Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-browser-security
A curated list of awesome browser security learning material.
https://github.com/cezary-sec/awesome-browser-security
1. General introductions
Preferred sources
- Chromium security website - lots of useful documents that will paint you a good picture of this highly nuanced domain.
- Chrome University - YT playlist of introductory talks on various aspects of Chromium development. The talks on security, the browser's anatomy, Mojo, and the browser process are must-sees.
- Web Browser Engineering
- High Performance Browser Networking - free book on browser networking.
- Michal Zalewski - a bit dated, but still mostly relevant.
Architecture
Security assessments
- Cure53 Browser Security White Paper
- X41 Browser Security White Paper - by [X41 D-Sec](https://x41-dsec.de/).
Key concepts
- Public Suffix List (PSL) - what the PSL is and what its known use cases are.
- HTTP State Tokens - interesting statement on the tragedy of cookies and how it could be solved.
- Public Suffix List Problems - excellent article on why PSL should be discontinued.
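The two PSL entries above are about a single mechanism: browsers decide what a "site" is, and which `Domain` a cookie may be scoped to, by looking up the registrable domain (eTLD+1) in the Public Suffix List. The following example is added here and is not code from the list or from any of the linked projects. It implements the PSL matching algorithm (wildcard `*` and exception `!` rules, longest match wins) over a small constructed excerpt of rules, and uses it for the two checks a browser makes: same-site comparison and the cookie `Domain` attribute check. The excerpt is constructed for illustration; a real implementation must consume the published list.

```javascript
// Constructed PSL excerpt in the real list's rule syntax (not the full list).
const PSL_EXCERPT = [
  "com",
  "uk",
  "co.uk",     // longer rule wins over "uk" for *.co.uk hosts
  "*.ck",      // wildcard: any single label directly under "ck" is a public suffix ...
  "!www.ck",   // ... except "www.ck", which is registrable (exception rule)
  "github.io", // private-section style entry: every user site is its own site
];

function parseRule(rule) {
  const exception = rule.startsWith("!");
  const labels = (exception ? rule.slice(1) : rule).split(".");
  return { exception, labels };
}

// A rule matches a host if the rule's labels equal the host's trailing labels,
// with "*" matching any single label.
function ruleMatches(ruleLabels, hostLabels) {
  if (ruleLabels.length > hostLabels.length) return false;
  for (let i = 1; i <= ruleLabels.length; i++) {
    const r = ruleLabels[ruleLabels.length - i];
    const h = hostLabels[hostLabels.length - i];
    if (r !== "*" && r !== h) return false;
  }
  return true;
}

// Public suffix per the publicsuffix.org algorithm: an exception rule prevails
// over everything, otherwise the rule with the most labels; with no match the
// implicit rule "*" applies (the last label is the suffix).
function publicSuffix(host, rules = PSL_EXCERPT) {
  const hostLabels = host.toLowerCase().split(".");
  let prevailing = null;
  for (const rule of rules.map(parseRule)) {
    if (!ruleMatches(rule.labels, hostLabels)) continue;
    if (rule.exception) { prevailing = rule; break; }
    if (!prevailing || rule.labels.length > prevailing.labels.length) prevailing = rule;
  }
  if (!prevailing) prevailing = { exception: false, labels: ["*"] };
  // An exception rule's suffix is the rule minus its leftmost label.
  const n = prevailing.labels.length - (prevailing.exception ? 1 : 0);
  return hostLabels.slice(hostLabels.length - n).join(".");
}

// Registrable domain (eTLD+1): public suffix plus one more label, or null when
// the host itself is a public suffix (e.g. "github.io", "com").
function registrableDomain(host, rules = PSL_EXCERPT) {
  const hostLabels = host.toLowerCase().split(".");
  const suffixLen = publicSuffix(host, rules).split(".").length;
  if (hostLabels.length <= suffixLen) return null;
  return hostLabels.slice(hostLabels.length - suffixLen - 1).join(".");
}

// "Same site" as used by SameSite cookies and site isolation: equal eTLD+1.
function sameSite(hostA, hostB, rules = PSL_EXCERPT) {
  const a = registrableDomain(hostA, rules);
  const b = registrableDomain(hostB, rules);
  return a !== null && a === b;
}

// Cookie Domain attribute check: the request host must domain-match the
// attribute, and the attribute must not itself be a public suffix, otherwise
// alice.github.io could set a cookie that bob.github.io receives.
function cookieDomainAllowed(requestHost, domainAttr, rules = PSL_EXCERPT) {
  const req = requestHost.toLowerCase();
  const dom = domainAttr.toLowerCase().replace(/^\./, "");
  const domainMatches = req === dom || req.endsWith("." + dom);
  if (!domainMatches) return false;
  return publicSuffix(dom, rules) !== dom;
}
```

Note the `github.io` entry: it is exactly the kind of private-section rule that lets a hosting provider keep its customers isolated from each other, and it is also why the second article above argues that a central, manually curated list is a poor place for such policy.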
2. Security challenges and corresponding mitigations
Memory safety
Spectre
Transport security
Cross Site Scripting (XSS)
- Cross-site scripting - good introduction to the problem.
- Content Security Policy 1.0
- Content Security Policy Level 2
- Trusted Types
- HTML Sanitizer API
Cross Site Request Forgery (CSRF)
- Cross-site request forgery (CSRF) - good introduction to the problem.
Cross Site Leaks (XS-Leaks)
Extensions
- An Evaluation of the Google Chrome Extension Security Architecture
- Cursed Chrome - a Chrome-extension implant that turns victim Chrome browsers into fully functional HTTP proxies. Using the proxies this tool creates, you can browse the web authenticated as the victim on all of their websites.
URL bar security
Private Network Access
3. Attacks on browsers
- Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals
- Chrome Browser Exploitation, Part 2: Introduction to Ignition, Sparkplug and JIT Compilation via TurboFan
- OffensiveCon22 - Samuel Gross and Amanda Burnett - Attacking JavaScript Engines in 2022
- Browser security YT playlist - by [Patrick Ventuzelo](https://twitter.com/Pat_Ventuzelo).
- In-the-Wild Series: Chrome Exploits
- Awesome browser exploit - collection of various materials on browser exploitation.
4. Misc
- Part 1. The Same Origin Policy - by [LiveOverflow](https://twitter.com/LiveOverflow).
- Web Application Security Working Group's repo
- Browser security research
5. Contributors