Browser-pwn
Include CVE vulnerability analyze, ctf pwn and documents for Browser-pwn
awesome-browser-exploit
https://github.com/Escapingbug/awesome-browser-exploit
谷歌安全团队每季度更新的动态
https://www.chromium.org/Home/chromium-security/quarterly-updates
漏洞分析
AST Injection, Prototype Pollution to RCE
https://blog.p6.is/AST-Injection/
P0 浏览器漏洞分析:
https://googleprojectzero.blogspot.com/p/rca-cve-2019-13720.html
chrome的堆利用:
https://blog.infosectcbr.com.au/2020/03/heap-exploitation-in-chromes.html
Jscript之殇:谈谈两年来的4个Jscript 0day
https://mp.weixin.qq.com/s/r2eBmMRAg_c1ytxPMFUAgQ
18年天府杯RCE:
https://bugs.chromium.org/p/chromium/issues/detail?id=906043
CVE-2019-5782: Inappropriate implementation in V8 漏洞利用
https://www.sunxiaokong.xyz/2020-02-25/lzx-cve-2019-5782/
https://gtoad.github.io/2019/09/01/V8-CVE-2019-5782/
firefox pwn 入门 - CVE-2019-11707 复现笔记
https://www.anquanke.com/post/id/206558
Chrome 浏览器 textbook UAF 漏洞的利用方法分析
https://securitylab.github.com/research/CVE-2020-6449-exploit-chrome-uaf
INVERTING YOUR ASSUMPTIONS: A GUIDE TO JIT COMPARISONS
https://www.thezdi.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons
Actions Speak Browser Than Words (Exploiting n-days for fun and profit) - Max Van Amerongen
https://www.youtube.com/watch?v=L7aiFKDg0Jk
CVE-2020-16009: v8 新 0day
https://chromium.googlesource.com/v8/v8.git/+/3ba21a17ce2f26b015cc29adc473812247472776%5E%21/#F3
https://cxsecurity.com/issue/WLB-2020110122
v8 issue2106 map deprecation相关漏洞
https://bugs.chromium.org/p/project-zero/issues/detail?id=2106
谷歌收集的2020年在野0day信息文档
v8 CVE-2020-16013漏洞commit:
https://github.com/v8/v8/commit/633f67caa6d0a126487a489c240ed86a59b2b291
Issue 1104608: Security: LdaNamedProperty is generated for typed_array["4294967295"], which causes wrong inline cache and OOB access
https://bugs.chromium.org/p/chromium/issues/detail?id=1104608
A tour of fuzzing in Chromium:
https://www.youtube.com/watch?v=NI2w6eT8p-E
CTF chrome pwn
0CTF 2020 Chromium SBX
PlaidCTF 2020 mojo :
https://www.anquanke.com/post/id/209800
https://pwnfirstsear.ch/2020/04/20/plaidctf2020-mojo.html
https://trungnguyen1909.github.io/blog/post/PlaidCTF2020/pwn.js
ductf2020 pwn-or-web v8 challenge writeup
https://seb-sec.github.io/2020/09/28/ductf2020-pwn-or-web.html
v8相关资料
https://github.com/ray-cp/browser_pwn 相关环境下载
http://phrack.org/papers/attacking_javascript_engines.html
https://www.youtube.com/watch?v=5tEdSoZ3mmE&list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t
https://www.youtube.com/watch?v=lZnaaUoHPhs
https://wasdk.github.io/WasmFiddle/ 在线将c语言转成wasm码
https://denolib.github.io/v8-docs/ *v8 api文档,网站:
https://es6.ruanyifeng.com/#docs/iterator JavaScript说明文档
https://bugs.chromium.org/p/chromium/issues/list 查找chrome v8漏洞
https://chromium.googlesource.com/chromium/src/out/ 官方版本下载,利用git checkout 切换
攻击JavaScript引擎:
http://phrack.org/papers/attacking_javascript_engines.html
https://googleprojectzero.blogspot.com/2019/05/trashing-flow-of-data.html?m=1
https://www.synacktiv.com/en/publications/binder-analysis-and-exploitation-of-cve-2020-0041.html
https://github.com/inexorabletash/polyfill polyfill
http://www.jayconrod.com/posts/55/a-tour-of-v8-garbage-collection v8的垃圾回收机制
turbofan 介绍:
https://doar-e.github.io/blog/2019/01/28/introduction-to-turbofan/
Elements kinds in V8:
https://v8.dev/blog/elements-kinds
Elements kinds in V8
https://v8.dev/blog/elements-kinds
v8 中文分析文章(知乎专栏)
https://zhuanlan.zhihu.com/v8core
V8 脚本引擎 Slack Tracking 机制的介绍
https://v8.dev/blog/slack-tracking
Chromium 浏览器的本地数据加密机制分析
https://textslashplain.com/2020/09/28/local-data-encryption-in-chromium/
Chrome V8让你更懂JavaScript
https://mp.weixin.qq.com/s/E-c9gsk-kxIwnwY4R5z_3Q
v8中WebAssembly编译过程分析
