/browser-pwn

An updated collection of resources targeting browser-exploitation.

Browser-Pwn

The world of Browsers is dominated by 4 major players:

  • Chromium/Chrome (Blink-Engine)
  • Firefox (Gecko-Engine)
  • Safari (WebKit-Engine)
  • Edge (Blink-Engine (former EdgeHTML-Engine)

The following is split into two parts:

  • Information that helps to understand their architecture and implementation and how to build them from sources
  • Information that helps finding their calculator popping feature

Table of Contents

  1. Engines
  2. Exploitation
  3. Tools
  4. JavaScript Docs

Engines

Engine-Overview

Browse the Sources

Of course you can use you're own favorite setup to browse the sources. However, those repos are relatively large and I tried a couple different setups until I found something that worked for me. So if you don't have good setup already, here are a couple of my experiences that might help you:

  • CTags (+Vim): Works well with following references and calls. If you're used to navigate through large source-trees with this puristic setup, it can be a good option for you. The downside being of course the lack of the features most of the big IDEs come with nowadays.
  • CLion: I use JetBrain products for a lot of my coding activities, but CLion didn't work well for me, especially following references. Of course this might be due to setup issues.
  • Eclipse: I haven't used it in a while, but this turned out to be a good option. Unfortunately, it takes a lot of resources for the indexer to run through the code.
    • Here is a setup description for the Chromium-Project, but it works similarly for the other projects as well.
  • ccls+VSCode This is the best option for me so far. ccls is very fast with indexing the repos and works great with VSCode. You can also combine it with other editors and IDEs see https://github.com/MaskRay/ccls/wiki/Editor-Configuration

Chromium (Blink)

Project | GitHub

Articles:

The JavaScript-Engine of Blink is V8.

V8

Project | GitHub | Source | How2Build

Build (Ubuntu 18.04):

$ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
$ export PATH=$PATH:./depot_tools
$ gclient
$ mkdir ./v8 && cd ./v8
$ fetch v8 && cd v8
$ git pull
$ gclient sync
$ ./build/install-build-deps.sh
$ tools/dev/gm.py x64.release
$ out/x64.release/d8

Useful flags:

  • --print-opt-code: code generated by optimizing compiler
  • --print-byte-code: bytecode generated by interpreter
  • --trace-ic: different object types a call site encouters
  • --trace-opt and --trace-deopt: which functions are (de)optimized
  • --trace-turbo: TurboFan traces for the Turbolizer visualization

Articles:

JIT-Compiler: TurboFan

Docs | Blog

V8 provides a visualization for TurboFan called Turbolizer

Articles:

Turbolizer usage:
  1. Run v8 with --trace-turbo: d8 --trace-turbo foo.js
  2. Generates json files e.g. turbo-foo-0.json
  3. Goto v8/tools/turbolizer and install with npm as described in README.md
  4. Serve directory e.g. python -m SimpleHTTPServer 8000
  5. Browse to localhost:8000 and open turbo-foo-0.json

Firefox (Gecko)

Project | GitHub

The JavaScript-Engine of Gecko is Spidermonkey.

Spidermonkey

Project | Source | How2Build

Source

Build (Ubuntu 18.04):

$ wget -O bootstrap.py https://hg.mozilla.org/mozilla-central/raw-file/default/python/mozboot/bin/bootstrap.py && python bootstrap.py
$ git clone https://github.com/mozilla/gecko-dev.git && cd gecko-dev
$ cd js/src
$ autoconf2.13

# This name should end with "_DBG.OBJ" to make the version control system ignore it.
$ mkdir build_DBG.OBJ
$ cd build_DBG.OBJ
$ ../configure --enable-debug --disable-optimize
# Use "mozmake" on Windows
$ make -j 6
$ js/src/js

JIT-Compiler: IonMonkey

Project

Spidermonkey provides a visualization for IonMonkey called IonGraph

Source

Safari (Webkit)

Project | GitHub

The JavaScript-Engine of Webkit is JavaScriptCore (JSC).

JavaScriptCore

Project | Wiki | Source

Articles:

Source

Build (Ubuntu 18.04):

# sudo apt install libicu-dev python ruby bison flex cmake build-essential ninja-build git gperf
$ git clone git://git.webkit.org/WebKit.git && cd WebKit
$ Tools/gtk/install-dependencies
$ Tools/Scripts/build-webkit --jsc-only --debug
$ cd WebKitBuild/Release
$ LD_LIBRARY_PATH=./lib bin/jsc

JIT-Compiler: LLInt+ Baseline JIT + DFG JIT + FTL JIT

WebKit has a 4-Layer JIT-Compiler system, representing the tradeoff between overhead performance cost and performance benefit.

Articles:

Source

Edge (Blink/EdgeHTML)

Project | GitHub

Since Edge switched to Blink and the Chromium Project as its Rendering-Engine, Edge is using v8. Originally, Edge had is own Rendering-Engine called EdgeHTML, which used the ChakraCore JavaScript-Engine.

ChakraCore

GitHub | How2Build

Docs

Source

Build (Ubuntu 18.04):

# To build ChakraCore on Linux: (requires Clang 3.7+ and Python 2)
$ apt-get install -y git build-essential cmake clang libicu-dev libunwind8-dev
$ git clone https://github.com/Microsoft/ChakraCore && cd ChakraCore
$ ./build.sh --cc=/usr/bin/clang-3.9 --cxx=/usr/bin/clang++-3.9 --arch=amd64 --debug
$ out/Debug/ch

Exploitation

Exploitation-Overview

Chromium Pwn

Articles

CTF-Challenges

RealWorld

Hardening & Mitigations

Firefox Pwn

Articles

CTF-Challenges

RealWorld

Safari Pwn

CTF-Challenges

RealWorld

Hardening & Mitigations

Edge

Articles

CTF-Challenges

RealWorld

Tools

Libraries:

Utils

Debugging

  • shadow jemalloc heap exploitation framework (heap allocator used by Firefox)

JavaScript (ECMAScript) Docs