Browser-Pwn

The world of browsers is dominated by four major players: Chromium (Blink/V8), Firefox (Gecko/SpiderMonkey), Safari (WebKit/JavaScriptCore) and Edge (Blink/V8 today, formerly EdgeHTML/ChakraCore).

The following is split into four parts:

Table of Contents

  1. Engines
  2. Exploitation
  3. Tools
  4. JavaScript Docs

Engines

Engine-Overview

Browse the Sources

Of course you can use your own favorite setup to browse the sources. However, those repos are relatively large and I tried a couple of different setups until I found something that worked for me. So if you don't have a good setup already, here are a couple of my experiences that might help you:

Chromium (Blink)

Project | GitHub

Articles:

The JavaScript-Engine of Blink is V8.

V8

Project | GitHub | Source | How2Build

Build (Ubuntu 18.04):

$ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
$ export PATH="$PATH:$(pwd)/depot_tools"   # absolute path, so depot_tools still resolves after cd
$ gclient
$ mkdir ./v8 && cd ./v8
$ fetch v8 && cd v8
$ git pull
$ gclient sync
$ ./build/install-build-deps.sh
# x64.release is what you exploit against; x64.debug keeps DCHECKs and is easier to debug
$ tools/dev/gm.py x64.release
$ out/x64.release/d8

Useful flags:

Articles:

JIT-Compiler: TurboFan

Docs | Blog

V8 provides a visualization of the TurboFan graph, called Turbolizer.

Articles:

Turbolizer usage:
  1. Run d8 with --trace-turbo: d8 --trace-turbo foo.js (add --trace-turbo-filter=<function> to limit the output to one function)
  2. V8 writes one JSON file per function TurboFan optimized, named turbo-<function>-<n>.json (e.g. turbo-foo-0.json for a function foo); a script in which nothing gets hot produces no files
  3. Go to v8/tools/turbolizer and install it with npm as described in its README.md
  4. Serve that directory, e.g. python3 -m http.server 8000 (python -m SimpleHTTPServer 8000 on Python 2)
  5. Browse to localhost:8000 and open turbo-foo-0.json
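Step 1 only produces a graph for functions TurboFan actually compiled, so the script you feed d8 has to make the target hot with stable type feedback. The following is an added example of such a d8 target, not code from the original page or from V8: it warms `add3` up with small integers only, optionally forces optimization through the V8 intrinsics `%PrepareFunctionForOptimization` / `%OptimizeFunctionOnNextCall` (only parseable under d8 --allow-natives-syntax; compiling them via `new Function` turns the SyntaxError into a catchable one, so the same file also runs under node or a d8 without the flag), and finally calls the optimized function with strings so you can watch the deopt. The flags named in the comments (--trace-turbo-filter, --trace-opt, --trace-deopt) are assumed to be present on your d8 build; check d8 --help.

```javascript
// Added example: a target script for `d8 --trace-turbo` (not from the page or V8).
// Usage (flags assumed, verify with d8 --help):
//   d8 --allow-natives-syntax --trace-turbo --trace-turbo-filter=add3 \
//      --trace-opt --trace-deopt turbo_target.js
// writes turbo-add3-<n>.json for Turbolizer.

// The function we want TurboFan to compile.
function add3(a, b, c) {
  return a + b + c;
}

// Warm the function up with small integers only, so the feedback for `+`
// stays monomorphic (integer). `| 0` keeps acc in int32 range so the
// accumulator does not turn into a double halfway through the loop.
function warmUp(fn, iterations) {
  let acc = 0;
  for (let i = 0; i < iterations; i++) {
    acc = (acc + fn(i, i + 1, i + 2)) | 0;
  }
  return acc;
}

// Force optimization through V8 intrinsics when they are available.
// `%...` is a syntax error unless d8 runs with --allow-natives-syntax;
// parsing it lazily via `new Function` makes that error catchable.
// Returns true if the intrinsics ran, false if we fell back to warm-up only.
function tryForceOptimize(fn) {
  try {
    const prepare = new Function("f", "%PrepareFunctionForOptimization(f)");
    const optimize = new Function("f", "%OptimizeFunctionOnNextCall(f)");
    prepare(fn);
    fn(1, 2, 3);      // collect feedback after preparation
    optimize(fn);
    fn(1, 2, 3);      // this call runs the TurboFan-compiled code
    return true;
  } catch (e) {
    return false;     // intrinsics unavailable (node, or d8 without the flag)
  }
}

// Now violate the integer speculation: string operands make the optimized
// code deoptimize (visible with --trace-deopt). Speculation boundaries
// like this one are where most JIT bugs live, so it is worth having the
// graph for both the optimized and the deoptimized state.
function poison(fn) {
  return fn("a", "b", "c");
}

const warm = warmUp(add3, 100000);
const forced = tryForceOptimize(add3);
const poisoned = poison(add3);
```

Run it once without --trace-turbo-filter to see which other functions (warmUp itself, for instance) TurboFan picked up, then narrow the filter to the one you care about; Turbolizer renders one JSON file at a time.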

Firefox (Gecko)

Project | GitHub

The JavaScript-Engine of Gecko is SpiderMonkey.

SpiderMonkey

Project | Source | How2Build

Source

Build (Ubuntu 18.04):

$ wget -O bootstrap.py https://hg.mozilla.org/mozilla-central/raw-file/default/python/mozboot/bin/bootstrap.py && python bootstrap.py
$ git clone https://github.com/mozilla/gecko-dev.git && cd gecko-dev
$ cd js/src
$ autoconf2.13

# This name should end with "_DBG.OBJ" to make the version control system ignore it.
$ mkdir build_DBG.OBJ
$ cd build_DBG.OBJ
$ ../configure --enable-debug --disable-optimize
# Use "mozmake" on Windows
$ make -j 6
# The shell is built inside the object directory (older trees placed it at ./js)
$ dist/bin/js

JIT-Compiler: IonMonkey

Project

SpiderMonkey provides a visualization of the IonMonkey graph, called IonGraph.

Source

Safari (WebKit)

Project | GitHub

The JavaScript-Engine of WebKit is JavaScriptCore (JSC).

JavaScriptCore

Project | Wiki | Source

Articles:

Source

Build (Ubuntu 18.04):

# sudo apt install libicu-dev python ruby bison flex cmake build-essential ninja-build git gperf
$ git clone git://git.webkit.org/WebKit.git && cd WebKit   # the tree is also on GitHub: https://github.com/WebKit/WebKit
$ Tools/gtk/install-dependencies
$ Tools/Scripts/build-webkit --jsc-only --debug
# --debug builds land in WebKitBuild/Debug; WebKitBuild/Release is only there after a --release build
$ cd WebKitBuild/Debug
$ LD_LIBRARY_PATH=./lib bin/jsc

JIT-Compiler: LLInt + Baseline JIT + DFG JIT + FTL JIT

JavaScriptCore has a four-tier execution engine: the LLInt interpreter plus three JITs (Baseline, DFG and FTL). Code starts in the LLInt and moves up a tier only once it has run hot enough to justify the compilation cost, so each tier trades more up-front compilation time for faster generated code.

Articles:

Source

Edge (Blink/EdgeHTML)

Project | GitHub

Since Edge switched to Blink and the Chromium project as its rendering engine, Edge uses V8. Originally, Edge had its own rendering engine called EdgeHTML, which used the ChakraCore JavaScript engine.

ChakraCore

GitHub | How2Build

Docs

Source

Build (Ubuntu 18.04):

# To build ChakraCore on Linux: (requires Clang 3.7+ and Python 2)
$ sudo apt-get install -y git build-essential cmake clang libicu-dev libunwind8-dev
$ git clone https://github.com/Microsoft/ChakraCore && cd ChakraCore
# Point --cc/--cxx at the clang apt actually installed; use the versioned names (e.g. /usr/bin/clang-3.9) if that is the package you have
$ ./build.sh --cc=/usr/bin/clang --cxx=/usr/bin/clang++ --arch=amd64 --debug
$ out/Debug/ch

Exploitation

Exploitation-Overview

Chromium Pwn

Articles

CTF-Challenges

RealWorld

Hardening & Mitigations

Firefox Pwn

Articles

CTF-Challenges

RealWorld

Safari Pwn

CTF-Challenges

RealWorld

Hardening & Mitigations

Edge

Articles

CTF-Challenges

RealWorld

Tools

Libraries:

Utils

Debugging

JavaScript (ECMAScript) Docs