🦦
Otter's Notes
  • Introduction
  • Articles
    • Dumping data from the Microsoft Recall folder
    • Gaining persistence on Windows with Time Providers
    • Reverse engineering LSASS to decrypt DPAPI keys
    • Intro to Hypervisor Implants
    • In-depth Windows Telemetry
  • Notes
    • Active Directory
      • Active Directory Structure
      • Active Directory Terminology
      • Active Directory Objects
      • Active Directory Groups
      • Active Directory Functionality
      • Active Directory Protocols
      • Active Directory Rights and Privileges
      • Security in Active Directory
      • Users and Machine Accounts
      • NTLM
      • LDAP
      • Making a Target User List
      • Enumerating & Retrieving Password Policies
      • Enumerating Security Controls
      • Examining Group Policy
      • GPOs
      • LAPS
      • LLMNR & NBT-NS Poisoning
      • LOLBIN Enumeration
    • AAD
      • Useful Links
      • Overview of Azure & M365
      • Enumerate Users and Domains
      • Post-exploitation Reconnaissance
      • OAuth 2.0 Abuse
      • Abusing Device Code Authentication
      • Abusing Cloud Administrator Role
      • Abusing User Administrator Role
      • AAD Federated Backdoor
      • Service Principal Abuse
      • Compromising Azure Blobs and Storage Accounts
      • Malicious Device Join
      • Disabling Auditing (Unified Audit Logs)
      • Spoofing Azure Sign-In Logs
      • Registering Fake Agents for Log Spoofing
      • Pass the PRT
      • Pass the Cookie
      • Abusing Managed Identities
      • Virtual Machine Abuse
      • Attacking Key Vaults
    • Forest Trust Abuse
      • Parent-Child Trust Abuse
      • One-Way Inbound Trust Abuse
      • Foreign Group Membership
      • Foreign ACL Principals
      • SID History
      • SID Filter Bypass
      • Intra-Forest Attacks
        • Configuration Naming Context Replication
        • ADCS NC Replication Attack
        • GPO On-Site Attack
        • GoldenGMSA Attack
        • DNS Trust Attack
      • Cross-Forest Attacks
        • Trust Account Attack
        • Abusing SQL Linked Servers
        • Abusing PAM Trusts
    • Kerberos
      • Overview of Kerberos Authentication
      • Silver Tickets
      • Golden Tickets
      • Diamond Tickets
      • Kerberoasting
      • AS-REPRoasting
      • Resource-Based Constrained Delegation
      • Constrained Delegation
      • Unconstrained Delegation
      • S4U2Self & S4U2Proxy
      • Golden Certificates
    • DACL Abuse
      • DACL Overview
      • DACLs Enumeration
      • AddMembers
      • GPO Attacks
      • Granting Rights and Ownership
      • Logon Scripts
      • NoPAC
      • Password Abuse
      • SPN Jacking
      • Shadow Credentials
      • Targeted Kerberoasting
    • ADCS
      • Introduction to ADCS
      • ESC1
      • ESC2
      • ESC3
      • ESC4
      • ESC5
      • ESC6
      • ESC7
      • ESC8
      • ESC9
      • ESC10
      • ESC11
      • Certificate Mapping
    • PowerShell
      • PowerShell Basics
      • PowerShell Remoting
      • Alternate PowerShell Hosts
      • PowerShell Pipeline Runners
      • PowerShell Code Signing
      • Scriptblock Logging
      • PowerShell CLM
      • AMSI
      • PowerShell Reflection
      • WMI - Windows Management Instrumentation
      • Interfacing with AD
      • PowerShell Snippets
        • Bypass application whitelisting and CLM with runscripthelper and WMI
        • Create fake PowerShell logs
        • Enumerate AD ACLs
        • Enumerate WMI events
        • Enumerate Domain Trusts
        • Enumerate change metadata
        • Enumerate non-signed service binaries
        • Enumerate with GPOs
        • Find signed alternate PowerShell hosts
        • Get AMSI module
        • Group processes by user with WMI
        • Hide processes from Get-Process
        • Malware re-purposing with PowerShell reflection
        • Monitor PowerShell hosts with WMI
        • PowerShell reflection offensive use-case
        • Query PowerShell alternative hosts with WMI
        • Retrieve file certificate
        • Search LDAP for misconfigurations
        • Sign custom code with PowerShell
        • WMI service creation
        • Weak folder permission enumeration
    • AWS
      • AWS Organizations
      • AWS Principals
    • Binary Exploitation
      • Environment setup for Browser Exploitation
      • Browser Overview and Components
    • Kernel Development
      • Windows
        • Configuring a VM for driver development
Powered by GitBook
On this page
  1. Notes
  2. Binary Exploitation

Browser Overview and Components

PreviousEnvironment setup for Browser ExploitationNextKernel Development

Last updated 4 months ago

Browsers like Chrome and Safari are have an estimated user base of more than 3 billion monthly active users with Chrome being at ~60% of the user-base and Safari having ~17%.

Chrome uses the Blink Rendering Engine and V8 JS Engine while Safari relies on the Webkit Webcore Rendering Engine and JavaScriptCore JS Engine. These browser's complexity rivals the OS they run on with Chromium standing at 44 millions LOC and Webkit having around 32 millon.

So the question is: here do you even start to find bugs in software this big? To do it you need to brake it down into smaller parts.

Browser Stack

Browsers are built up on layered components

Browsers Processes

Browsers are separated into many processes with security boundaries; we can see them in programs like Task Manager or ps. If we do so we'll see that most processes have a --type=renderer flag which makes them a renderer process: these processes are in charge of processing, executing and displaying the requested web pages (which is why they are sometimes called Content Processes).

This makes the renderer processes the first target of a full-chain browser exploit and that's why they are sandboxes to help protect users from RCE.

In Chrome we can see a breakdown of the different kinds of processes

  • Main Browser processes

  • Tab processes

  • Extension processes

  • GPU processes

It's possible or tabs to share the same process.

The following is the general architecture browser processes follow

Web Standards & Specifications

  • ...

What WebIDL does is defining an API over browser components and convert them into C++ code before compiling, this makes it so components can include header files to interface and both Chrome and Safari can use WebIDL.

Safari

The Safari Browser wraps WebKit with some added OS X specifics.

Webkit originated from KHTML in 2001 within Apple

  • Open-sourced around 2005

  • Managed though SVN

Primary components are WebCore and JavaScriptCore

  • WebCore is the rendering engine

  • JavaScriptCore is the JavaScript engine

Chrome

Chrome uses the Chromium browser engine, released open-source in 2008 by Google.

Rendering engine called Blink

  • Originally used WebCore, forked to blink in 2013

JavaScript engine called V8

  • Originated with the first chrome version in 2008

W3C - ,

WHATWG - , , , , ...

ECMA -

WebIDL (or ) is another specification browser components need to interface with other components and we can see an example of how it works

HTML related standards
CSS
HTML
DOM
Fetch
URL
JavaScript standards
Web Interface Definition Language
here