JavaScript Engine Fuzzing and Exploitation Reading List [Updated 2022]

In The Layman’s Guide To Zero-Day Engineering Markus and Amy of Ret2Systems emphasized the importance of building your own library of bookmarks on security and architecture literature on the target you want to exploit. We have always taken this point to heart and have been maintaining our own list of bookmarks for a while now on Trello. Today we are making this list public for everyone’s reference.

Continously Updated! Last Update: 11 November 2022

Want to learn how to break browsers, and in particular JavaScript engines? Traveling and got some reading time? Watch these conference talks or read these articles to get up to speed with browser vulnerability research and exploitation.

Videos

• Attacking Client Side JIT Compilers - Samuel Groß - Black Hat USA 2018 - This talk explains what are JIT compilers, and what types of bugs can occur in them. Saelo uses his Pwn2Own bugs as a case study.

• Attacking Client Side JIT Compilers BlackHat USA 2011 - Many of the components discussed have are outdated but never the less this is worth a watch.

• Black Hat USA 2018 - WebAssembly A New World of Native Exploits on the Browser

• OffensiveCon19 - Samuel Groß - FuzzIL: Guided Fuzzing for JavaScript Engines - Samuel Groß - OffensiveCon19

• Modern Source Fuzzing - Ned Williamson - OffensiveCon19

• FuzzIL: Guided Fuzzing for JavaScript Engines - Samuel Groß - OffensiveCon19

• 35C3 - The Layman’s Guide to Zero-Day Engineering - The Ret2 team discuss the engineering process behind a zero-day that was used to exploit Apple Safari at PWN2OWN 2018.

• Fuzzing Javascript Engines for Fun and Pwnage - Areum Lee & Jeonghoon Shin

• Exploring the Safari Just In Time Exploitation - Jasiel Spelman - TenSec 2018 - Jasiel Spelman (ZDI) presents the latest research in JIT exploitation.

• Attacking Chrome IPC

• OffensiveCon19 - Niklas Baumstark - IPC You Outside the Sandbox: One bug to Rule the Chrome Broker

• 35C3 - From Zero to Zero Day

• Browser Exploitation - Max Zinkus - Whitehat

• 2017 LLVM Developers’ Meeting: K. Serebryany “Structure-aware fuzzing for Clang and LLVM with …” - Not specifically about browser exploitation, this talk discusses the concept of structure aware fuzzing, which can be useful when fuzzing JS engines.

• The ECMA And The Chakra - Natalie Silvanovich

• Attacking ECMAScript Engines With Redefinition

• $Hell on Earth: From Browser to System Compromise

• A tale of Chakra bugs through the years - By bkth

• The Secret Of Chakracore: 10 Ways To Go Beyond The Edge - Linan Hao and Long Liu - HITB 2017

• Browser Fuzzing with a Twist (and a Shake) - Jeremy Brown — Zeronights 2015

• The Power of Pair: One Template that Reveals 100+ UAF IE Vulnerabilities

• The State Of Web Browsers Vs DOM Fuzzing In 2017 - Ivan Fratric - FSec2017

• Forget the Sandbox Escape: Abusing Browsers from Code Execution - Amy Burnett Bluehat IL 2020

• Adventures on Hunting for Safari Sandbox Escapes - Ki Chan Ahn - OffensiveCon 2020

• Actions Speak Browser Than Words (Exploiting n-days for fun and profit) - Max Van Amerongen (maxspl0it) - Red Team Village Grayhat Con

• Fuzzing 101 - Chromium University

• HackTheBox - Rope2 V8 Browser Exploit

• Assaf Sion: JavaScript Bugs in JavaScript Core with CodeQL

• What is a Browser Security Sandbox?! (Learn to Hack Firefox)

• Attacking JavaScript Engines in 2022 - Samuel Gross and Amanda Burnett - OffensiveCon22

• NoJITsu: Locking Down JavaScript Engines - Taemin Park - BlackHat 2020

• Attacking Edge Through the JavaScript Just-In-Time compiler - Bruno Keith - OffensiveCon19

• Introduction to V8 JavaScript Engine Grammar-based Fuzzing

Articles

• A Methodical Approach to Browser Exploitation

• Vulnerability Discovery Against Apple Safari

• Timeless Debugging of Complex Software

• Weaponization of a JavaScriptCore Vulnerability

• Cracking the Walls of the Safari Sandbox

• Exploiting the macOS WindowServer for root

• Attacking JavaScript Engines

• Pwn2Own 2018: Safari + macOS Writeup

• WebKit Exploitation Tutorial

• FuzzIL: Coverage Guided Fuzzing for JavaScript Engines (Thesis)

• CVE-2018-4441: OOB R/W via JSArray::unshiftCountWithArrayStorage (WebKit)

• Commented Instanceof exploit

• Exploiting Chrome V8: Krautflare (35C3 CTF 2018)

• Introduction to SpiderMonkey exploitation

• CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime Writeup

• Introduction to Turbofan

• Circumventing Chrome’s Hardening of Typer Bugs

• Journey Into IonMonkey Root Causing CVE-2019-9810

• The Apple Bug That Fell Near the WebKit Tree

• Inverting Your Assumptions: A Guide to JIT Comparisons

• Deconstructing a Winning WebKit Pwn2Own Entry

• V8 CVE-2019-5790 Writeup - This blogpost is an analysis of vulnerability reported by Dimitry Fourny from Blue Frost Security which was already fixed in repository but no poc has been released yet.

