Practical Web Browser Fuzzing


Instructors: Patrick Ventuzelo
Dates: May 30-June 2 2022
Location: Hilton Double Tree
Capacity: 20 Seats


Web browsers are among the most widely used and critical pieces of software in the world. Built from millions of lines of code, they are in charge of handling, sanitizing, and interpreting all kinds of (untrusted) data coming from the web. To be honest, it’s just impossible for developers to write such complex pieces of software (involving compilers, interpreters, and parsing libraries) without introducing any bugs.

 

As shown in recent years, fuzz testing is by far the most efficient and scalable testing technique to find software bugs. In this training, we will apply fuzzing to find critical vulnerabilities in different web browser implementations.

 

First, this course will give you all the prerequisites to understand the architecture and major components of modern web browsers. Then, you will create and set up a testing environment allowing you to easily replay, debug, minimize and analyze existing issues, CVEs, and PoCs. Over dedicated modules, you will discover and fuzz the main browser components such as DOM, JS engines, JIT compilers, WebAssembly, IPC. You will learn how to use famous tools (Domato, Dharma, Fuzzilli, Frida) and create your custom fuzzers to apply different fuzzing techniques (coverage-guided, grammar-based, in-process fuzzing) to find vulnerabilities/bugs.

 

A lot of hands-on exercises will allow you to internalize concepts and techniques taught in class. This course will mainly focus on Google Chrome, Firefox, and WebKit/JSC. 


 


KEY LEARNING OBJECTIVES

WHO SHOULD ATTEND

COURSE TOPICS

MODULE 1: INTRODUCTION TO BROWSER FUZZING



MODULE 2: FUZZING DOM & RENDERING ENGINES 


MODULE 3: FUZZING JAVASCRIPT ENGINES & JIT COMPILERS 


MODULE 4: FUZZING WEBASSEMBLY COMPILERS & APIs


MODULE 5: FUZZING IPC AND OTHER COMPONENTS


 


Class Requirements

Prerequisites:


Familiarity with scripting (Python, Bash) and Linux 

Familiarity with C/C++ and JavaScript

SKILL LEVEL: BEGINNER / INTERMEDIATE


 

 


LAPTOP REQUIREMENTS 


A working laptop capable of running virtual machines

8GB RAM required, at a minimum 

80 GB free Hard disk space 

VirtualBox

Administrator/root access MANDATORY


Bio

Patrick Ventuzelo is a senior security researcher and the founder of Fuzzinglabs. After working for the French Ministry of Defense, he specialized in fuzzing, vulnerability research, and reverse engineering. Over the years, Patrick has found hundreds of bugs and published various blog posts/videos/tools on topics like Rust, Go, Blockchain, WebAssembly, and Browser security. Patrick is a regular speaker and trainer at various security conferences around the globe, including HITB, REcon, RingZer0, ToorCon, hack.lu, NorthSec, SSTIC, and others.

