Training: Practical Web Browser Fuzzing
by Patrick Ventuzelo
Web browsers are among the most widely used and most critical pieces of software in the world. Built from millions of lines of code, they handle, sanitize, and interpret all kinds of (untrusted) data coming from the web. To be honest, it's just impossible for developers to write such complex pieces of software (involving compilers, interpreters, and parsing libraries) without introducing bugs.
As the last few years have shown, fuzz testing is by far the most efficient and scalable testing technique for finding software bugs. In this training, we will apply fuzzing to find critical vulnerabilities in different web browser implementations.
First, this course will give you all the prerequisites to understand the architecture and major components of modern web browsers. Then, you will create and set up a testing environment that lets you easily replay, debug, minimize, and analyze existing issues, CVEs, and PoCs.
Over dedicated modules, you will discover and fuzz the main browser components such as the DOM, JS engines, JIT compilers, WebAssembly, and IPC. You will learn how to use well-known tools (Domato, Dharma, Fuzzilli, Frida) and create your own custom fuzzers to apply different fuzzing techniques (coverage-guided, grammar-based, in-process fuzzing) to find vulnerabilities and bugs.
A lot of hands-on exercises will allow you to internalize the concepts and techniques taught in class. This course will mainly focus on Google Chrome, Firefox, and WebKit/JSC.
KEY LEARNING OBJECTIVES
– Discover the architecture and components of modern web browsers
– Learn how to create a testing environment for browser fuzzing
– Analyze existing CVEs, issues, and PoCs to learn from other researchers
– Discover how to use and customize the most famous browser fuzzing tools
– Learn how to replay, minimize and analyze crashes
– Learn how to apply different fuzzing techniques against browser components
WHO SHOULD ATTEND
This training is designed for vulnerability researchers and anyone who wants to learn more about web browser internals, discover different fuzzing techniques, and find bugs in critical software.
COURSE TOPICS
MODULE 1: INTRODUCTION TO BROWSER FUZZING
- Introduction to Fuzzing
- Modern Browser Architecture & major Components
- Setting up a Testing and Debugging environment
- Compile and Explore famous browser codebases
- Fuzzing Web Browsers Fundamentals
- Improving your Fuzzing Workflow & Automation
MODULE 2: FUZZING DOM & RENDERING ENGINES
- Introduction to the Rendering engine
- HTML/CSS/SVG Parsing
- Analysis of existing CVEs, Issues, and PoCs
- Blink, Gecko & WebKit Fuzzing
- DOM rendering & Implementation
- Fuzzing DOM using Grammar-based Fuzzing
MODULE 3: FUZZING JAVASCRIPT ENGINES & JIT COMPILERS
- JavaScript Engine Internals & APIs
- Memory management and Garbage collection
- Analysis of existing CVEs, Issues, and PoCs
- V8, Spidermonkey & JavaScriptCore Fuzzing
- JIT compilers Internals
- TurboFan and IonMonkey Fuzzing
MODULE 4: FUZZING WEBASSEMBLY COMPILERS & APIs
- Introduction to WebAssembly
- VM Architecture & Implementation
- Analysis of existing CVEs, Issues, and PoCs
- Fuzzing WebAssembly JavaScript APIs
- WebAssembly compilers internals
- WebAssembly In-process Fuzzing
MODULE 5: FUZZING IPC AND OTHER COMPONENTS
- Inter-Process Communication (IPC) Internals
- Analysis of existing CVEs, Issues, and PoCs
- Fuzzing Firefox and Chrome Mojo/Legacy IPC
- Discovery of other Components Implementation
- Networking/Data Persistence APIs
- Fuzzing Media and other Plugins
PREREQUISITES
Familiarity with scripting (Python, Bash) and Linux. Familiarity with C/C++ and JavaScript.
SKILL LEVEL: BEGINNER / INTERMEDIATE
LAPTOP REQUIREMENTS
- A working laptop capable of running virtual machines
- 8GB RAM required, at a minimum
- 80 GB free hard disk space
- VirtualBox
- Administrator/root access MANDATORY
BIO
Patrick Ventuzelo is a senior security researcher and the founder of Fuzzinglabs. After working for the French Ministry of Defense, he specialized in fuzzing, vulnerability research, and reverse engineering. Over the years, Patrick has found hundreds of bugs and published various blog posts/videos/tools on topics like Rust, Go, Blockchain, WebAssembly, and Browser security. Patrick is a regular speaker and trainer at various security conferences around the globe, including OffensiveCon, REcon, RingZer0, ToorCon, hack.lu, NorthSec, SSTIC, and others.