• Microsoft Edge Chakra JIT Type Confusion: CVE-2019-0539 Root Cause Analysis.

• Microsoft Edge Chakra JIT Type Confusion: CVE-2019-0539 Exploitation

• CVE-2019-5786: Analysis & Exploitation of the Recently Patched Chrome Vulnerability - This post provides detailed analysis and an exploit achieving remote code execution for a fixed Chrome vulnerability that was observed by Google to be exploited in the wild.

• Patch Gapping Google Chrome - Patch-gapping is the practice of exploiting vulnerabilities in open-source software that are already fixed (or are in the process of being fixed) by the developers before the actual patch is shipped to users.

• A Window of Opportunity: Exploiting a Chrome 1 Day Vulnerability

• Microsoft Edge Renderer Exploitation

• The Story of Two Winning Pwn2Own JIT Vulnerabilities in Firefox

• Regular Exploitation of a Tesla Model 3 Through Chromium Regexp

• Chrome Turbofan Remote Code Execution SSD - August 2017

• Attacking Turbofan TyphoonCon (Slides)

• Fuzzing WebKit

• JavaScriptCore CSI: A Crash Site Investigation Story - Mark Lam - June 2016 - This article describes some of these tools that WebKit engineers use by telling the story of how they diagnosed a real bug in the JSC virtual machine.

• JSC: Bypassing StructureID Randomisation

• Hack The Real: An exploitation chain to break the Safari browser

• The Most Secure Browser? Pwning Chrome from 2016 to 2019

• Exploiting v8: CTF 2019 oob-v8

• Exploiting the Math.expm1 typing bug in V8

• Exploiting TurboFan Through Bounds Check Elimination

• Analysis of a use-after-unmap vulnerability in Edge: CVE-2019-0609

• JSC Exploits - Google Project Zero

• Google CTF justintime exploit - By EternalSakura13

• 34c3 v9 writeup - By EternalSakura19 - Write up of “v9” CTF challenge. A exploit writeup of a v8 style bug.

• Case Study V8cve-2016-5198 - (By EternalSakura19 - Translate required)

• Redundancy Elimination Reducer in V8 and 34C3 CTF V9 - By Mem2019

• Real World CTF 2019 Accessible Write-up - By Mem2019

• Roll a D8 - By Mem2019

• advent-browserpwn 2018

• Pwn2Own 2017: UAF in JSC::CachedCall (WebKit) - By Niklasb and Saelo

• Exploiting an integer overflow with array spreading (WebKit) - By Niklasb and Saelo

• Pwn2Own: Safari sandbox part 1 – Mount yourself a root shell - By Niklasb

• Share with care: Exploiting a Firefox UAF with shared array buffers - By bkth, eboda

• Pwn2Own: Safari sandbox part 2 – Wrap your way around to root - By niklasb, saelo

• Exploiting a Safari information leak - By bkth

• Non JIT Bug, JIT Exploit - By bkth, S0rryMyBad

• Attribution is hard — at least for Dock: A Safari sandbox escape & LPE - By niklasb

• Ten months old tweetable bug leads to RCE - By bkth

• Exploiting a V8 OOB write - HalbeCaf

• Don’t Follow The Masses: Bug Hunting in JavaScript Engines - BlueFrostSecurity

• Mobile PWN2OWN Autumn 2013 - Chrome on Android - Exploit Writeup

• Chrome V8 CVE-2019-5782 Tianfu Cup - By S0rrymybad

• Chrome Oilpan - Meta Data, Freelists and more - Chris Rohlf

• OR’LYEH? The Shadow over Firefox - By argp

• Playing around with Spidermonkey

• Learning browser exploitation via 33C3 CTF feuerfuchs challenge

• Chakrazy – exploiting type confusion bug in ChakraCore engine

• blazefox (Firefox) - Blaze CTF 2018

• Exploiting a Cross-mmap Overflow in Firefox - By saelo

• WebKid (WebKit) 35C3CTF Writeup - By LinusHenze

• Trend Micro CTF 2019 libChakraCore.so

• 1-Day Browser & Kernel Exploitation - (Slides) Slides

• Fuzzing JavaScript Engines - (Slides) - Slides

• Pwning Microsoft Edge Browser: From Memory Safety Vulnerability to Remote Code Execution (Slides) - Jin Liu, Chong Xu

