{"id":6528,"url":"https://github.com/escapingbug/awesome-browser-exploit","name":"awesome-browser-exploit","description":"awesome list of browser exploitation tutorials","projects_count":79,"last_synced_at":"2026-04-03T10:00:23.517Z","repository":{"id":37493175,"uuid":"134539713","full_name":"Escapingbug/awesome-browser-exploit","owner":"Escapingbug","description":"awesome list of browser exploitation tutorials","archived":false,"fork":false,"pushed_at":"2023-09-18T01:55:10.000Z","size":47,"stargazers_count":2262,"open_issues_count":0,"forks_count":304,"subscribers_count":76,"default_branch":"master","last_synced_at":"2026-02-21T14:07:15.223Z","etag":null,"topics":["awesome","awesome-list","browser-exploitation"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Escapingbug.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-05-23T08:42:15.000Z","updated_at":"2026-02-20T19:57:05.000Z","dependencies_parsed_at":"2024-01-11T14:25:58.184Z","dependency_job_id":null,"html_url":"https://github.com/Escapingbug/awesome-browser-exploit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Escapingbug/awesome-browser-exploit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Escapingbug%2Fawesome-browser-exploit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Escapingbug%2Fawesome-browser-exploit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Escapingbug%2Fawesome-browser-exploit/rel
eases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Escapingbug%2Fawesome-browser-exploit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Escapingbug","download_url":"https://codeload.github.com/Escapingbug/awesome-browser-exploit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Escapingbug%2Fawesome-browser-exploit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30168587,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-06T07:56:45.623Z","status":"ssl_error","status_checked_at":"2026-03-06T07:55:55.621Z","response_time":250,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"readme":"# awesome-browser-exploit\nShare some useful archives about browser exploitation.\n\nI'm just starting to collect what I can find, and I'm only a starter in this area\nas well. 
Contributions are welcome.\n\n# Chrome v8\n## Basic\n* [v8 github mirror(docs within)](https://github.com/v8/v8)[github]\n* [on-stack replacement in v8](http://wingolog.org/archives/2011/06/20/on-stack-replacement-in-v8)[article] // multiple articles can be found within\n* [A tour of V8: Garbage Collection](http://www.jayconrod.com/posts/55/a-tour-of-v8-garbage-collection)[article]\n* [A tour of V8: object representation](http://www.jayconrod.com/posts/52/a-tour-of-v8-object-representation)[article]\n* [v8 fast properties](https://v8project.blogspot.com/2017/08/fast-properties.html)[article]\n* [learning v8](https://github.com/danbev/learning-v8)[github]\n* [Intro to Chrome’s V8 from an exploit development angle](https://sensepost.com/blog/2020/intro-to-chromes-v8-from-an-exploit-development-angle/)[article]\n* [Introduction to TurboFan](https://doar-e.github.io/blog/2019/01/28/introduction-to-turbofan/)[article]\n* [V8 / Chrome Architecture Reading List - For Vulnerability Researchers](https://zon8.re/posts/v8-chrome-architecture-reading-list-for-vulnerability-researchers/)\n\n## Writeup and Exploit Tech\n* [Getting into Browser Exploitation - Recreating Safari WebKit Exploit](https://www.youtube.com/playlist?list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t)[video]\n* [Mobile Pwn2Own Autumn 2013 - Chrome on Android - Exploit Writeup](https://docs.google.com/document/d/1tHElG04AJR5OR2Ex-m_Jsmc8S5fAbRB3s4RmTG_PFnw/edit)[article]\n* [Exploiting a V8 OOB write](https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/)[article]\n* [Pointer Compression in V8](https://blog.infosectcbr.com.au/2020/02/pointer-compression-in-v8.html)[article]\n* [Exploiting the Math.expm1 typing bug in V8](https://abiondo.me/2019/01/02/exploiting-math-expm1-v8/)[article]\n* [Exploiting an Accidentally Discovered V8 RCE](https://zon8.re/posts/exploiting-an-accidentally-discovered-v8-rce/)\n* [Escaping the Chrome Sandbox via an IndexedDB Race 
