Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.
Awesome Lists | Featured Topics | Projects
https://github.com/cezary-sec/awesome-browser-security

A curated list of awesome browser security learning material.
https://github.com/cezary-sec/awesome-browser-security
List: awesome-browser-security
Last synced: 3 months ago
JSON representation
A curated list of awesome browser security learning material.
Host: GitHub
URL: https://github.com/cezary-sec/awesome-browser-security
Owner: cezary-sec
License: cc0-1.0
Created: 2022-07-16T15:57:27.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2022-11-20T10:12:27.000Z (almost 2 years ago)
Last Synced: 2024-08-09T17:27:09.959Z (3 months ago)
Size: 54.7 KB
Stars: 126
Watchers: 6
Forks: 13
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project

ultimate-awesome - awesome-browser-security - A curated list of awesome browser security learning material. . (Other Lists / PowerShell Lists)
README

        # Awesome browser security

A curated list of awesome browser security learning material. 

## 0. Scoping philosophy

The overarching goal of this document is to provide a list of materials to consume to get a good understanding of browser security. 

Contributions are welcome. Please file one PR per change. 

### In scope

* Security of the browser product. 

* Web security issues involving a browser. 

### Out of scope

* Web privacy issues. 

* Server-side web security issues. 

### Preferred sources

* High-quality, in-depth introductory materials. 

* Source materials. 

* Important research papers. 

* Docs available online for free. 

## 1. General introductions

_Good starting points._

* [Chromium security website](https://www.chromium.org/Home/chromium-security/) - lots of useful documents that will paint you a good picture of this highly nuanced domain. 

* [Chrome University](https://www.youtube.com/watch?v=kNzoswFIU9M&list=PLNYkxOF6rcICgS7eFJrGDhMBwWtdTgzpx) (2019) - YT playlist of introductory talks on various aspects of Chromium development. Talks on security, browser's anatomy, mojo, and browser's process are must-have. 

* [Web Browser Engineering](https://browser.engineering/) by [Pavel Panchekha](https://pavpanchekha.com/) & [Chris Harrelson](https://twitter.com/chrishtr). 

* [High Performance Browser Networking](https://hpbn.co/) (2013) by [Ilya Grigorik](https://twitter.com/igrigorik) - free book on browser networking. 

* _The Tangled Web_ (2011) by [Michal Zalewski](https://twitter.com/lcamtuf) - a bit dated, but still mostly relevant. 

* _The Web Application Hacker's Handbook_ (2011) by Dafydd Stuttard - dated, but interesting. 

### Architecture

_How browser's architecture supports security._

* [The Security Architecture of the Chromium Browser](https://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf) (2008). 

* [Mojo](https://chromium.googlesource.com/chromium/src.git/+/master/mojo/README.md). 

### Security assessments

_Publicly available security assessments of browsers._

* [Cure53 Browser Security White Paper](https://cure53.de/browser-security-whitepaper.pdf) (2017) by [Cure53](https://cure53.de/). 

* [X41 Browser Security White Paper](https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf) (2017) by [X41 D-Sec](https://x41-dsec.de/). 

### Key concepts

_Formal definitions, known issues, state-of-the-art._

* [Public Suffix List (PSL)](https://publicsuffix.org/learn/) - what PSL is and what are its known use cases. 

* [Public Suffix List Problems](https://github.com/sleevi/psl-problems) (2019) by [Ryan Sleevi](https://twitter.com/sleevi_) - excellent article on why PSL should be discontinued. 

* [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, DOI 10.17487/RFC6454, December 2011, .

* [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, DOI 10.17487/RFC6265, April 2011, .

* [RFC6265bis] Chen, L., Englehardt, S., West, M., Wilander, J., "Cookies: HTTP State Management Mechanism", . 

* [HTTP State Tokens](https://mikewest.github.io/http-state-tokens/draft-west-http-state-tokens.html) - interesting statement on the tragedy of cookies and how it could be solved. 

## 2. Security challenges and corresponding mitigations

### Memory safety

_Root cause for ~70% of browser's bugs_. 

* [Introduction to Chromium's memory safety](https://www.chromium.org/Home/chromium-security/memory-safety/). 

* [V8 Sandbox - External Pointer Sandboxing](https://docs.google.com/document/d/1V3sxltuFjjhp_6grGHgfqZNK57qfzGzme0QTk0IXDHk/edit#heading=h.xzptrog8pyxf) (2022)  - new hardening measures for V8. 

* [MiraclePtr One Pager](https://docs.google.com/document/d/1pnnOAIz_DMWDI4oIOFoMAqLnf_MZ2GsrJNb_dbQ3ZBg/edit) (2021). 

* [MiraclePtr The UaF Slayer [BlinkOn 16]](https://www.youtube.com/watch?v=WhI1NWbGvpE) (2022). 

* [PartitionAlloc Design](https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/PartitionAlloc.md). 

* [Experimenting with Rust in Chromium](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/rust-toolchain.md). 

* [Retrofitting Temporal Memory Safety on C++](https://security.googleblog.com/2022/05/retrofitting-temporal-memory-safety-on-c.html) (2022). 

### Spectre

_How Spectre affected browser's security._ 

* Chromium's [Post-Spectre Threat Model Re-Think](https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md). 

* [What Spectre and Meltdown Mean For WebKit](https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/) by [Filip Pizlo](https://twitter.com/filpizlo). 

