GitHub - m1ghtym0/browser-pwn: An updated collection of resources targeting brow...
source link: https://github.com/m1ghtym0/browser-pwn
Browser-Pwn
The world of Browsers is dominated by 4 major players:
- Chromium/Chrome (Blink-Engine)
- Firefox (Gecko-Engine)
- Safari (WebKit-Engine)
- Edge (Blink-Engine, formerly EdgeHTML-Engine)
The following is split into two parts:
- Information that helps to understand their architecture and implementation, and how to build them from source
- Information that helps with finding their calculator-popping features (exploitation)
Table of Contents
- Engines
- Exploitation
- Tools
- JavaScript Docs
Engines
Engine-Overview
Browse the Sources
Of course you can use your own favorite setup to browse the sources. However, those repos are relatively large and I tried a couple of different setups until I found something that worked for me. So if you don't have a good setup already, here are a couple of my experiences that might help you:
- CTags (+Vim): Works well for following references and calls. If you're used to navigating large source trees with this purist setup, it can be a good option for you. The downside is of course the lack of the features most of the big IDEs come with nowadays.
- CLion: I use JetBrains products for a lot of my coding activities, but CLion didn't work well for me, especially following references. Of course this might be due to setup issues.
- Eclipse: I haven't used it in a while, but this turned out to be a good option. Unfortunately, it takes a lot of resources for the indexer to run through the code.
  - Here is a setup description for the Chromium-Project, but it works similarly for the other projects as well.
- ccls+VSCode: This is the best option for me so far. ccls is very fast at indexing the repos and works great with VSCode. You can also combine it with other editors and IDEs, see https://github.com/MaskRay/ccls/wiki/Editor-Configuration
Chromium (Blink)
Articles:
The JavaScript-Engine of Blink is V8.
V8
Project | GitHub | Source | How2Build
Build (Ubuntu 18.04):
$ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
$ export PATH="$PATH:$(pwd)/depot_tools"   # absolute path, so it still works after cd
$ gclient
$ mkdir ./v8 && cd ./v8
$ fetch v8 && cd v8
$ git pull
$ gclient sync
$ ./build/install-build-deps.sh
$ tools/dev/gm.py x64.release
$ out/x64.release/d8
Useful flags:
- --print-opt-code: code generated by the optimizing compiler
- --print-bytecode: bytecode generated by the interpreter (Ignition)
- --trace-ic: the different object types (maps) a call site encounters
- --trace-opt and --trace-deopt: which functions are (de)optimized, and why
- --trace-turbo: TurboFan traces for the Turbolizer visualization
Articles:
JIT-Compiler: TurboFan
V8 provides a visualization for TurboFan called Turbolizer
Turbolizer usage:
- Run d8 with --trace-turbo: d8 --trace-turbo foo.js
- This generates json files, e.g. turbo-foo-0.json (one per optimized function)
- Go to v8/tools/turbolizer and install with npm as described in its README.md
- Serve the directory, e.g. python -m SimpleHTTPServer 8000 (Python 2; with Python 3 use python3 -m http.server 8000)
- Browse to localhost:8000 and open turbo-foo-0.json
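The flags and the Turbolizer workflow above only show something useful if the script actually drives the inline caches and TurboFan through their states. The following is an added example workload (not code from the browser-pwn repo or from V8) written for that purpose; the function and variable names are mine. Run it as `d8 --trace-ic --trace-opt --trace-deopt jit_trace.js` (add `--trace-turbo` for the Turbolizer json files); it also runs unchanged under plain node, where it just returns the same values without traces.

```javascript
// Added example workload for V8's trace flags (not part of the browser-pwn
// repo). Assumed usage: d8 --trace-ic --trace-opt --trace-deopt jit_trace.js

// loadX is the call site to watch with --trace-ic. Objects that get their
// properties added in the same order share a hidden class (map); every new
// layout seen at this site moves the IC from monomorphic to polymorphic
// and, once more than four maps have been seen, to megamorphic.
function loadX(o) {
  return o.x;
}

function icStates() {
  // Five constructed objects with five distinct maps. Property order
  // matters: {x, y} and {y, x} are different maps.
  const shapes = [
    { x: 1 },               // map A
    { x: 2, y: 0 },         // map B
    { y: 0, x: 3 },         // map C
    { x: 4, z: 0, w: 0 },   // map D
    { q: 0, x: 5 },         // map E: fifth map, IC goes megamorphic
  ];
  let sum = 0;
  for (let round = 0; round < 1000; round++) {
    for (const o of shapes) sum += loadX(o);
  }
  return sum; // 1000 * (1 + 2 + 3 + 4 + 5) = 15000
}

// addInts is what --trace-opt / --trace-deopt report on. Many calls with
// small integers give TurboFan "Smi" type feedback, so the optimized code
// speculates on Smi operands. The first call that violates the speculation
// bails out (deoptimizes) back to Ignition, which collects fresh feedback.
// This feedback-driven speculation is exactly what JIT type-confusion bugs
// abuse, which is why the (de)opt traces matter when auditing a JS engine.
function addInts(a, b) {
  return a + b;
}

function optThenDeopt() {
  let acc = 0;
  // Hot loop with integer-only feedback: expect "[marking ...]" and
  // "[compiling method ...]" lines from --trace-opt.
  for (let i = 0; i < 100000; i++) acc = addInts(acc, 1) | 0;
  // Break the speculation: a double, then a string. Expect "[bailout ...]"
  // lines from --trace-deopt naming addInts and the reason.
  const afterDouble = addInts(acc, 0.5);
  const afterString = addInts("len:", 3);
  return { acc, afterDouble, afterString };
}

// Top-level driver so the script does something when run directly.
icStates();
optThenDeopt();
```

To inspect a single function in Turbolizer, keep the script small as above: `--trace-turbo` writes one `turbo-<function>-<n>.json` per optimized function, and a large script buries the function you care about among library and loop-driver compilations.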
Firefox (Gecko)
The JavaScript-Engine of Gecko is Spidermonkey.
Spidermonkey
Source
Build (Ubuntu 18.04):
$ wget -O bootstrap.py https://hg.mozilla.org/mozilla-central/raw-file/default/python/mozboot/bin/bootstrap.py && python bootstrap.py
$ git clone https://github.com/mozilla/gecko-dev.git && cd gecko-dev
$ cd js/src
$ autoconf2.13
# This name should end with "_DBG.OBJ" to make the version control system ignore it.
$ mkdir build_DBG.OBJ
$ cd build_DBG.OBJ
$ ../configure --enable-debug --disable-optimize
# Use "mozmake" on Windows
$ make -j 6
$ js/src/js
JIT-Compiler: IonMonkey
Spidermonkey provides a visualization for IonMonkey called IonGraph
Source
Safari (Webkit)
The JavaScript-Engine of Webkit is JavaScriptCore (JSC).
JavaScriptCore
Source
- Runtime: Source/JavaScriptCore/runtime
Build (Ubuntu 18.04):
# sudo apt install libicu-dev python ruby bison flex cmake build-essential ninja-build git gperf
$ git clone git://git.webkit.org/WebKit.git && cd WebKit
$ Tools/gtk/install-dependencies
$ Tools/Scripts/build-webkit --jsc-only --debug
$ cd WebKitBuild/Debug   # --debug builds land in Debug/, --release in Release/
$ LD_LIBRARY_PATH=./lib bin/jsc
JIT-Compiler: LLInt + Baseline JIT + DFG JIT + FTL JIT
WebKit has a four-tier execution pipeline (an interpreter plus three JITs); each tier trades more compilation overhead for faster generated code, and code is promoted to the next tier only once it has run hot enough to pay for it.
Articles:
Source
- LLInt (Low Level Interpreter)
- Baseline JIT
- DFG JIT (Data Flow Graph JIT)
- FTL JIT (Faster Than Light Just In Time compiler)
Edge (Blink/EdgeHTML)
Since Edge switched to Blink and the Chromium Project as its Rendering-Engine, Edge is using V8. Originally, Edge had its own Rendering-Engine called EdgeHTML, which used the ChakraCore JavaScript-Engine.
ChakraCore
Docs
Source
Build (Ubuntu 18.04):
# To build ChakraCore on Linux: (requires Clang 3.7+ and Python 2)
$ sudo apt-get install -y git build-essential cmake clang libicu-dev libunwind8-dev
$ git clone https://github.com/Microsoft/ChakraCore && cd ChakraCore
# Point --cc/--cxx at the clang you actually installed (on Ubuntu 18.04 the "clang" package is clang-6.0)
$ ./build.sh --cc=/usr/bin/clang-3.9 --cxx=/usr/bin/clang++-3.9 --arch=amd64 --debug
$ out/Debug/ch
Exploitation
Exploitation-Overview
- Saelo: Attacking JavaScript-Engines
- Awesome-Browser-Exploitation
- Attacking WebKit applications (Slides)
- Saelo Attacking Client-Side JIT Compilers - BlackHat 2018
- j0nathanj: From Zero to ZeroDay (Finding a Chakra Zero Day)
Chromium Pwn
CTF-Challenges
RealWorld
Hardening & Mitigations
Firefox Pwn
CTF-Challenges
- 33c3: Feuerfuchs
- Blaze 2018: blazefox
- 35c3 FunFox
RealWorld
Safari Pwn
CTF-Challenges
RealWorld
- Phrack: Attacking JavaScript Engines: http://www.phrack.org/papers/attacking_javascript_engines.html
  - Source: https://github.com/saelo/jscpwn
- WriteUp: https://saelo.github.io/posts/jsc-typedarray.slice-infoleak.html
Hardening & Mitigations
- Heap-hardening
- CagedPtr Source & ArrayBuffer Example
Edge Pwn
CTF-Challenges
- Plaid 2017: chakrazy
RealWorld
Tools
Libraries:
Utils
JavaScript (ECMAScript) Docs