Browser Exploitation

This is a collection of curated resources I use for research. I found myself pinning tabs - this is to prevent that. My goal is not to repeat information in other repositories, unless I visit them quite often.

./cve contains all my written N-day exploits. Exploits from other authors are explicity credited in the respective README.

Chrome

• Chromium Source
• Chromium Issues
• Case Study: Chrome Sandbox Escapes

v8

• v8 Source
• v8 Issues
• v8 Harvest
• Ignition Opcodes (Interpreter)
• Turbofan Opcodes (Compiler)

Mitigations

• Site Isolation
• PartitionAlloc
• W^X JIT pages

Sandbox Documentation

• Windows
• Linux
• macOS

Tooling

• Turbolizer (Only works with Chrome)
• OmahaProxy

Safari

• Webkit source mirror
• bugmap
• Webkit Security Issues
• APRR explained (iOS) by siguza

JavaScriptCore

• JSC Issues
• B3 docs
• Rust FFI bindings to JSC
• Contemporary JavaScriptCore Exploitation by qwertyoruiop of kjc research

Mitigations

• Gigacage
• Isoheaps
• isoheap management (bmalloc)
• PACCage schema
• ArrayBuffer CagedPtr
• GigaUnCager PoC
• WebCore sandbox profile pulled from macOS 10.15.6 (19G2021)

Firefox

• SpiderMonkey docs
• SpiderMonkey hg source (mercurial)
• SpiderMoney git source (github)
• IonMonkey hg source (mercurial)
• IonMonkey git source (github)
• Gecko Core Security Issues
• IonMonkey Issues
• jandem blog

Mitigations

• W^X JIT pages

Other Repos

• browser-pwn
• awesome-browser-exploit
• JS-Vuln-DB
• saelo blog
• pwn.js
• js-test-suite (ChakraCore, SpiderMonkey, V8, JavaScriptCore)

Fuzzing

• Fuzzilli
• DIE
• fuzzinator
• Nautilus 2.0
• Superion
• libfuzzer-js
• domato
• dharma
• CRScope
• Recently Published

Tooling

Grammar:

• Personal collection
• Picireny Minimizer
• ANTLR v4 Grammars
• SWC: TS,JS -> JS
• Babel: JS -> JS

LSP:

• rtags
• vim-rtags
• dynamorio
• rr
• diaphora