
31/01/2024 01:28 Manual/Book - Collection of materials on fuzzing and exploitation of vulnerabilities in JS engines | XSS.is (ex DaMaGeLaB)

Manual/Book: Collection of materials on fuzzing and exploitation of vulnerabilities in JS engines
weaver · 24.08.2020 · exploit-development fuzzing js-engines vulnerability

24.08.2020   #1

In "The Layman's Guide to Zero-Day Engineering", Markus and Amy from Ret2Systems stressed the importance of building your own library of bookmarks on the security and architecture literature for the target you want to write exploits for. We have always taken this point seriously and have for some time been maintaining our own bookmark list in Trello. Today we are publishing that list for everyone to see. Want to learn how to hack browsers, and JavaScript engines in particular? Travelling and have time to read? Watch these conference talks or read these articles to learn more about browser vulnerability research and exploitation.

Videos
Attacking Client Side JIT Compilers - Samuel Groß - Black Hat USA 2018 - This talk explains what JIT compilers are and what types of bugs can occur in them. Saelo uses his Pwn2Own bugs as a case study.
Attacking Client Side JIT Compilers BlackHat USA 2011 - Many of the components discussed are outdated, but nevertheless this is worth a watch.
Black Hat USA 2018 - WebAssembly A New World of Native Exploits on the Browser

https://xss.is/threads/41262/ 1/7
OffensiveCon19 - Samuel Groß - FuzzIL: Guided Fuzzing for JavaScript Engines - Samuel Groß - OffensiveCon19
Modern Source Fuzzing - Ned Williamson - OffensiveCon19
FuzzIL: Guided Fuzzing for JavaScript Engines - Samuel Groß - OffensiveCon19
35C3 - The Layman’s Guide to Zero-Day Engineering - The Ret2 team discuss the engineering process behind a zero-day that was used to exploit Apple Safari at PWN2OWN 2018.
Fuzzing Javascript Engines for Fun and Pwnage - Areum Lee & Jeonghoon Shin
Exploring the Safari Just In Time Exploitation - Jasiel Spelman - TenSec 2018 - Jasiel Spelman (ZDI) presents the latest research in JIT exploitation.
Attacking Chrome IPC
OffensiveCon19 - Niklas Baumstark - IPC You Outside the Sandbox: One bug to Rule the Chrome Broker
35C3 - From Zero to Zero Day
Browser Exploitation - Max Zinkus - Whitehat
2017 LLVM Developers’ Meeting: K. Serebryany “Structure-aware fuzzing for Clang and LLVM with …” - Not specifically about browser exploitation, this talk discusses the concept of structure-aware fuzzing, which can be useful when fuzzing JS engines.
The ECMA And The Chakra - Natalie Silvanovich
Attacking ECMAScript Engines With Redefinition
$Hell on Earth: From Browser to System Compromise
A tale of Chakra bugs through the years - By bkth
The Secret Of Chakracore: 10 Ways To Go Beyond The Edge - Linan Hao and Long Liu - HITB 2017
Browser Fuzzing with a Twist (and a Shake) - Jeremy Brown - Zeronights 2015
The Power of Pair: One Template that Reveals 100+ UAF IE Vulnerabilities
The State Of Web Browsers Vs DOM Fuzzing In 2017 - Ivan Fratric - FSec2017
Forget the Sandbox Escape: Abusing Browsers from Code Execution - Amy Burnett - Bluehat IL 2020
Adventures on Hunting for Safari Sandbox Escapes - Ki Chan Ahn - OffensiveCon 2020

