Mutation XSS and Related Vulnerabilities
Michał discusses his current focus on preventing mutation XSS (mXSS) and related problems such as serialization issues, that is, cases where serializing a DOM tree (for example via innerHTML) and parsing the result again yields a different tree. He explains the root causes of mXSS and the difficulty of serializing attributes and style tags safely in HTML. Michał shares insights into the risks created by these serialization discrepancies and how they become exploitable. He also discusses how hard it is to analyze the usage and impact of a change, especially when usage statistics show that the behaviour being changed is relied on by a large share of existing pages. Additionally, he stresses the importance of feedback and testing for experimental web platform features, to confirm compatibility and surface security risks before they ship by default.
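The discrepancy described above can be shown without a browser. The block below is an added example, not code from the podcast or from Michał's or Google's work: a miniature model of the HTML fragment serialization rules (raw text elements such as style and script are emitted verbatim; attribute values never get their < and > escaped) plus a toy parser, enough to demonstrate that parse(serialize(tree)) can differ from tree. All names here (el, txt, serialize, parse, rawTextHazards, roundTripPreserved) and the sample trees are this example's own constructions; real browsers use the full HTML parser.

```javascript
// Added example (not the podcast's or Chromium's code): a toy model of the
// HTML serialization algorithm and parser, to show the mXSS round-trip gap.

// Elements whose text is serialized verbatim, never entity-escaped. The spec
// also treats <noscript> this way when scripting is enabled.
const RAW_TEXT = new Set(["style", "script", "xmp", "iframe", "noembed", "noframes"]);
// Void elements: serialized without an end tag and never given children.
const VOID = new Set(["img", "br", "input", "meta", "link", "hr"]);

const el = (tag, attrs = {}, children = []) => ({ tag, attrs, children });
const txt = (text) => ({ text });

// Escaping rules of the serialization algorithm: attribute values only get
// & " and nbsp escaped (< and > stay as-is); text gets & < > and nbsp.
function escapeText(s, inAttr) {
  s = s.replace(/&/g, "&amp;").replace(/\u00a0/g, "&nbsp;");
  return inAttr ? s.replace(/"/g, "&quot;") : s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// innerHTML-style serialization of a node's children.
function serialize(node) {
  let out = "";
  for (const c of node.children) {
    if ("text" in c) {
      out += RAW_TEXT.has(node.tag) ? c.text : escapeText(c.text, false);
      continue;
    }
    out += "<" + c.tag;
    for (const [k, v] of Object.entries(c.attrs)) out += ` ${k}="${escapeText(v, true)}"`;
    out += ">";
    if (!VOID.has(c.tag)) out += serialize(c) + "</" + c.tag + ">";
  }
  return out;
}

const decode = (s) =>
  s.replace(/&(lt|gt|amp|quot|nbsp);/g, (_, n) => ({ lt: "<", gt: ">", amp: "&", quot: '"', nbsp: "\u00a0" })[n]);

// Toy parser: quoted attributes only, stray end tags ignored, raw text
// elements swallow everything up to their own end tag. Not a real HTML parser.
function parse(html) {
  const root = el("#root");
  const stack = [root];
  let i = 0;
  while (i < html.length) {
    const top = stack[stack.length - 1];
    if (html[i] !== "<") {
      const j = html.indexOf("<", i);
      const end = j === -1 ? html.length : j;
      top.children.push(txt(decode(html.slice(i, end))));
      i = end;
      continue;
    }
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:="[^"]*")?)*)\s*>/.exec(html.slice(i));
    if (!m) { top.children.push(txt("<")); i += 1; continue; }
    i += m[0].length;
    const tag = m[2].toLowerCase();
    if (m[1]) {
      const idx = stack.map((n) => n.tag).lastIndexOf(tag);
      if (idx > 0) stack.length = idx; // close the element and everything inside it
      continue;
    }
    const attrs = {};
    for (const a of m[3].matchAll(/([^\s=>]+)(?:="([^"]*)")?/g)) attrs[a[1].toLowerCase()] = a[2] === undefined ? "" : decode(a[2]);
    const node = el(tag, attrs);
    top.children.push(node);
    if (VOID.has(tag)) continue;
    if (RAW_TEXT.has(tag)) {
      const close = html.slice(i).search(new RegExp("</" + tag + "[\\s/>]", "i"));
      const end = close === -1 ? html.length : i + close;
      node.children.push(txt(html.slice(i, end))); // no decoding, no tags inside
      i = end;
      continue;
    }
    stack.push(node);
  }
  return root;
}

// Does parse(serialize(tree)) give the same tree back? If not, anything that
// reads innerHTML and writes it again (editors, sanitizers, copy/paste) acts
// on a different DOM than the one it inspected.
function roundTripPreserved(tree) {
  const once = serialize(tree);
  return once === serialize(parse(once));
}

function hasElementWithAttr(node, tag, attr) {
  return node.children.some((c) => !("text" in c) && ((c.tag === tag && attr in c.attrs) || hasElementWithAttr(c, tag, attr)));
}

// The check to run before trusting a round trip: a raw text element whose
// text contains its own end tag gets cut short on re-parse.
function rawTextHazards(node, path = node.tag, found = []) {
  for (const c of node.children) {
    if ("text" in c) {
      if (RAW_TEXT.has(node.tag) && new RegExp("</" + node.tag + "[\\s/>]", "i").test(c.text)) found.push(path);
    } else {
      rawTextHazards(c, path + ">" + c.tag, found);
    }
  }
  return found;
}

// Constructed sample trees. The second models style.textContent = "..." set
// through the DOM API, so the text was never parsed as HTML.
const safeTree = el("#root", {}, [el("div", {}, [el("style", {}, [txt("a{color:red}")])])]);
const mxssTree = el("#root", {}, [el("div", {}, [el("style", {}, [txt('</style><img src="x" onerror="alert(1)">')])])]);

console.log(serialize(mxssTree));          // the <img> comes out unescaped
console.log(roundTripPreserved(safeTree)); // true
console.log(roundTripPreserved(mxssTree)); // false
console.log(rawTextHazards(mxssTree));     // [ '#root>div>style' ]
```

The original mxssTree contains no img element at all; it only appears after the serialized string is parsed again, which is exactly the position a sanitizer or rich-text editor is in when it inspects one tree and the browser later renders another. rawTextHazards is the cheap pre-check for this particular case; the general defence is to never assume that serialize and parse are inverses.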
Transitioning to Advanced Bug Hunting
The podcast episode discusses the transition from hunting simple bugs to more advanced work. The speaker explains that his bug-hunting career started with finding large numbers of vulnerable applications through Google hacking (search-engine queries for exposed or misconfigured targets). When that well ran dry, he began digging deeper into well-known applications, motivated in part by the research grants Google offered. This shift led him to study how applications work internally, how they transform and process their inputs, and where their bugs originate. The speaker stresses that the move to advanced bug hunting came with experience and with a desire for more interesting challenges.
Approach and Tools for Bug Hunting
In this segment, the podcast explores the speaker's bug-hunting approach and tooling. He relies on dynamic analysis and prefers the Chromium DevTools for client-side issues. He uses scripts and browser extensions to automate certain tasks, such as type-based JavaScript deobfuscation, and leans on breakpoints, conditional breakpoints, and logpoints (breakpoints that log values instead of pausing execution) in DevTools to follow and understand the code. He also uses frameworks like Puppeteer to drive Chromium when an application's behaviour gets in the way of manual testing. Finally, he stresses keeping up with browser changes, following relevant people on Twitter, and watching for the official documentation or tweets that first introduce a new feature or vulnerability.