Condition](https://labs.bluefrostsecurity.de/blog/2019/08/08/escaping-the-chrome-sandbox-via-an-indexeddb-race-condition/)[article]\n* [Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox](https://labs.bluefrostsecurity.de/blog/2020/03/31/cve-2020-0041-part-1-sandbox-escape/)[article]\n* [Cleanly Escaping the Chrome Sandbox](https://theori.io/research/escaping-chrome-sandbox)[article]\n* [Escaping the Chrome Sandbox with RIDL](https://googleprojectzero.blogspot.com/2020/02/escaping-chrome-sandbox-with-ridl.html)[article]\n* [You Won't Believe what this One Line Change Did to the Chrome Sandbox](https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-one-line.html)[article]\n\n# IE\n## Basic\n* [Microsoft Edge MemGC Internals](https://hitcon.org/2015/CMT/download/day2-h-r1.pdf)[slides]\n* [The ECMA and the Chakra]( http://conference.hitb.org/hitbsecconf2017ams/materials/CLOSING%20KEYNOTE%20-%20Natalie%20Silvanovich%20-%20The%20ECMA%20and%20The%20Chakra.pdf)[slides]\n\n## Writeup and Exploit Tech\n* [2012 - Memory Corruption Exploitation In Internet Explorer](https://www.syscan360.org/slides/2012_ZH_MemoryCorruptionExploitationInInternetExplorer_MotiJoseph.pdf)[slides]\n* [2013 - IE 0day Analysis And Exploit](http://vdisk.weibo.com/s/dC_SSJ6Fvb71i)[slides]\n* [2014 - Write Once, Pwn Anywhere](https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf)[slides]\n* [2014 - The Art of Leaks: The Return of Heap Feng Shui](https://cansecwest.com/slides/2014/The%20Art%20of%20Leaks%20-%20read%20version%20-%20Yoyo.pdf)[slides]\n* [2014 - IE 11 0day \u0026 Windows 8.1 Exploit](https://github.com/exp-sky/HitCon-2014-IE-11-0day-Windows-8.1-Exploit/blob/master/IE%2011%200day%20%26%20Windows%208.1%20Exploit.pdf)[slides]\n* [2014 - IE11 Sandbox Escapes Presentation](https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf)[slides]\n* [2015 - Spartan 0day \u0026 
Exploit](https://github.com/exp-sky/HitCon-2015-spartan-0day-exploit)[slides]\n* [2015 - 浏览器漏洞攻防对抗的艺术 Art of browser Vulnerability attack and defense (Chinese)](http://www.secseeds.com/holes/yishufenxi.pdf)[slides]\n* [2016 - Look Mom, I don't use Shellcode](https://www.syscan360.org/slides/2016_SH_Moritz_Jodeit_Look_Mom_I_Dont_Use_Shellcode.pdf)[slides]\n* [2016 - Windows 10 x64 edge 0day and exploit](https://github.com/exp-sky/HitCon-2016-Windows-10-x64-edge-0day-and-exploit/blob/master/Windows%2010%20x64%20edge%200day%20and%20exploit.pdf)[slides]\n* [2017 - 1-Day Browser \u0026 Kernel Exploitation](http://powerofcommunity.net/poc2017/andrew.pdf)[slides]\n* [2017 - The Secret of ChakraCore: 10 Ways to Go Beyond the Edge](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Linan%20Hao%20and%20Long%20Liu%20-%20The%20Secret%20of%20ChakraCore.pdf)[slides]\n* [2017 - From Out of Memory to Remote Code Execution](https://speakerd.s3.amazonaws.com/presentations/c0a3e7bc0dca407cbafb465828ff204a/From_Out_of_Memory_to_Remote_Code_Execution_Yuki_Chen_PacSec2017_final.pdf)[slides]\n* [2018 - Edge Inline Segment Use After Free (Chinese)](https://blogs.projectmoon.pw/2018/09/15/Edge-Inline-Segment-Use-After-Free/)\n\n## Mitigation\n* [2017 - CROSS THE WALL-BYPASS ALL MODERN MITIGATIONS OF MICROSOFT EDGE](https://www.blackhat.com/docs/asia-17/materials/asia-17-Li-Cross-The-Wall-Bypass-All-Modern-Mitigations-Of-Microsoft-Edge.pdf)[slides]\n* [Browser security mitigations against memory corruption vulnerabilities](https://docs.google.com/document/d/19dspgrz35VoJwdWOboENZvccTSGudjQ_p8J4OPsYztM/edit)[references]\n* [Browsers and app specific security mitigation (Russian) part 1](https://habr.com/company/dsec/blog/310676/)[article]\n* [Browsers and app specific security mitigation (Russian) part 2](https://habr.com/company/dsec/blog/311616/)[article]\n* [Browsers and app specific security mitigation (Russian) part 