Articles
A Methodical Approach to Browser Exploitation
Vulnerability Discovery Against Apple Safari
Timeless Debugging of Complex Software
Weaponization of a JavaScriptCore Vulnerability
Cracking the Walls of the Safari Sandbox
Exploiting the macOS WindowServer for root
Attacking JavaScript Engines
Pwn2Own 2018: Safari + macOS Writeup
WebKit Exploitation Tutorial
FuzzIL: Coverage Guided Fuzzing for JavaScript Engines (Thesis)
CVE-2018-4441: OOB R/W via JSArray::unshiftCountWithArrayStorage (WebKit)
Commented Instanceof exploit
Exploiting Chrome V8: Krautflare (35C3 CTF 2018)
Introduction to SpiderMonkey exploitation
CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime Writeup
Introduction to Turbofan
Circumventing Chrome’s Hardening of Typer Bugs
Journey Into IonMonkey Root Causing CVE-2019-9810
The Apple Bug That Fell Near the WebKit Tree
Inverting Your Assumptions: A Guide to JIT Comparisons
Deconstructing a Winning WebKit Pwn2Own Entry
V8 CVE-2019-5790 Writeup - This blogpost is an analysis of a vulnerability reported by Dimitry Fourny from Blue Frost Security which was already fixed in the repository but for which no PoC had been released yet.
Microsoft Edge Chakra JIT Type Confusion: CVE-2019-0539 Root Cause Analysis
Microsoft Edge Chakra JIT Type Confusion: CVE-2019-0539 Exploitation
CVE-2019-5786: Analysis & Exploitation of the Recently Patched Chrome Vulnerability - This post provides a detailed analysis and an exploit achieving remote code execution for a fixed Chrome vulnerability that was observed by Google to be exploited in the wild.
Patch Gapping Google Chrome - Patch-gapping is the practice of exploiting vulnerabilities in open-source software that are already fixed (or are in the process of being fixed) by the developers before the actual patch is shipped to users.
A Window of Opportunity: Exploiting a Chrome 1 Day Vulnerability
Microsoft Edge Renderer Exploitation
The Story of Two Winning Pwn2Own JIT Vulnerabilities in Firefox
Regular Exploitation of a Tesla Model 3 Through Chromium Regexp
Chrome Turbofan Remote Code Execution SSD - August 2017
Attacking Turbofan TyphoonCon (Slides)
Fuzzing WebKit
JavaScriptCore CSI: A Crash Site Investigation Story - Mark Lam - June 2016 - This article describes some of the tools that WebKit engineers use by telling the story of how they diagnosed a real bug in the JSC virtual machine.
JSC: Bypassing StructureID Randomisation
Hack The Real: An exploitation chain to break the Safari browser
The Most Secure Browser? Pwning Chrome from 2016 to 2019
Exploiting v8: *CTF 2019 oob-v8

Exploiting the Math.expm1 typing bug in V8
Exploiting TurboFan Through Bounds Check Elimination
Analysis of a use-after-unmap vulnerability in Edge: CVE-2019-0609
JSC Exploits - Google Project Zero
Google CTF justintime exploit - By EternalSakura13
34c3 v9 writeup - By EternalSakura19 - Write-up of the “v9” CTF challenge. An exploit writeup of a v8-style bug.
Case Study V8cve-2016-5198 - (By EternalSakura19 - Translation required)
Redundancy Elimination Reducer in V8 and 34C3 CTF V9 - By Mem2019
Real World CTF 2019 Accessible Write-up - By Mem2019
Roll a D8 - By Mem2019
advent-browserpwn 2018
Pwn2Own 2017: UAF in JSC::CachedCall (WebKit) - By Niklasb and Saelo
Exploiting an integer overflow with array spreading (WebKit) - By Niklasb and Saelo
Pwn2Own: Safari sandbox part 1 – Mount yourself a root shell - By Niklasb
Share with care: Exploiting a Firefox UAF with shared array buffers - By bkth, eboda
Pwn2Own: Safari sandbox part 2 – Wrap your way around to root - By niklasb, saelo
Exploiting a Safari information leak - By bkth
Non JIT Bug, JIT Exploit - By bkth, S0rryMyBad
Attribution is hard — at least for Dock: A Safari sandbox escape & LPE - By niklasb
Ten months old tweetable bug leads to RCE - By bkth
Exploiting a V8 OOB write - HalbeCaf
Don’t Follow The Masses: Bug Hunting in JavaScript Engines - BlueFrostSecurity
Mobile PWN2OWN Autumn 2013 - Chrome on Android - Exploit Writeup
Chrome V8 CVE-2019-5782 Tianfu Cup - By S0rrymybad
Chrome Oilpan - Meta Data, Freelists and more - Chris Rohlf
OR’LYEH? The Shadow over Firefox - By argp
Playing around with Spidermonkey
Learning browser exploitation via 33C3 CTF feuerfuchs challenge
Chakrazy – exploiting type confusion bug in ChakraCore engine
blazefox (Firefox) - Blaze CTF 2018
Exploiting a Cross-mmap Overflow in Firefox - By saelo
WebKid (WebKit) 35C3CTF Writeup - By LinusHenze
Trend Micro CTF 2019 libChakraCore.so
1-Day Browser & Kernel Exploitation - (Slides) Slides
Fuzzing JavaScript Engines - (Slides) - Slides

