Practical Web Browser Fuzzing

4-Day Security Training on Advanced Browser Exploitation

Web browsers are among the most widely used and most critical pieces of software in the world. Made up of millions of lines of code, they are in charge of handling, sanitizing, and interpreting all kinds of (untrusted) data coming from the web. Realistically, it is impossible for developers to write such complex pieces of software (involving compilers, interpreters, and parsing libraries) without introducing bugs.

As the last few years have shown, fuzz testing is by far the most efficient and scalable testing technique for finding software bugs. In this training, we will apply fuzzing to find critical vulnerabilities in different web browser implementations.

First, this course will give you all the prerequisites to understand the architecture and major components of modern web browsers. Then, you will create and set up a testing environment that lets you easily replay, debug, minimize, and analyze existing issues, CVEs, and PoCs. In dedicated modules, you will discover and fuzz the main browser components: the DOM, JavaScript engines, JIT compilers, WebAssembly, and IPC. You will learn how to use well-known tools (Domato, Dharma, Fuzzilli, Frida) and create your own custom fuzzers, applying different fuzzing techniques (coverage-guided, grammar-based, in-process fuzzing) to find vulnerabilities and bugs.

Many hands-on exercises will help you internalize the concepts and techniques taught in class. This course focuses mainly on Google Chrome, Firefox, and WebKit/JSC.

COURSE OBJECTIVES

  • Discover the architecture and components of modern web browsers.
  • Learn how to create a testing environment for browser fuzzing.
  • Analyze existing CVEs, issues, and PoCs to learn from other researchers.
  • Discover how to use and customize the most famous browser fuzzing tools.
  • Learn how to replay, minimize and analyze crashes.
  • Learn how to apply different fuzzing techniques against browser components.

PREREQUISITES

  • Familiarity with scripting (Python, Bash) and Linux.
  • Familiarity with C/C++ and JavaScript.

HARDWARE REQUIREMENTS

  • A working laptop capable of running virtual machines
  • 8 GB RAM required, at a minimum
  • 80 GB free hard disk space
  • VirtualBox
  • Administrator/root access MANDATORY

WHO SHOULD ATTEND

  • Security engineers
  • Vulnerability researchers
  • Bug bounty hunters
  • Anyone who wants to learn more about browser internals and fuzzing

COURSE SYLLABUS

Module 1: Browser Internals and Fuzzing Basics

  • Introduction to Fuzzing
  • Modern Browser Architecture & major Components
  • Setting up a Testing and Debugging environment
  • Compile and Explore famous browser codebases
  • Fuzzing Web Browsers Fundamentals
  • Improving your Fuzzing Workflow & Automation

Module 2: Fuzzing DOM & Rendering engines

  • Introduction to the Rendering engine
  • HTML/CSS/XML Parsing
  • Analysis of existing CVEs, Issues, and PoCs
  • Blink, Gecko & WebKit Fuzzing
  • DOM rendering & Implementation
  • Fuzzing DOM using Grammar-based Fuzzing

Module 3: Fuzzing JavaScript Engines & JIT Compilers

  • JavaScript Engine Internals & APIs
  • Memory management and Garbage collection
  • Analysis of existing CVEs, Issues, and PoCs
  • V8, Spidermonkey & JavaScriptCore Fuzzing
  • JIT compilers Internals
  • TurboFan and IonMonkey Fuzzing

Module 4: Fuzzing WebAssembly Compilers & APIs

  • Introduction to WebAssembly
  • VM Architecture & Implementation
  • Analysis of existing CVEs, Issues, and PoCs
  • Fuzzing WebAssembly JavaScript APIs
  • WebAssembly compilers internals
  • WebAssembly In-process Fuzzing

Module 5: Fuzzing IPC and other Components

  • Inter-Process Communication (IPC) Internals
  • Analysis of existing CVEs, Issues, and PoCs
  • Fuzzing Chrome Mojo/Legacy IPC
  • Discovery of other Components Implementation
  • Networking/Data Persistence APIs
  • Fuzzing Media and other Plugins

What Students are Saying...

"Very interesting compilation on the fuzzing tricks and techniques on existing and upcoming browser features. I love the fact that many online resources are also compiled into the training slides. I've learnt a lot from the trainer for the past 4 days. Will definitely recommend this training to anyone that has an interest in fuzzing browsers but does not know where to start."
Anonymous, Vulnerability researcher

"I am new to fuzzing and feel like I learned enough to do bug bounties :O"
Anonymous, Vulnerability researcher

"I recommend this training to anyone that is interested in having a well guided kick start to fuzzing. Patrick offers very well thought out fundamentals and methodology to fuzzing and it was definitely very useful. I enjoyed the thought process and methodology on how I could fuzz different parts of the browser. While there are materials to fuzzing online, the thought process of which fuzzing technique to use is often not highlighted very clearly, and Patrick was able to share that thought process in his training."
Anonymous, Vulnerability researcher

"Good sharing of fuzzing tools and setup. Great materials for browser internals and recommendations for internal studies. Will recommend if you want to pick up browser fuzzing and understanding of general concepts for browser internals."
Anonymous, Vulnerability researcher

"Material was comprehensive and up-to-date, instructor was patient and knowledgeable. Learnt a lot during this training, definitely worth it!"
Anonymous, Vulnerability researcher

Any questions about our services and trainings?

Get in touch today with any questions that you might have.