https://v8.dev/docs/wasm-compilation-pipeline
对chrome中Site Isolation实现的分析
https://microsoftedge.github.io/edgevr/posts/deep-dive-into-site-isolation-part-1/
v8 cve-2020-16013 commit
https://github.com/v8/v8/commit/27900f17b845b8881d8328ef70b1bccba8984bbc
Modern attacks on the Chrome browser : optimizations and deoptimizations
v8的gef插件,可以更好的支持指针压缩
https://gist.github.com/lordidiot/1580ddc3474d8f017f2f7972a69727d2
An Introduction to Speculative Optimization in V8
https://ponyfoo.com/articles/an-introduction-to-speculative-optimization-in-v8
沙箱逃逸
沙箱逃逸资料搜集:
https://github.com/De4dCr0w/chrome-sbx-db
如何绕过JSC最新缓解措施并逃逸Safari沙箱
https://zhuanlan.zhihu.com/p/96069221
https://bugs.chromium.org/p/project-zero/issues/detail?id=1649
https://www.cc.gatech.edu/~hzhao336/
chrome 沙箱逃逸
利用ridl 进行沙箱逃逸:
https://googleprojectzero.blogspot.com/2020/02/escaping-chrome-sandbox-with-ridl.html
https://www.youtube.com/watch?v=ugZzQvXUTIk
Escape Analysis in V8 with Tobias Tebbi
https://www.youtube.com/watch?v=KiWEWLwQ3oI
博客搜集
https://github.com/lcatro/my-blog/tree/master/2017/diff_note
https://zhuanlan.zhihu.com/potat0Cat
http://couplee.wang/wnagzihxa1n.html
https://eternalsakura13.com/categories/%E6%B5%8F%E8%A7%88%E5%99%A8/
工具
Chromium IPC Sniffer - 有研究员开发了一个监控 Chromium 浏览器命名管道通信消息的工具
https://github.com/tomer8007/chromium-ipc-sniffer
在线浮点数转换:
http://www.binaryconvert.com/convert_double.html#
Fuzzing
https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/README.md
Reproducing libFuzzer and AFL crashes:
https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md
JSC 相关资料
基础知识及环境搭建:https://www.anquanke.com/post/id/183804
https://mp.weixin.qq.com/s/pGvnLJouphJqxQ2zPDAcUw
http://turingh.github.io/2016/12/03/CVE-2016-4622%E8%B0%83%E8%AF%95%E7%AC%94%E8%AE%B0/
https://eternalsakura13.com/2018/04/19/js_crash_debug/
http://phrack.org/papers/attacking_javascript_engines.html
Thinking outside the JIT Compiler: Understanding and bypassing StructureID Randomization with generic and old-school methods:
All About JavaScriptCore’s Many Compilers
http://www.filpizlo.com/slides/pizlo-splash2018-jsc-compiler-slides.pdf
WEBKIT JAVASCRIPTCORE的特殊调试技巧:
JavaScript engine fundamentals: Shapes and Inline Caches
https://mathiasbynens.be/notes/shapes-ics
WebKit Exploitation
Attacking Client-Side JIT Compilers (v2) Samuel Groß (@5aelo)
https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf
Just-in-time Compiler in JavaScriptCore - browser 0x03
https://liveoverflow.com/just-in-time-compiler-in-javascriptcore-browser-0x03/
webkit中引入了更强的JIT-Caging机制:
https://github.com/WebKit/webkit/commit/2ffeeff4dfb86a74ae695dea8671fccc423559ad https://trac.webkit.org/search?q=JIT-caging
JavaScriptCore Internals Part I: Tracing JavaScript Source to Bytecode
https://zon8.re/posts/jsc-internals-part1-tracing-js-source-to-bytecode/
WebKit浏览器中的存在多个安全漏洞:
Speculation in JavaScriptCore
https://webkit.org/blog/10308/speculation-in-javascriptcore/
A few JSC tales
https://iokit.racing/jsctales.pdf
火狐浏览器漏洞研究
Firefox Vulnerability Research:https://blog.exodusintel.com/2020/10/20/firefox-vulnerability-research/
利用 Firefox 浏览器 WebAssembly 的漏洞实现 content process 的代码执行
http://blog.exodusintel.com/2020/11/10/firefox-vulnerability-research-part-2/
maxpl0it关于IE以及Firefox n day的利用过程分析:
https://www.youtube.com/watch?v=L7aiFKDg0Jk
firfox漏洞研究文章系列第二篇
https://blog.exodusintel.com/2020/11/10/firefox-vulnerability-research-part-2/
Edge 漏洞研究
https://microsoftedge.github.io/edgevr/posts/Introducing-Edge-Vulnerability-Research/
Edge 浏览器 Site Isolation 保护机制分析
https://microsoftedge.github.io/edgevr/posts/deep-dive-into-site-isolation-part-1/
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent