Zon8 Research

We've collated a set of V8 Vulnerability PoCs from external researchers and ClusterFuzz. These may be useful for those researching V8, all in a single Git repo, easy to import into your fuzzing corpus. zon8.re/posts/v8-vulne…

Just Posted: A Three Part Deep Dive on JavaScriptCore's DFG. Perfect for those learning to exploit JIT bugs. zon8.re/posts/jsc-part… zon8.re/posts/jsc-part… zon8.re/posts/jsc-part…

To close out 2020, we bring you JavaScriptCore Internals Part 2, a guide on Llint and baseline JIT for exploit development. zon8.re/posts/jsc-inte… We wish all a Happy New Year. May 2021 bring you shells o' plenty. But above all the chance to reunite with friends ✌️

JavaScriptCore Internals Part 1 - Tracing Source to Bytecode: In this series we look at the areas of Webkit's JavaScript engine relevant for vulnerability research. zon8.re/posts/jsc-inte…

Want to learn how to break browsers and JavaScript engines? Watch these conference talks or read these articles to get up to speed with browser vulnerability research and exploitation. The JavaScript Engine Fuzzing and Exploitation Reading List. zon8.re/posts/javascri…

Self Isolated? Nothing to pwn? Why not take a look at our V8 & Chrome architecture reading list, tailored for security researchers looking to learn the internals of Chrome and V8. zon8.re/posts/v8-chrom…

Draft patch published for [JSC] Cage JIT pointers to the JIT region. Will this make JSC/WebKit exploitation harder? We'll see. Tracker: bugs.webkit.org/show_bug.cgi?i… Patch: bugs.webkit.org/attachment.cgi…

Exploiting an accidentally discovered V8/Chrome RCE zon8.re/posts/exploiti…

JSC / WebKit Architecture Reading List - For Vulnerability Researchers zon8.re/posts/jsc-arch…