Skip to content

Browsers security

A browser works like a modern operating system and has its own library, memory model etc...

JavascriptCore

Phrack's paper .:: Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622 ::.
CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime
Patch Gapping a Safari Type Confusion
JITSploitation I: A JIT Bug
JITSploitation II: Getting Read/Write
THIS IS FOR THE PWNERS: EXPLOITING A WEBKIT 0-DAY IN PLAYSTATION
Some Brief Notes on WebKit Heap Hardening
Step-by-Step Walkthrough of CVE-2022-32792 - WebKit B3ReduceStrength Out-of-Bounds Write
Exploiting WebKit JSPropertyNameEnumerator Out-of-Bounds Read (CVE-2021-1789)

V8

Exploiting Logic Bugs in JavaScript JIT Engines by saelo on Phrack
Intro to Chrome’s V8 from an exploit development angle
Geluchat/chrome_v8_exploit A collection of 1days and solutions to challenges related to v8/chrome I developed
Exploiting the Math.expm1 typing bug in V8
Modern attacks on the Chrome browser : optimizations and deoptimizations
ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3
V8 Exploitation Series
Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

SpiderMonkey

Links

browsersploit is an advanced browser exploit pack for doing internal and external pentesting, helping gaining access to internal computers.
malware jail Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction. Written for Node.js
phoenhex.re pwning WebKit related browsers
Learning browser exploitation via 33C3 CTF feuerfuchs challenge
Timeless Debugging of Complex Software - Root Cause Analysis of a Non-Deterministic JavaScriptCore Bug
Introduction to SpiderMonkey exploitation
CVE-2019-0539 Exploitation. Microsoft Edge Chakra JIT Type Confusion
Writeup for CVE-2019-11707
saelo/3_years_of_attacking_javascript_engines.txt
Cleanly Escaping the Chrome Sandbox