awesome-browser-exploit

Share some useful archives about browser exploitation.

I'm just starting to collect what I can found, and I'm only a starter in this area as well. Contributions are welcome.

Chrome v8

Basic

• v8 github mirror(docs within)[github]
• on-stack replacement in v8[article] // multiple articles can be found within
• A tour of V8: Garbage Collection[article]
• A tour of V8: object representation[article]
• v8 fast properties[article]
• learning v8[github]
• Intro to Chrome’s V8 from an exploit development angle[article]
• Introduction to TurboFan[article]
• V8 / Chrome Architecture Reading List - For Vulnerability Researchers

Writeup and Exploit Tech

• Mobile Pwn2Own Autumn 2013 - Chrome on Android - Exploit Writeup[article]
• Exploiting a V8 OOB write[article]
• Pointer Compression in V8[article]
• Exploiting the Math.expm1 typing bug in V8[article]
• Exploiting an Accidentally Discovered V8 RCE
• Escaping the Chrome Sandbox via an IndexedDB Race Condition[article]
• Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox[article]
• Cleanly Escaping the Chrome Sandbox[article]
• Escaping the Chrome Sandbox with RIDL[article]
• You Won't Believe what this One Line Change Did to the Chrome Sandbox[article]

IE

Basic

• Microsoft Edge MemGC Internals[slides]
• The ECMA and the Chakra[slides]

Writeup and Exploit Tech

• 2012 - Memory Corruption Exploitation In Internet Explorer[slides]
• 2013 - IE 0day Analysis And Exploit[slides]
• 2014 - Write Once, Pwn Anywhere[slides]
• 2014 - The Art of Leaks: The Return of Heap Feng Shui[slides]
• 2014 - IE 11 0day & Windows 8.1 Exploit[slides]
• 2014 - IE11 Sandbox Escapes Presentation[slides]
• 2015 - Spartan 0day & Exploit[slides]
• 2015 - 浏览器漏洞攻防对抗的艺术 Art of browser Vulnerability attack and defense (Chinese)[slides]
• 2016 - Look Mom, I don't use Shellcode[slides]
• 2016 - Windows 10 x64 edge 0day and exploit[slides]
• 2017 - 1-Day Browser & Kernel Exploitation[slides]
• 2017 - The Secret of ChakraCore: 10 Ways to Go Beyond the Edge[slides]
• 2017 - From Out of Memory to Remote Code Executio[slides]
• 2018 - Edge Inline Segment Use After Free (Chinese)

Mitigation

• 2017 - CROSS THE WALL-BYPASS ALL MODERN MITIGATIONS OF MICROSOFT EDGE[slides]
• Browser security mitigations against memory corruption vulnerabilities[references]
• Browsers and app specific security mitigation (Russian) part 1[article]
• Browsers and app specific security mitigation (Russian) part 2[article]
• Browsers and app specific security mitigation (Russian) part 3[article]

JSC

Basic

• JSC loves ES6[article] // multiple articles can be found within
• JavaScriptCore, the WebKit JS implementation[article]
• saelo's Pwn2Own 2018 Safari + macOS[exploit]
• WebKit & JSC Architecture Reading List - For Vulnerability Researchers

Writeup and Exploit Tech

• Attacking WebKit Applications by exploiting memory corruption bugs[slides]
• Vulnerability Discovery Against Apple Safari[article]
• A Methodical Approach to Browser Exploitation - six part blog[article]
• Adventures on Hunting for Safari Sandbox Escapes[video]
• JITSploitation I: A JIT Bug[article]
• JITSploitation II: Getting Read/Write[article]
• JITSploitation III: Subverting Control Flow[article]

Firefox

Basic

• SpiderMonkey Internals[article]
• JavaScript:New to SpiderMonkey[article]

Writeup and Exploit Tech

• CVE-2018-5129: Out-of-bounds write with malformed IPC messages[article]
• Firefox Spidermonkey JS Engine Exploitation[article]

Misc

Browser Basic

• Sea of Nodes[articles] // multiple articles can be found within
• LiveOverflow Browser Exploit Series[articles]
• Demystifying Browsers[articles]

Fuzzing

• The Power-Of Pair[slides]
• Browser Fuzzing[slides]
• Taking Browsers Fuzzing To The Next (DOM) Level[slides]
• DOM fuzzer - domato[github]
• browser fuzzing framework - morph[github]
• browser fuzzing and crash management framework - grinder[github]
• Browser Fuzzing with a Twist[slides]
• Browser fuzzing - peach[wiki]
• 从零开始学Fuzzing系列：浏览器挖掘框架Morph诞生记 Learn Fuzzing from Very Start: the Birth of Browser Vulnerability Detection Framework Morph(Chinese)[article]
• BROWSER FUZZING IN 2014:David vs Goliath[slides]
• A Review of Fuzzing Tools and Methods[article]

Writeup and Exploit Tech

• it-sec catalog browser exploitation chapter[articles]
• 2014 - Smashing The Browser: From Vulnerability Discovery To Exploit[slides]
• smash the browser[github]

Collections

• uxss-db
• js-vuln-db

Thanks

• 0x9a82
• swing
• Metnew
• AlirezaChegini
• RobertLarsen