• Safari Adventure: A Dive into Apple Browser Internals (Slides) - Zhiyang Zeng

• Chrome Exploitation (Slides) - Gengming Liu, Jianyu Chen

• 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools

• Pwn4Fun Safari

• The Problems and Promise of WebAssembly

• The Great DOM Fuzz off of 2017

• Trashing the Flow of Data

• Virtually Unlimited Memory: Escaping the Chrome Sandbox

• Attacking ECMAScript Engines with Redefinition

• Exploiting Logic Bugs in JavaScript JIT Engines

• OSX Heap Exploitation Techniques (Safari/Webkit Writeup)

• Apple Safari –PWN2OWN Desktop Exploit

• Polishing Chrome for Fun and Profit

• Escaping the Chrome Sandbox via an IndexedDB Race Condition

• WebKit Exploitation Tutorial

• Exploiting WebKit on Vita 3.60

• JavaScript engine exploit 191731

• JavaScript engine exploit Webkit CVE 2016 4622

• JavaScript engine exploitation - Anquanke

• Diving Deep into a Pwn2Own Winning Bug

• Chrome Vulnerability Debugging Notes CVE-2019-5768

• Chakra vulnerability debugging notes 2-OpCode Side Effect

• Chakra vulnerability debugging notes 3-MissingValue

• Chakra vulnerability debugging notes 4-Array OOB

• Chakra vulnerability debugging note 5-CVE-2019-0861 reappears

• Chakra OP_NewScObjArray Type Confusion Remote Code Execution Vulnerability Analysis and Exploitation

• Edge Inline Segment Use After Free vulnerability analysis

• Chakra JIT Loop LandingPad ImplicitCall Bypass

• Attacking the Webkit Heap

• 35c3ctf 2018 krautflare

• Browser Security Beyond Sandboxing

• Intro to Chromes V8 from an Exploit Development Angle

• A Eulogy for Patch Gapping

• Browser Exploitation: CVE-2019-11707 Writeup

• Pointer Compression in V8

• Firefox Spidermonkey JS Engine Exploitation

• Chainspotting - Building Exploit Chains with Logic Bugs

• JSC TypedArray.slice infoleak

• Exploiting NVMAP to escape Chrome Sandbox

• CVE-2020-0041 Chrome Sandbox Escape

• The hunt for Chromium issue 1072171

• FF Sandbox Escape (CVE-2020-12388)

• Cleanly Escaping The Chrome Sandbox

• Exploiting an Accidentally Discovered V8 RCE

• Jitsploitation I: A JIT Bug

• Jitsploitation II: Getting Read/Write

• Jitsploitation III: Subverting Control Flow

• Exploiting CVE-2019-17026 A Firefox JIT Bug

• Fuzzing JavaScript Engines With Fuzzilli

• CVE-2020-1380: Analysis of a Recently Fixed IE Zero-Day

• DOS2RCE: A New Technique to Exploit V8 NULL Pointer Dereference Bug

• Firefox Vulnerability Research

• Firefox Vulnerability Research 2

• Bug Hunting Diary (Chrome/V8)

• Modern attacks on the Chrome Browser: Optimizations and Deoptimizations

• Pwn2Own 2021 JSC Exploit

• The Mysterious Realm Of JavaScriptCore

• Patch Gapping a Safari Type Confusion

• Examining JavaScript Inter-Process Communication in Firefox

• ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3

• Chrome Exploitation Zer0con 2021

• One day short of a full chain: Part 3 - Chrome renderer RCE

• One day short of a full chain: Part 2 - Chrome sandbox escape

• Turboflan PicoCTF 2021 Writeup

• Rope2 HackTheBox Writeup

• SpamAndFlags 2020 Writeups

• FireShell ctf 2020 The Return of the Side Effect writeup

• Browser-pwn cve-2020-6418

• CVE-2019-11707: IonMonkey Type Confusion in Array.Pop

• CVE-2019-1367: Internet Explorer JScript use-after-free

• CVE-2019-13720: Chrome use-after-free in webaudio

• CVE-2019-17026: Firefox Type Confusion in IonMonkey

• CVE-2020-0674: Internet Explorer use-after-free in JScript

• CVE-2020-16009: Chrome Turbofan Type Confusion after Map Deprecation

• CVE-2020-6418: Chrome incorrect side-effect modelling issue in Turbofan leading to type confusions

• CVE-2021-30551: Chrome Type Confusion in V8

• Chrome Browser Exploitation 1 - Jhalon

• V8 Heap pwn and /dev/memes - WebOS Root LPE

• Two Birds with One Stone: Introduction to V8 and JIT Exploitation

• Exploitation of CVE-2021-21220 - From Incorrect JIT Behaviour to RCE

• Understanding the root cause of CVE-2021-21220 a Chrome Bug From Pwn2Own 2021

• Attacking the Mozilla Firefox Renderer Part 1

• Attacking the Mozilla Firefox Renderer Part 2

• A Bug’s Life: CVE-2021-21225

• Exploiting CVE-2021-21225 and disabling W^X

Misc

• JSVulnDB
• PwnJS
• Int64.js
• OmahaProxy
• ZDI Published
• Awesome Browser Exploit
• Browserpwn
• JSC Architecture Reading List
• V8 Architecture Reading List
• V8 Vulnerability PoCs