Practical Web Browser Fuzzing

IN-PERSON 4 DAYS TRAINING: AUGUST 2023

Patrick Ventuzelo

Abstract

Web browsers are among the world's most widely used and critical software. Built from millions of lines of code, they handle, sanitize, and interpret all kinds of (untrusted) data from the web. To be honest, it's impossible for developers to write such complex pieces of software (involving compilers, interpreters, and parsing libraries) without introducing any bugs.

As recent years have shown, fuzz testing is the most efficient and scalable testing technique to find software bugs. In this training, we will apply fuzzing to find critical vulnerabilities in different web browser implementations.

First, this course will give you all the prerequisites to understand modern web browsers' architecture and significant components. Then, you will create and set up a testing environment allowing you to easily replay, debug, minimize and analyze existing issues, CVEs, and PoCs. Over dedicated modules, you will discover and fuzz the main browser components such as DOM, JS engines, JIT compilers, WebAssembly, and IPC. You will learn how to use famous tools (Honggfuzz, Domato, Dharma, Fuzzilli, AFL++) and create your custom fuzzers to apply different fuzzing techniques (coverage-guided, grammar-based, in-process fuzzing) to find vulnerabilities/bugs.

A lot of hands-on exercises will allow you to internalize concepts and techniques taught in class. This course will mainly focus on Google Chrome, Firefox, and WebKit/JSC.

Key Learning Objectives

  • Discover the architecture and components of modern web browsers.
  • Learn how to create a testing environment for browser fuzzing.
  • Analyze existing CVEs, issues, and PoCs to learn from other researchers.
  • Discover how to use and customize the most famous browser fuzzing tools.
  • Learn how to replay, minimize and analyze crashes.
  • Learn how to apply different fuzzing techniques against browser components.

Who Should Attend

This training is designed for security engineers, vulnerability researchers, bug bounty hunters, and anyone who wants to learn more about web browser internals and discover how to find critical bugs using different fuzzing techniques.

Course Topics

Module 1: Introduction to Browser Fuzzing

  • Introduction to Fuzzing
  • Modern Browser Architecture and major Components
  • Setting up a Testing and Debugging environment
  • Compile and Explore famous browser codebases
  • Fuzzing Web Browsers Fundamentals
  • Improving your Fuzzing Workflow and Automation

Module 2: Fuzzing DOM and Rendering engines

  • Introduction to the Rendering engine
  • HTML/CSS/XML Parsing
  • Analysis of existing CVEs, Issues, and PoCs
  • Blink, Gecko and WebKit Fuzzing
  • DOM rendering and Implementation
  • Fuzzing DOM using Grammar-based Fuzzing

Module 3: Fuzzing JavaScript Engines and JIT Compilers

  • JavaScript Engine Internals and APIs
  • Memory management and Garbage collection
  • Analysis of existing CVEs, Issues, and PoCs
  • V8, SpiderMonkey and JavaScriptCore Fuzzing
  • JIT compilers Internals
  • TurboFan and IonMonkey Fuzzing

Module 4: Fuzzing WebAssembly Compilers and APIs

  • Introduction to WebAssembly
  • VM Architecture and Implementation
  • Analysis of existing CVEs, Issues, and PoCs
  • Fuzzing WebAssembly JavaScript APIs
  • WebAssembly compilers internals
  • WebAssembly In-process Fuzzing

Module 5: Fuzzing IPC and other Components

  • Inter-Process Communication (IPC) Internals
  • Analysis of existing CVEs, Issues, and PoCs
  • Fuzzing Chrome Mojo/Legacy IPC
  • Discovery of other Components Implementation
  • Networking/Data Persistence APIs
  • Fuzzing Media and other Plugins

Prerequisites

  • Familiarity with scripting (Python, Bash) and Linux.
  • Familiarity with C/C++ and JavaScript.
  • SKILL LEVEL: BEGINNER / INTERMEDIATE

Laptop Requirements

  • A working laptop capable of running x86-64 virtual machines
  • 8 GB RAM required, at a minimum
  • 80 GB free hard disk space
  • VirtualBox
  • Administrator/root access MANDATORY