Pwning Microsoft Edge Browser: From Memory Safety Vulnerability to Remote Code Execution (Slides) - Jin Liu, Chong Xu
Safari Adventure: A Dive into Apple Browser Internals (Slides) - Zhiyang Zeng
Chrome Exploitation (Slides) - Gengming Liu, Jianyu Chen
365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools
Pwn4Fun Safari
The Problems and Promise of WebAssembly
The Great DOM Fuzz off of 2017
Trashing the Flow of Data
Virtually Unlimited Memory: Escaping the Chrome Sandbox
Attacking ECMAScript Engines with Redefinition
Exploiting Logic Bugs in JavaScript JIT Engines
OSX Heap Exploitation Techniques (Safari/Webkit Writeup)
Apple Safari – PWN2OWN Desktop Exploit
Polishing Chrome for Fun and Profit
Escaping the Chrome Sandbox via an IndexedDB Race Condition
WebKit Exploitation Tutorial
Exploiting WebKit on Vita 3.60
JavaScript engine exploit 191731
JavaScript engine exploit Webkit CVE 2016 4622
JavaScript engine exploitation - Anquanke
Diving Deep into a Pwn2Own Winning Bug
Chrome Vulnerability Debugging Notes CVE-2019-5768
Chakra vulnerability debugging notes 2 - OpCode Side Effect
Chakra vulnerability debugging notes 3 - MissingValue
Chakra vulnerability debugging notes 4 - Array OOB
Chakra vulnerability debugging notes 5 - CVE-2019-0861 reappears
Chakra OP_NewScObjArray Type Confusion Remote Code Execution Vulnerability Analysis and Exploitation
Edge Inline Segment Use After Free vulnerability analysis
Chakra JIT Loop LandingPad ImplicitCall Bypass
Attacking the Webkit Heap
35c3ctf 2018 krautflare
Browser Security Beyond Sandboxing
Intro to Chromes V8 from an Exploit Development Angle
A Eulogy for Patch Gapping
Browser Exploitation: CVE-2019-11707 Writeup
Pointer Compression in V8
Firefox Spidermonkey JS Engine Exploitation
Chainspotting - Building Exploit Chains with Logic Bugs
JSC TypedArray.slice infoleak
Exploiting NVMAP to escape Chrome Sandbox
CVE-2020-0041 Chrome Sandbox Escape
The hunt for Chromium issue 1072171

FF Sandbox Escape (CVE-2020-12388)
Cleanly Escaping The Chrome Sandbox
Exploiting an Accidentally Discovered V8 RCE

Miscellaneous
JSVulnDB
PwnJS
Int64.js
OmahaProxy
ZDI Published
Awesome Browser Exploit
Browserpwn

Source: https://zon8.re/posts/javascript-engine-fuzzing-and-exploitation-reading-list/

sploitem · 06.09.2020 · #2

Nice work, but you could have sorted them by engine...
