Awesome browser security

A curated list of awesome browser security learning material.

0. Scoping philosophy

The overarching goal of this document is to provide a list of materials to consume to get a good understanding of browser security.

Contributions are welcome. Please file one PR per change.

In scope

• Security of the browser product.
• Web security issues involving a browser.

Out of scope

• Web privacy issues.
• Server-side web security issues.

Preferred sources

• High-quality, in-depth introductory materials.
• Source materials.
• Important research papers.
• Docs available online for free.

1. General introductions

• Chromium security website - lots of useful documents that will paint you a good picture of this highly nuanced domain.
• The Security Architecture of the Chromium Browser (2008).
• Chrome University (2019) - YT playlist of introductory talks on various aspects of Chromium development. Talks on security, browser's anatomy, mojo, and browser's process are must-have.
• Web Browser Engineering by Pavel Panchekha & Chris Harrelson.
• High Performance Browser Networking (2013) by Ilya Grigorik - free book on browser networking.
• The Tangled Web (2011) by Michal Zalewski - a bit dated, but still mostly relevant.
• The Web Application Hacker's Handbook (2011) by Dafydd Stuttard - dated, but interesting.

Security assessments

Publicly available security assessments of browsers.

• Cure53 Browser Security White Paper (2017) by Cure53.
• X41 Browser Security White Paper (2017) by X41 D-Sec.

Key concepts

Formal definitions, known issues, state-of-the-art.

• Public Suffix List (PSL) - what PSL is and what are its known use cases.
• Public Suffix List Problems (2019) by Ryan Sleevi - excellent article on why PSL should be discontinued.
• [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, DOI 10.17487/RFC6454, December 2011, https://www.rfc-editor.org/info/rfc6454.
• [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, DOI 10.17487/RFC6265, April 2011, https://www.rfc-editor.org/info/rfc6265.
• [RFC6265bis] Chen, L., Englehardt, S., West, M., Wilander, J., "Cookies: HTTP State Management Mechanism", https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/.
• HTTP State Tokens - interesting statement on the tragedy of cookies and how it could be solved.

2. Security challenges and corresponding mitigations

Memory safety

Root cause for ~70% of browser's bugs.

• Introduction to Chromium's memory safety.
• V8 Sandbox - External Pointer Sandboxing (2022) - new hardening measures for V8.
• MiraclePtr One Pager (2021).
• MiraclePtr The UaF Slayer [BlinkOn 16] (2022).
• Retrofitting Temporal Memory Safety on C++ (2022).

Spectre

How Spectre affected browser's security.

• Chromium's Post-Spectre Threat Model Re-Think.
• What Spectre and Meltdown Mean For WebKit by Filip Pizlo.
• Post-Spectre Web Development, W3C First Public Working Draft, 16 March 2021.
• A Spectre-shaped Web by Anne van Kesteren.
• CORB.

Transport security

Mitigating active and passive network attackers.

• Certificate Transparency in Google Chrome: Past, Present, and Future (2021).
• Mixed content, W3C Candidate Recommendation Draft, 4 October 2021.
• Subresource Integrity, W3C Recommendation 23 June 2016.
• Upgrade Insecure Requests, W3C Candidate Recommendation, 8 October 2015.

Cross Site Scripting (XSS)

Attacks on the integrity of JavaScript code.

• Cross-site scripting - good introduction to the problem.
• Content Security Policy 1.0, W3C Working Group Note 19 February 2015.
• Content Security Policy Level 2, W3C Recommendation, 15 December 2016.
• Trusted Types, Editor’s Draft, 1 June 2022.
• HTML Sanitizer API, Draft Community Group Report, 13 July 2022.

Cross Site Request Forgery (CSRF)

Abusing cookie-based session management to forge requests.

• Cross-site request forgery (CSRF) - good introduction to the problem.
• [RFC6265bis] Chen, L., Englehardt, S., West, M., Wilander, J., "Cookies: HTTP State Management Mechanism", https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/ - particularly section on SameSite attribute.

Cross Site Leaks (XS-Leaks)

Using side channels to leak bits of data cross-site.

• xsleaks.dev - one stop shop for XS-Leaks.
• COOP and COEP sections in the HTML Living Standard.
• XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers.
• Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript.

Extensions

Security of the extension ecosystem.

• An Evaluation of the Google Chrome Extension Security Architecture (2012).
• Cursed Chrome - a Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies. By using the proxies this tool creates you can browse the web authenticated as your victim for all of their websites.

URL bar security

Users must know which website is displayed.

• Internationalized Domain Names (IDN) in Google Chrome.

Private Network Access

Abusing browsers to attack private networks.

• Private Network Access, Draft Community Group Report, 23 February 2022.
• How to win at CORS (2021) by Jake Archibald.

3. Attacks on browsers

Fuzzing and browser exploitation.

• OffensiveCon22 - Samuel Gross and Amanda Burnett - Attacking JavaScript Engines in 2022 (2022).
• Browser security YT playlist by Fuzzing Labs - Patrick Ventuzelo.
• In-the-Wild Series: Chrome Exploits (2021) by Sergei Glazunov.
• Awesome browser exploit (last update 2020) - collection of various materials on browser exploitation.

4. Misc

• Web Application Security Working Group's repo.

5. Contributors

• Diego Porras.