Recon 2023 - Training Announcement
Practical Web Browser Fuzzing Training
Kickstart your journey into the intricate world of web browser fuzzing at Recon 2023! This exclusive training, led by experts Patrick Ventuzelo, is your opportunity to master advanced fuzzing techniques and uncover vulnerabilities in some of the most widely used software globally.
Overview
Web browsers are among the most complex software systems, managing untrusted web data with millions of lines of code. Inevitably, bugs slip through the cracks, making security essential. This hands-on training will equip participants with the skills to apply fuzzing techniques for identifying critical vulnerabilities in leading web browser implementations like Chrome, Firefox, and WebKit.
The training begins with an introduction to modern web browser architecture, followed by practical sessions using tools like Honggfuzz, Domato, Fuzzilli, and AFL++. Participants will gain expertise in fuzzing browser components such as DOM, JavaScript engines, JIT compilers, WebAssembly, and IPC. Real-world use cases ensure a practical, impactful learning experience.
June 5 to 8 2023
Recon (Montreal, Canada)
4 days
Intermediate
Patrick Ventuzelo
$4800
25 participants
Schedule
Day 1
- Morning: Browser Internals and Fuzzing Basics (Module 1)
- Afternoon: Fuzzing DOM & Rendering Engines (Module 2)
Day 2
- Morning: Fuzzing DOM & Rendering Engines (Module 2)
- Afternoon: Fuzzing JavaScript Engines & JIT Compilers (Module 3)
Day 3
- Morning: Fuzzing JavaScript Engines & JIT Compilers (Module 3)
- Afternoon: Fuzzing WebAssembly Compilers & APIs (Module 4)
Day 4
- Morning: Fuzzing WebAssembly Compilers & APIs (Module 4)
- Afternoon: Fuzzing IPC and Other Components (Module 5)
Your Instructors
Patrick Ventuzelo
Patrick Ventuzelo is a senior security researcher, CEO & founder of Fuzzinglabs. After working for the French Ministry of Defense, he specialized in fuzzing, vulnerability research, and reverse engineering. Over the years, Patrick has created multiple fuzzers, found hundreds of bugs, and published various blog posts/videos/tools on topics like Rust, Go, Blockchain, WebAssembly, and Browser security. Patrick is a regular speaker and trainer at various security conferences around the globe, including BlackHat USA, OffensiveCon, REcon, RingZer0, PoC, ToorCon, hack.lu, NorthSec, SSTIC, and others.
Topics Covered
Module 1: Introduction to Browser Fuzzing
- Introduction to Fuzzing
- Modern Browser Architecture & major Components
- Setting up a Testing and Debugging environment
- Compile and Explore famous browser codebases
- Fuzzing Web Browsers Fundamentals
- Improving your Fuzzing Workflow & Automation
Module 2: Fuzzing DOM & Rendering engines
- Introduction to the Rendering engine
- HTML/CSS/XML Parsing
- Analysis of existing CVEs, Issues, and PoCs
- Blink, Gecko & WebKit Fuzzing
- DOM rendering & Implementation
- Fuzzing DOM using Grammar-based Fuzzing
Module 3: Fuzzing JavaScript Engines & JIT Compilers
- JavaScript Engine Internals & APIs
- Memory management and Garbage collection
- Analysis of existing CVEs, Issues, and PoCs
- V8, Spidermonkey & JavaScriptCore Fuzzing
- JIT compilers Internals
- TurboFan and IonMonkey Fuzzing
Module 4: Fuzzing WebAssembly Compilers & APIs
- Introduction to WebAssembly
- VM Architecture & Implementation
- Analysis of existing CVEs, Issues, and PoCs
- Fuzzing WebAssembly JavaScript APIs
- WebAssembly compilers internals
- WebAssembly In-process Fuzzing
Module 5: Fuzzing IPC and other Components
- Inter-Process Communication (IPC) Internals
- Analysis of existing CVEs, Issues, and PoCs
- Fuzzing Chrome Mojo/Legacy IPC
- Discovery of other Components Implementation
- Networking/Data Persistence APIs
- Fuzzing Media and other Plugins
Prerequisites and requirements
- Familiarity with scripting (Python, Bash) and Linux.
- Familiarity with C/C++ and JavaScript.
- A working laptop capable of running virtual machines
- 8GB RAM required, at a minimum
- 80 GB free Hard disk space
- VirtualBox
- Administrator/root access MANDATORY
About Us
Founded in 2021 and headquartered in Paris, FuzzingLabs is a cybersecurity startup specializing in vulnerability research, fuzzing, and blockchain security. We combine cutting-edge research with hands-on expertise to secure some of the most critical components in the blockchain ecosystem.
Contact us for an audit or long term partnership!