* [Post-Spectre Web Development](https://www.w3.org/TR/post-spectre-webdev/), W3C First Public Working Draft, 16 March 2021. 

* [A Spectre-shaped Web](https://docs.google.com/presentation/d/1sadl7jTrBIECCanuqSrNndnDr82NGW1yyuXFT1Dc7SQ/edit#slide=id.p) by [Anne van Kesteren](https://twitter.com/annevk). 

* [CORB](https://www.chromium.org/Home/chromium-security/corb-for-developers/). 

### Transport security

_Mitigating active and passive network attackers._

* [Certificate Transparency in Google Chrome: Past, Present, and Future](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9592820) (2021). 

* [Mixed content](https://www.w3.org/TR/mixed-content/), W3C Candidate Recommendation Draft, 4 October 2021. 

* [Subresource Integrity](https://www.w3.org/TR/SRI/), W3C Recommendation 23 June 2016. 

* [Upgrade Insecure Requests](https://www.w3.org/TR/upgrade-insecure-requests/), W3C Candidate Recommendation, 8 October 2015. 

### Cross Site Scripting (XSS)

_Attacks on the integrity of JavaScript code._

* [Cross-site scripting](https://portswigger.net/web-security/cross-site-scripting) - good introduction to the problem. 

* [Content Security Policy 1.0](https://www.w3.org/TR/CSP1/), W3C Working Group Note 19 February 2015. 

* [Content Security Policy Level 2](https://www.w3.org/TR/CSP2/), W3C Recommendation, 15 December 2016. 

* [Trusted Types](https://w3c.github.io/webappsec-trusted-types/dist/spec/), Editor’s Draft, 1 June 2022. 

* [HTML Sanitizer API](https://wicg.github.io/sanitizer-api/), Draft Community Group Report, 13 July 2022. 

### Cross Site Request Forgery (CSRF)

_Abusing cookie-based session management to forge requests._

* [Cross-site request forgery (CSRF)](https://portswigger.net/web-security/csrf) - good introduction to the problem. 

* [RFC6265bis] Chen, L., Englehardt, S., West, M., Wilander, J., "Cookies: HTTP State Management Mechanism",  - particularly section on SameSite attribute. 

### Cross Site Leaks (XS-Leaks)

_Using side channels to leak bits of data cross-site._

* [xsleaks.dev](https://xsleaks.dev) - one stop shop for XS-Leaks. 

* [COOP and COEP sections in the HTML Living Standard](https://html.spec.whatwg.org/multipage/origin.html). 

* [XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers](https://xsinator.com/paper.pdf). 

* [Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript](https://gruss.cc/files/fantastictimers.pdf). 

### Extensions

_Security of the extension ecosystem._

* [An Evaluation of the Google Chrome Extension Security Architecture](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final177_0.pdf) (2012). 

* [Cursed Chrome](https://github.com/mandatoryprogrammer/CursedChrome) - a Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies. By using the proxies this tool creates you can browse the web authenticated as your victim for all of their websites. 

### URL bar security

_Users must know which website is displayed._

* [Internationalized Domain Names (IDN) in Google Chrome](https://chromium.googlesource.com/chromium/src/+/main/docs/idn.md). 

### Private Network Access

_Abusing browsers to attack private networks._

* [Private Network Access](https://wicg.github.io/private-network-access/), Draft Community Group Report, 23 February 2022. 

* [How to win at CORS](https://jakearchibald.com/2021/cors/) (2021) by [Jake Archibald](https://twitter.com/jaffathecake). 

## 3. Attacks on browsers 

_Fuzzing and browser exploitation._

* [Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals](https://jhalon.github.io/chrome-browser-exploitation-1/) (2022) by [Jack Halon](https://twitter.com/jack_halon). 

* [Chrome Browser Exploitation, Part 2: Introduction to Ignition, Sparkplug and JIT Compilation via TurboFan](https://jhalon.github.io/chrome-browser-exploitation-2/) (2022) by [Jack Halon](https://twitter.com/jack_halon). 

* [OffensiveCon22 - Samuel Gross and Amanda Burnett - Attacking JavaScript Engines in 2022](https://www.youtube.com/watch?v=FK2-1FAbbXA) (2022). 

* [Browser security YT playlist](https://www.youtube.com/playlist?list=PLa-iO6ehPFJhcRggmOu5kUv60vqF9CDOk) by Fuzzing Labs - [Patrick Ventuzelo](https://twitter.com/Pat_Ventuzelo). 

* [In-the-Wild Series: Chrome Exploits](https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html) (2021) by Sergei Glazunov. 

* [Awesome browser exploit](https://github.com/Escapingbug/awesome-browser-exploit) (last update 2020) - collection of various materials on browser exploitation. 

## 4. Misc

* Series on the history of front-end security. [Part 1. The Same Origin Policy](https://www.youtube.com/watch?v=bSJm8-zJTzQ), [Part 2. The Three JavaScript Hacking Legends](https://www.youtube.com/watch?v=VtcA58555lY), [Part 3. The Age of Universal XSS](https://www.youtube.com/watch?v=gVblb-QhZa4) by [LiveOverflow](https://twitter.com/LiveOverflow). 

* [Web Application Security Working Group's repo](https://github.com/w3c/webappsec). 

* [Browser security research](https://github.com/security-prince/Browser-Security-Research/). 

## 5. Contributors

* [Diego Porras](https://www.linkedin.com/in/daporras/). 

* Łukasz Bendig.