Browser Security

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

Welcome to the third and final installment of the “Chrome Browser Exploitation” series. The main objective of this series has been to provide an in...

Exclusive: Bypassing Chrome V8 HardenProtect by Leaking a Sentinel Value

Preface: A sentinel value (also known as a flag value, trip value, rogue value, signal value or dummy data) is a special value used in an algorithm, typically as the termination condition of a loop or recursive algorithm...

Momo Security Acknowledged by Apple: CVE-2022-42837 - The Woes of the iTunes Store

First, a round of applause for our colleague @dwj1210 👏. As someone who watched this vulnerability all the way from discovery to the final write-up, the editor will say one thing up front: the discovery of this bug was a complete coincidence. A few days ago, while writing challenges for WMCTF, d...

Exploring Chrome’s CVE-2020-6418 – Part1

Introduction: Chrome vulnerabilities have been quite a hot topic for the past couple of years. A lot of vulnerabilities were caught being exploite...

CVE-2022-41128: Type confusion in Internet Explorer's JScript9 engine

Benoît Sevens and Clément Lecigne, Google's Threat Analysis Group (TAG)
The Basics
Disclosure Date: 8 November 2022
Product: Microsoft Windows Ad...

APPLE SAFARI JAVASCRIPTCORE INSPECTOR TYPE CONFUSION

Summary: A type confusion vulnerability exists in the Apple Safari JavaScriptCore (JSC) Inspector. The type confusion leads to memory corruption. A vict...

WebUI: The easiest attack surface in Chrome

"WebUI" is a term used loosely to describe the parts of the Chrome browser UI that are implemented with web technologies (i.e. HTML, CSS, JavaScript). Examples of WebUI in Chromium: Settings (chrome:...

2358 - Chrome: heap-use-after-free in blink::LocalFrameView::PerformLayout (incomplete fix for CVE-2022-3199) - project-zero

    if (!LayoutFromRootObject(*root))  // *** 3 ***
      continue;
    if (should_rebuild_fragments)
      cb->RebuildFragmentTreeSpine();
    // We need to ensur...

Chrome renderer RCE CVE-2022-1134

The write-up can be found here. This is a bug in V8 that I reported in March 2022. This bug allows RCE in th...

Chrome Browser Exploitation, Part 2: Introduction to Ignition, Sparkplug and JIT Compilation via TurboFan

In my previous post “Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals”, we took our first deep dive into the world ...