Browser Exploits

R3zk0n · October 2, 2025

Contents

    Resources

    Challenges

    • https://github.com/StarCrossPortal/bug-hunting-101

    Beginning Resources

    • https://thepwnish3r.github.io/2021/11/22/Browser-Exploitation-for-n00bs.html
    • https://faraz.faith/2019-12-13-starctf-oob-v8-indepth/
    • https://seal9055.com/blog/browser/browser_architecture
    • https://seal9055.com/blog/browser/ignition
    • https://seal9055.com/blog/browser/memory_management
    • https://seal9055.com/blog/browser/turbofan
    • https://seal9055.com/blog/browser/exploitation
    • Hack The Box Walkthrough: https://www.youtube.com/watch?v=m6Fpc3zxrJg&t=3284s
    • JavaScript Engines - How do they even: https://www.youtube.com/watch?v=p-iiEDtpy6I
    • https://www.youtube.com/watch?v=ltYfd4GXags

    Other Resources

    • https://www.youtube.com/watch?app=desktop&v=i9O_vYQbZEo
    • https://v8.dev/blog/fast-properties
    • https://pwnbykenny.com/2020/07/05/v8-objects-and-their-structures/
    • https://medium.com/@bpmxmqd/v8-engine-jsobject-structure-analysis-and-memory-optimization-ideas-be30cfcdcd16
    • https://v8.dev/blog/elements-kinds
    • https://deepu.tech/memory-management-in-v8/
    • https://www.jayconrod.com/posts/52/a-tour-of-v8--object-representation
    • https://developpaper.com/how-does-v8-run-object-representation-in-v8/
    • https://sensepost.com/blog/2020/intro-to-chromes-v8-from-an-exploit-development-angle/
    • https://v8.dev/blog/trash-talk
    • https://benediktmeurer.de/

    LiveOverflow Introduction

    Browser exploits used to be known as drive-by downloads.

    https://www.youtube.com/watch?v=StQ_6juJlZY

    https://liveoverflow.com/getting-into-browser-exploitation-new-series-introduction-browser-0x00/

    Project Zero

    https://googleprojectzero.blogspot.com/

    ======================================================================

    What is my Browser

    • https://www.whatismybrowser.com/

    ======================================================================

    Fuck, this one sucks. Here we go.

    Browser Architecture

    All mainline browsers use different JavaScript engines, and this is typically where most bugs are found:

    • Safari uses the WebKit Engine
    • Firefox uses SpiderMonkey Engine
    • IE/EDGE uses Chakra Engine
    • Chromium uses V8 Engine

    JIT - Just In Time Compiler

    Pointer Tagging

    Maps

    // All heap objects have a Map that describes their structure.
    //  A Map contains information about:
    //  - Size information about the object
    //  - How to iterate over an object (for garbage collection)
    //
    // Map layout:
    // +---------------+---------------------------------------------+
    // |   _ Type _    | _ Description _                             |
    // +---------------+---------------------------------------------+
    // | TaggedPointer | map - Always a pointer to the MetaMap root  |
    // +---------------+---------------------------------------------+
    // | Int           | The first int field                         |
    //  `---+----------+---------------------------------------------+
    //      | Byte     | [instance_size]                             |
    //      +----------+---------------------------------------------+
    //      | Byte     | If Map for a primitive type:                |
    //      |          |   native context index for constructor fn   |
    //      |          | If Map for an Object type:                  |
    //      |          |   inobject properties start offset in words |
    //      +----------+---------------------------------------------+
    //      | Byte     | [used_or_unused_instance_size_in_words]     |
    //      |          | For JSObject in fast mode this byte encodes |
    //      |          | the size of the object that includes only   |
    //      |          | the used property fields or the slack size  |
    //      |          | in properties backing store.                |
    //      +----------+---------------------------------------------+
    //      | Byte     | [visitor_id]                                |
    // +----+----------+---------------------------------------------+
    // | Int           | The second int field                        |
    //  `---+----------+---------------------------------------------+
    //      | Short    | [instance_type]                             |
    //      +----------+---------------------------------------------+
    //      | Byte     | [bit_field]                                 |
    //      |          |   - has_non_instance_prototype (bit 0)      |
    //      |          |   - is_callable (bit 1)                     |
    //      |          |   - has_named_interceptor (bit 2)           |
    //      |          |   - has_indexed_interceptor (bit 3)         |
    //      |          |   - is_undetectable (bit 4)                 |
    //      |          |   - is_access_check_needed (bit 5)          |
    //      |          |   - is_constructor (bit 6)                  |
    //      |          |   - has_prototype_slot (bit 7)              |
    //      +----------+---------------------------------------------+
    //      | Byte     | [bit_field2]                                |
    //      |          |   - is_extensible (bit 0)                   |
    //      |          |   - is_prototype_map (bit 1)                |
    //      |          |   - is_in_retained_map_list (bit 2)         |
    //      |          |   - elements_kind (bits 3..7)               |
    // +----+----------+---------------------------------------------+
    // | Int           | [bit_field3]                                |
    // |               |   - enum_length (bit 0..9)                  |
    // |               |   - number_of_own_descriptors (bit 10..19)  |
    // |               |   - is_dictionary_map (bit 20)              |
    // |               |   - owns_descriptors (bit 21)               |
    // |               |   - has_hidden_prototype (bit 22)           |
    // |               |   - is_deprecated (bit 23)                  |
    // |               |   - is_unstable (bit 24)                    |
    // |               |   - is_migration_target (bit 25)            |
    // |               |   - is_immutable_proto (bit 26)             |
    // |               |   - new_target_is_base (bit 27)             |
    // |               |   - may_have_interesting_symbols (bit 28)   |
    // |               |   - construction_counter (bit 29..31)       |
    // |               |                                             |
    // +*************************************************************+
    // | Int           | On systems with 64bit pointer types, there  |
    // |               | is an unused 32bits after bit_field3        |
    // +*************************************************************+
    // | TaggedPointer | [prototype]                                 |
    // +---------------+---------------------------------------------+
    // | TaggedPointer | [constructor_or_backpointer]                |
    // +---------------+---------------------------------------------+
    // | TaggedPointer | If Map is a prototype map:                  |
    // |               |   [prototype_info]                          |
    // |               | Else:                                       |
    // |               |   [raw_transitions]                         |
    // +---------------+---------------------------------------------+
    // | TaggedPointer | [instance_descriptors]                      |
    // +*************************************************************+
    // ! TaggedPointer ! [layout_descriptors]                        !
    // !               ! Field is only present if compile-time flag  !
    // !               ! FLAG_unbox_double_fields is enabled         !
    // !               ! (basically on 64 bit architectures)         !
    // +*************************************************************+
    // | TaggedPointer | [dependent_code]                            |
    // +---------------+---------------------------------------------+
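    As an added example (not code from the page or from V8 itself), the JavaScript below decodes the three packed bit fields from the layout above into named flags, which is what you end up doing by hand when reading a Map out of a debugger dump. The bit positions are copied from the comment as printed here; they change between V8 versions, so check them against the map.h of the build you are actually inspecting. The sample words are constructed, and the assumption that instance_type sits in the low 16 bits of the second int field (little-endian packing, short first) is mine.

```javascript
// Added example, not V8 code: decode Map bit fields per the map.h layout
// comment as printed on the page. Field tables: [name, lowBit, width].
const BIT_FIELD = [
  ["has_non_instance_prototype", 0, 1],
  ["is_callable", 1, 1],
  ["has_named_interceptor", 2, 1],
  ["has_indexed_interceptor", 3, 1],
  ["is_undetectable", 4, 1],
  ["is_access_check_needed", 5, 1],
  ["is_constructor", 6, 1],
  ["has_prototype_slot", 7, 1],
];

const BIT_FIELD2 = [
  ["is_extensible", 0, 1],
  ["is_prototype_map", 1, 1],
  ["is_in_retained_map_list", 2, 1],
  ["elements_kind", 3, 5],
];

const BIT_FIELD3 = [
  ["enum_length", 0, 10],
  ["number_of_own_descriptors", 10, 10],
  ["is_dictionary_map", 20, 1],
  ["owns_descriptors", 21, 1],
  ["has_hidden_prototype", 22, 1],
  ["is_deprecated", 23, 1],
  ["is_unstable", 24, 1],
  ["is_migration_target", 25, 1],
  ["is_immutable_proto", 26, 1],
  ["new_target_is_base", 27, 1],
  ["may_have_interesting_symbols", 28, 1],
  ["construction_counter", 29, 3],
];

// Extract `width` bits starting at bit `low` from a 32-bit value.
// `>>>` keeps everything unsigned so bit 31 is not treated as a sign bit.
function bits(value, low, width) {
  return ((value >>> low) & ((1 << width) - 1)) >>> 0;
}

// Turn a raw field value into an object of named flags; one-bit fields
// become booleans, wider fields stay numeric.
function decodeField(value, table) {
  const out = {};
  for (const [name, low, width] of table) {
    const v = bits(value, low, width);
    out[name] = width === 1 ? v === 1 : v;
  }
  return out;
}

// The second int field holds instance_type (Short), bit_field (Byte) and
// bit_field2 (Byte). Assumption: little-endian packing, so instance_type is
// bits 0..15, bit_field is bits 16..23 and bit_field2 is bits 24..31.
function decodeSecondIntField(word) {
  return {
    instance_type: bits(word, 0, 16),
    bit_field: decodeField(bits(word, 16, 8), BIT_FIELD),
    bit_field2: decodeField(bits(word, 24, 8), BIT_FIELD2),
  };
}

function decodeBitField3(word) {
  return decodeField(word >>> 0, BIT_FIELD3);
}

// Constructed sample words (not real dumps).
// bit_field3: enum_length = 3, number_of_own_descriptors = 3,
// owns_descriptors = 1, new_target_is_base = 1, construction_counter = 7.
const SAMPLE_BIT_FIELD3 = 0xE8200C03;
// second int: instance_type = 0x0123, bit_field = is_callable|is_constructor,
// bit_field2 = is_extensible with elements_kind = 2.
const SAMPLE_SECOND_INT = 0x11420123;

console.log(decodeBitField3(SAMPLE_BIT_FIELD3));
console.log(decodeSecondIntField(SAMPLE_SECOND_INT));
```

    The elements_kind value (bits 3..7 of bit_field2) is the field that tells you whether an array's backing store holds Smis, unboxed doubles or tagged pointers, so it is the first thing to decode when checking that an array still has the Map you expect.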

    Map Notes:
    The Map of an object (arrays are objects) is a data structure that contains information such as:

    • The dynamic type of the object, i.e. String, Uint8Array, HeapNumber
    • The size of the object in bytes
    • The properties of the object and where they are stored
    • The type of the array elements, e.g. unboxed doubles or tagged pointers
    • The prototype of the object if any

    While the property names are usually stored in the Map, the property values are stored within the object itself in one of several possible regions. The Map then provides the exact location of the property value in the respective region.

    Map in view => String, Uint8Array, Heap, JSArray. Map in view = size of the object in bytes, e.g. 0x0000040000 = 4. Properties of the object and where they are stored.

    Maps define how an object should be accessed, e.g. var a = [1.1, 1.2]; a[0] = 1.1, a[1] = 1.2. Maps are used in the first place because looking up values is very expensive; a Map acts as a sort of dictionary. Multiple objects / arrays can share the same Map if they have the same layout; in theory, overwriting one object's Map with another's causes a type confusion.
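    To make the shared-Map idea concrete, here is an added toy model in JavaScript (not V8 code and not from the page): a Shape plays the role of a Map, objects that add the same properties in the same order end up sharing one Shape instance, and a cached property read re-checks the shape before reusing a slot index. That shape check is the map check that keeps a cached offset from being applied to an object laid out differently. The names Shape, ToyObject and makeCachedGetter are mine.

```javascript
// Added example, not V8 code: a toy model of V8-style Maps (hidden classes).
// A Shape records which property name lives at which slot index plus a
// transition table, so the same sequence of property additions always lands
// on the same Shape. Values live in the object's own `slots` array; the Shape
// only says where to look.
class Shape {
  constructor(parent, name) {
    this.parent = parent;
    // name -> slot index, inherited from the parent and extended by one entry
    this.offsets = new Map(parent ? parent.offsets : []);
    if (name !== undefined) this.offsets.set(name, this.offsets.size);
    this.transitions = new Map(); // name -> child Shape
  }
  // Follow (or create) the transition for adding `name`.
  addProperty(name) {
    let next = this.transitions.get(name);
    if (!next) {
      next = new Shape(this, name);
      this.transitions.set(name, next);
    }
    return next;
  }
}

const ROOT_SHAPE = new Shape(null);

class ToyObject {
  constructor() {
    this.shape = ROOT_SHAPE;
    this.slots = [];
  }
  set(name, value) {
    if (!this.shape.offsets.has(name)) this.shape = this.shape.addProperty(name);
    this.slots[this.shape.offsets.get(name)] = value;
    return this;
  }
  get(name) {
    const idx = this.shape.offsets.get(name);
    return idx === undefined ? undefined : this.slots[idx];
  }
}

// A monomorphic inline cache as a JIT would build it: remember the shape
// seen at this access site together with the slot index, and reuse the
// index only when the incoming object's shape is identical. Without the
// shape comparison, the cached index would be read out of an object whose
// slots mean something else.
function makeCachedGetter(name) {
  let cachedShape = null;
  let cachedIndex = undefined;
  return function (obj) {
    if (obj.shape !== cachedShape) {
      cachedShape = obj.shape;
      cachedIndex = obj.shape.offsets.get(name);
    }
    return cachedIndex === undefined ? undefined : obj.slots[cachedIndex];
  };
}

// Constructed objects: a and b add x then y, c adds y then x.
function demo() {
  const a = new ToyObject().set("x", 1).set("y", 2);
  const b = new ToyObject().set("x", 10).set("y", 20);
  const c = new ToyObject().set("y", 2).set("x", 1);
  const getY = makeCachedGetter("y");
  return {
    abShareShape: a.shape === b.shape, // same layout -> same Shape
    acShareShape: a.shape === c.shape, // same names, other order -> different
    yIndexAB: a.shape.offsets.get("y"),
    yIndexC: c.shape.offsets.get("y"),
    getYa: getY(a),
    getYb: getY(b),
    getYc: getY(c), // shape check forces a re-lookup, so the right slot is read
  };
}

console.log(demo());
```

    Note that property order matters: c has the same two names as a but a different Shape and a different slot for y, which is exactly why a cached offset is only valid together with the shape it was computed for.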
