Browser security
A browser behaves much like a modern operating system: it ships its own libraries, memory model, allocators and JIT compilers, and most of the write-ups below target its JavaScript engine (JavaScriptCore in WebKit/Safari, V8 in Chrome, SpiderMonkey in Firefox, Chakra in legacy Edge).
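Nearly every write-up linked below ends up converting between doubles and raw 64-bit integers, because JavaScript exposes only IEEE-754 doubles while the value an exploit reads out of bounds (a pointer, a tagged value) has to be handled as an integer. The helpers below, an added example that is not code from this page or from any of the linked papers, show the standard way to do that: one ArrayBuffer aliased through a Float64Array and a BigUint64Array view that share its backing store. The function names ftoi/itof/lo32/hi32 are conventional but assumed here, not taken from any specific write-up.

```javascript
// Added example: float <-> integer conversion helpers used as a building block
// in JavaScript-engine exploits. Names (ftoi, itof, lo32, hi32) are assumptions.
const buf = new ArrayBuffer(8);
const f64 = new Float64Array(buf);     // view 1: the 8 bytes as one double
const u64 = new BigUint64Array(buf);   // view 2: the same 8 bytes as one uint64

// Reinterpret a double's bit pattern as an unsigned 64-bit BigInt.
function ftoi(f) {
  f64[0] = f;
  return u64[0];
}

// Reinterpret an integer (BigInt, truncated to 64 bits) as a double.
function itof(i) {
  u64[0] = BigInt.asUintN(64, i);
  return f64[0];
}

// Engines with pointer compression or 32-bit tagging often need the halves.
function lo32(i) { return BigInt.asUintN(64, i) & 0xffffffffn; }
function hi32(i) { return BigInt.asUintN(64, i) >> 32n; }

// Render as 0x-prefixed hex for debugging leaked values.
function hex(i) { return '0x' + BigInt.asUintN(64, i).toString(16).padStart(16, '0'); }

// Caveat a practitioner wants: a 64-bit value whose top bits land in the
// IEEE-754 NaN space is a NaN when viewed as a double, and engine code paths
// that perform arithmetic (rather than raw typed-array stores) may canonicalize
// it, losing the payload. roundTrips() lets an exploit check a value before
// relying on its double representation; keep such values as BigInt otherwise.
function roundTrips(i) {
  const v = BigInt.asUintN(64, i);
  return ftoi(itof(v)) === v;
}

function demo() {
  const leaked = itof(0x4141414141414141n);   // a constructed "leaked" double
  return { asInt: hex(ftoi(leaked)), one: ftoi(1.0), lo: lo32(0x1122334455667788n) };
}
```

Typed-array stores and loads copy the bit pattern verbatim, which is why this aliasing trick is preferred over any arithmetic-based conversion.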
JavaScriptCore
- Phrack: Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622
- CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime
- Patch Gapping a Safari Type Confusion
- JITSploitation I: A JIT Bug
- JITSploitation II: Getting Read/Write
- This is for the Pwners: Exploiting a WebKit 0-day in PlayStation
- Some Brief Notes on WebKit Heap Hardening
- Step-by-Step Walkthrough of CVE-2022-32792 - WebKit B3ReduceStrength Out-of-Bounds Write
- Exploiting WebKit JSPropertyNameEnumerator Out-of-Bounds Read (CVE-2021-1789)
V8
- Exploiting Logic Bugs in JavaScript JIT Engines by saelo on Phrack
- Intro to Chrome’s V8 from an exploit development angle
- Geluchat/chrome_v8_exploit: A collection of 1days and solutions to challenges related to v8/chrome I developed
- Exploiting the Math.expm1 typing bug in V8
- Modern attacks on the Chrome browser : optimizations and deoptimizations
- Electric Chrome - CVE-2020-6418 on Tesla Model 3
- V8 Exploitation Series
- Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463
SpiderMonkey
- Exploiting CVE-2019-17026 - A Firefox JIT Bug
- But You Told Me You Were Safe: Attacking the Mozilla Firefox Renderer (Part 1)
Links
- browsersploit: an advanced browser exploit pack for internal and external pentesting, helping gain access to internal computers.
- malware-jail: sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction, written for Node.js
- phoenhex.re: pwning WebKit-related browsers
- Learning browser exploitation via 33C3 CTF feuerfuchs challenge
- Timeless Debugging of Complex Software - Root Cause Analysis of a Non-Deterministic JavaScriptCore Bug
- Introduction to SpiderMonkey exploitation
- CVE-2019-0539 Exploitation. Microsoft Edge Chakra JIT Type Confusion
- Writeup for CVE-2019-11707
- saelo/3_years_of_attacking_javascript_engines.txt (gist: three years of attacking JavaScript engines)
- Cleanly Escaping the Chrome Sandbox