3](https://habr.com/company/dsec/blog/319234/)[article]\n\n# JSC\n## Basic\n* [JSC loves ES6](https://webkit.org/blog/7536/jsc-loves-es6/)[article] // multiple articles can be found within\n* [JavaScriptCore, the WebKit JS implementation](http://wingolog.org/archives/2011/10/28/javascriptcore-the-webkit-js-implementation)[article]\n* [saelo's Pwn2Own 2018 Safari + macOS](https://github.com/saelo/pwn2own2018)[exploit]\n* [WebKit \u0026 JSC Architecture Reading List - For Vulnerability Researchers](https://zon8.re/posts/jsc-architecture-reading-list-for-vulnerability-researchers/)\n\n## Writeup and Exploit Tech\n* [Attacking WebKit Applications by exploiting memory corruption bugs](https://docplayer.net/19835745-Attacking-webkit-applications-by-exploiting-memory-corruption-bugs-liang-chen-keenteam-chenliang0817.html)[slides]\n* [Vulnerability Discovery Against Apple Safari](https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/)[article]\n* [A Methodical Approach to Browser Exploitation - six part blog](https://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/)[article]\n* [Adventures on Hunting for Safari Sandbox Escapes](https://www.youtube.com/watch?v=fTNzylTMYks)[video]\n* [JITSploitation I: A JIT Bug](https://googleprojectzero.blogspot.com/)[article]\n* [JITSploitation II: Getting Read/Write](https://googleprojectzero.blogspot.com/2020/09/jitsploitation-two.html)[article]\n* [JITSploitation III: Subverting Control Flow](https://googleprojectzero.blogspot.com/2020/09/jitsploitation-three.html)[article]\n\n\n# Firefox\n## Basic\n* [SpiderMonkey Internals](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Internals)[article]\n* [JavaScript:New to SpiderMonkey](https://wiki.mozilla.org/JavaScript:New_to_SpiderMonkey)[article]\n\n## Writeup and Exploit Tech\n* [CVE-2018-5129: Out-of-bounds write with malformed IPC messages](https://infinite.loopsec.com.au/cve-2018-5129-how-i-found-my-first-cve)[article]\n* [Firefox 
Spidermonkey JS Engine Exploitation](https://blog.infosectcbr.com.au/2020/01/firefox-spidermonkey-js-engine.html)[article]\n\n# Misc\n## Browser Basic\n* [Sea of Nodes](https://darksi.de/d.sea-of-nodes/)[articles] // multiple articles can be found within\n* [LiveOverflow Browser Exploit Series](https://liveoverflow.com/tag/browser-exploitation/)[articles]\n* [Demystifying Browsers](https://textslashplain.com/2020/02/09/demystifying-browsers/)[articles]\n\n## Fuzzing\n* [The Power-Of Pair](https://www.blackhat.com/docs/eu-14/materials/eu-14-Lu-The-Power-Of-Pair-One-Template-That-Reveals-100-plus-UAF-IE-Vulnerabilities.pdf)[slides]\n* [Browser Fuzzing](https://www.syscan360.org/slides/2014_ZH_BrowserFuzzing_RosarioValotta.pdf)[slides]\n* [Taking Browsers Fuzzing To The Next (DOM) Level](https://docs.google.com/viewer?a=v\u0026pid=sites\u0026srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDo1MTgyOTgyYmUyYWY3MWQy)[slides]\n* [DOM fuzzer - domato](https://github.com/google/domato)[github]\n* [browser fuzzing framework - morph](https://github.com/walkerfuz/morph)[github]\n* [browser fuzzing and crash management framework - grinder](https://github.com/stephenfewer/grinder)[github]\n* [Browser Fuzzing with a Twist](http://2015.zeronights.org/assets/files/16-Brown.pdf)[slides]\n* [Browser fuzzing - peach](https://wiki.mozilla.org/Security/Fuzzing/Peach)[wiki]\n* [从零开始学Fuzzing系列：浏览器挖掘框架Morph诞生记 Learn Fuzzing from Very Start: the Birth of Browser Vulnerability Detection Framework Morph(Chinese)](https://www.freebuf.com/sectool/89001.html)[article]\n* [BROWSER FUZZING IN 2014:David vs Goliath](https://www.syscan360.org/slides/2014_EN_BrowserFuzzing_RosarioValotta.pdf)[slides]\n* [A Review of Fuzzing Tools and Methods](https://dl.packetstormsecurity.net/papers/general/a-review-of-fuzzing-tools-and-methods.pdf)[article]\n\n## Writeup and Exploit Tech\n* [it-sec catalog browser exploitation chapter](https://www.it-sec-catalog.info/browser_exploitation.html)[articles]\n* [2014 - 
Smashing The Browser: From Vulnerability Discovery To Exploit](https://hitcon.org/2014/downloads/P1_06_Chen%20Zhang%20-%20Smashing%20The%20Browser%20-%20From%20Vulnerability%20Discovery%20To%20Exploit.pdf)[slides]\n* [smash the browser](https://github.com/demi6od/Smashing_The_Browser)[github]\n\n## Collections\n* [uxss-db](https://github.com/Metnew/uxss-db)\n* [js-vuln-db](https://github.com/tunz/js-vuln-db)\n\n# Thanks\n* 0x9a82\n* [swing](https://github.com/WinMin)\n* [Metnew](https://github.com/Metnew)\n* [AlirezaChegini](https://github.com/AlirezaChegini)\n* [RobertLarsen](https://github.com/RobertLarsen)\n","created_at":"2024-01-07T06:38:14.114Z","updated_at":"2026-04-03T10:00:23.518Z","primary_language":null,"list_of_lists":false,"displayable":true,"categories":["Writeup and Exploit Tech","Basic","Mitigation","Browser Basic","Fuzzing","Collections"],"sub_categories":[],"projects_url":"https://awesome.ecosyste.ms/api/v1/lists/escapingbug%2Fawesome-browser-exploit/projects"}