# Environment setup for Browser Exploitation

The recommended stats are the following

* Ubuntu 22.04
* 16 GB of RAM
* CPU with 8 Cores

These should be enough to compile and run everything we need.

#### Building Browsers

Chrome and Safari are open source so we can download and build our own copies to debug without having to reverse engineer anything.

There are generally two build flavors: Release and Debug

* Debug
  * Binaries have all debug info and symbols and are larger in size because of that
  * Debug Asserts are present
  * Additional debugging tools are provided
* Release
  * Binaries are smaller in size
  * No Debug Asserts

{% hint style="warning" %}
Debug Asserts might block vulnerabilities and make it harder to write a functioning exploit.
{% endhint %}

#### Building Chrome

The Chromium source tree is about 30GB of code in debug build, generally it's recommended to have 40GB of free space just for source and an additional 20GB for the release build.

Here are some useful links

* Overall location: <https://chromium.googlesource.com>
* Src Tree: <https://chromium.googlesource.com/chromium/src.git>
* Github V8 Mirror: <https://github.com/v8/v8>
* DEPS file: <https://chromium.googlesource.com/chromium/src.git/+/refs/heads/master/DEPS>

These are not the complete code as Chromium pulls a rather large amount of components from other locations. If we have a running Chrome instance we can view its version by visiting `about:version`.

To pull the Chromium code we'll need to install the [Depot Tools](https://chromium.googlesource.com/chromium/tools/depot_tools.git) (30GB of space)

```bash
mkdir chromium && cd chromium && fetch --nohooks chromium # get the initial code
cd src && gclient sync # do whenever you checkout a different version
```

and install the dependencies

```bash
./build/install-build-deps.sh
gclient runhooks
```

Then we can generate the build file

```bash
gn gen out/Default
```

and chose the build variables

```bash
gn args out/Default
```

We can configure more of these options

```bash
is_debug=[true|false] # change the build type to debug or release
symbol_level=[0|1|2] # change how many symbols are included
blink_symbol_level=0 # include to remove blink symbols
```

If we only want to build Chrome we can run

```bash
ninja -C ./out/Default/ chrome
```

or if we just want a standalone V8 shell we can use the following

```bash
mkdir v8 && cd v8 && fetch --nohooks v8
gclient sync --with_branch_heads  # run anytime you change v8 version
cd v8 && ./build/install-build-deps.sh

# first time build
tools/dev/gm.py x64.release
# or 
tools/dev/gm.py x64.debug

# rebuilding
ninja -C ./out/x64.release d8

./out/x64.release/d8
```

#### Building WebKit

WebKit is much smaller in size so about 20GB of free space should be enough for the build.

WebKit is tracked with SVN instead of git: <https://trac.webkit.org/browser#webkit/branches> If targeting Safari, find branch version in about menu:

![](https://i.imgur.com/lHyuikp.png)

To download the code we could download it from SVN which is slow, or download the archive of the repository directly from [here](https://s3-us-west-2.amazonaws.com/archives.webkit.org/WebKit-SVN-source.tar.bz2); then we select the branch

```bash
tar xfv WebKit-SVN-source.tar.bz2 && cd webkit
svn switch https://svn.webkit.org/repository/webkit/branches/safari-<branch-here>
```

{% hint style="warning" %}
Safari branches sometimes have issues being built, so we will just use trunk
{% endhint %}

Safari is for macOS and it's not available on Linux and Safari branches don't support GTK so we can build WebKit for UNIX using MiniBrowser. First of all we'll install the dependencies

```bash
Tools/gtk/install-dependencies
Tools/Scripts/update-webkitgtk-libs
```

and start the build

```bash
# chose a mode
./Tools/Scripts/set-webkit-configuration --debug # for debug
./Tools/Scripts/set-webkit-configuration --release # for release

./Tools/Scripts/build-webkit --gtk --cmakeargs="-GNinja" --no-bubblewrap-sandbox MiniBrowser

# to run
Tools/Scripts/run-minibrowser --gtk
```

In order to build JavaScriptCore we'll use

```bash
./Tools/Scripts/set-webkit-configuration --debug # for debug
./Tools/Scripts/set-webkit-configuration --release # for release

Tools/Scripts/build-webkit --jsc-only --cmakeargs="-GNinja" jsc
./WebKitBuild/Release/bin/jsc
```

To run WebKit with ASAN (Address Sanitizer), which will try to detect corruption and UAFs, we will need

```bash
./Tools/Scripts/set-webkit-configuration --asan --debug
./Tools/Scripts/build-webkit --gtk --cmakeargs="-GNinja" MiniBrowser
```

*Unified Builds* combine source to speed up the compilation process, they're good for building but bad for debugging so we should disable JSC if needed keeping in mind that this will make the build process much slower

```
-DENABLE_UNIFIED_BUILDS=OFF
```

#### Code Browsing

* Chromium sourecode: <https://cs.chromium.org/chromium/>
* WebKit (JSC): <http://ret2-webkit-woboq.s3-website-us-east-1.amazonaws.com/jsc/jsc/>

#### Debugging the processes

To debug the browsers we need to find the right processes to attach to:

* Chrome: to start a Chrome process for debugging use the following flags

```
--no-sandbox --renderer-startup-dialog --disable-hang-monitor
```

When attaching a debugger like GDB to it we'll see

```
[10506:10506:0904/174115:2537132352130:ERROR:child_process.cc(131)]
Renderer (10506) paused waiting for debugger to attach. Send SIGUSR1 to unpause.
```

so to resume the process' execution we'll send the right signal and continue

```
gdb -p 10506
(gdb) signal SIGUSR1
(gdb) c
```

{% hint style="info" %}
Because of its size, fully debugging Chrome can be extremely slow; a way to get around that is to use `gdb-add-index` to cache debugging symbols or directly debugging the release build where symbols are completely missing.
{% endhint %}

* WebKit: WebKit processes are much easier to find in the output of a command like `ps fa`, in this case we want to attack to the first `WebKitWebProcess` entry on the list

There are also some GDB debugging scripts we can use that take advantage of some special debugging commands some JS engines use (in debug builds)

* [Chrome GDB helper code library](https://chromium.googlesource.com/chromium/src/+/master/docs/gdbinit.md)
* [WebKit GDB helper script](https://github.com/WebKit/webkit/tree/master/Tools/gdb)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://otter.gitbook.io/red-teaming/notes/binary-exploitation/environment-setup-for-browser-exploitation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.