The discussion flow would start from the importance of browsers, need for security within it, my research and vulnerabilities found, and finally demonstration of zero day, apart from other exploits and attacks, against browsers. The talk would conclude with a discussion around remediation efforts to protect against such attacks.
Over the years reliance on browsers has increased many folds. The features provided by browsers, along with its numerous extensions and components, browsers have seen a humongous increase in the number of users using it to browse different services. This provides a huge attack base to “research” and identify potential vulnerabilities which can be exploited in order to improve defensive controls.
The talk I will be presenting is entirely my own work of research. While identifying vulnerabilities in web applications and participate in various bug bounty programs is interesting, I enjoy targeting platforms which are less popular as research topics. Having said that, while security for browsers is a known topic, I’ve been able to identify, through my research, several vulnerabilities which will help secure it further.
The issues I will be talking about are completely within three specific domains – SOP, RCE and Address Bar Spoofing (ABS). These vulnerabilities, along with the attack scenarios are something which I’ve created through my research. As a case study I’ll discuss integer underflow vulnerability in firefox (NSS). I’ve also created, from scratch, an exploit code which can be used across several browsers for the same vulnerability. I will be showcasing multiple Metasploit module, I created during my research.