Lukas Weichselbaum
Lukas Weichselbaum is a Staff Information Security Engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences.
He's passionate about securing Web applications from common Web vulnerabilities and leads the Google-wide CSP adoption effort. Lukas also co-authored the CSP3 W3C specification and launched CSP Evaluator, a tool for developers and security experts to check if a Content Security Policy serves as a strong mitigation against XSS attacks.
Before joining Google, Lukas worked as a Security Consultant and graduated from Vienna University of Technology in Austria where he researched dynamic analysis of Android malware and founded Andrubis - one of the very first large scale malware analysis platforms for Android applications.
He's passionate about securing Web applications from common Web vulnerabilities and leads the Google-wide CSP adoption effort. Lukas also co-authored the CSP3 W3C specification and launched CSP Evaluator, a tool for developers and security experts to check if a Content Security Policy serves as a strong mitigation against XSS attacks.
Before joining Google, Lukas worked as a Security Consultant and graduated from Vienna University of Technology in Austria where he researched dynamic analysis of Android malware and founded Andrubis - one of the very first large scale malware analysis platforms for Android applications.
Research Areas
Authored Publications
Google Publications
Other Publications
Sort By
Preview abstract
Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented by Apple’s Safari browser, released in October 2017. ITP aims to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data.
As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search).
This report is a modestly expanded version of our original vulnerability submission to Apple (WebKit bug #201319), providing additional context and edited for clarity. A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019.
View details
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy
Artur Janc
Proceedings of the 23rd ACM Conference on Computer and Communications Security, ACM, Vienna, Austria (2016)
Preview abstract
Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting (XSS), the top security vulnerability in modern web applications. In this paper, we take a closer look at the practical benefits of adopting CSP and identify significant flaws in real-world deployments that result in bypasses in 94.72% of all distinct policies.
We base our Internet-wide analysis on a search engine corpus of approximately 100 billion pages from over 1 billion hostnames; the result covers CSP deployments on 1,680,867 hosts with 26,011 unique CSP policies – the most comprehensive study to date. We introduce the security-relevant aspects of the CSP specification and provide an in-depth analysis of its threat model, focusing on XSS protections. We identify three common classes of CSP bypasses and explain how they subvert the security of a policy.
We then turn to a quantitative analysis of policies deployed on the Internet in order to understand their security benefits. We observe that 14 out of the 15 domains most commonly whitelisted for loading scripts contain unsafe endpoints; as a consequence, 75.81% of distinct policies use script whitelists that allow attackers to bypass CSP. In total, we find that 94.68% of policies that attempt to limit script execution are ineffective, and that 99.34% of hosts with CSP use policies that offer no benefit against XSS.
Finally, we propose the ’strict-dynamic’ keyword, an addition to the specification that facilitates the creation of policies based on cryptographic nonces, without relying on domain whitelists. We discuss our experience deploying such a nonce-based policy in a complex application and provide guidance to web authors for improving their policies.
View details
No Results Found
