- How Browsers Work: Behind the scenes of modern web browsers
- Inside look at modern web browser (part 1)
- Inside look at modern web browser (part 2)
- Inside look at modern web browser (part 3)
- Inside look at modern web browser (part 4)
- Document Object Model (DOM)
- Understanding Web Security Checks in Firefox (Part 1)
- Understanding Web Security Checks in Firefox (Part 2)
- Towards native security defenses for the web ecosystem
- javascript.info
- javascript.info (video playlist)
- The Same-Origin Policy Gone Wild
- From SVG and back, yet another mutation XSS via namespace confusion for DOMPurify < 2.2.2 bypass
- Securitum Research
- The Hacker Blog
- Jorge Lajara's posts on XSS
- The Great DOM Fuzz-off of 2017
- JavaScript Engine Fuzzing and Exploitation Reading List
- V8 / Chrome Architecture Reading List - For Vulnerability Researchers
- WebKit & JSC Architecture Reading List - For Vulnerability Researchers
- Case Study of JavaScript Engine Vulnerabilities
- Broken Browser
- uxss-db
- awesome-browser-exploit
- Attacking JavaScript Engines - A case study of JavaScriptCore and CVE-2016-4622
- A Methodical Approach to Browser Exploitation
- Fuzzing JavaScript Engines with Fuzzilli
- Browser-Pwn - An updated collection of resources targeting browser-exploitation
- Hardening Firefox against Injection Attacks
- Hardening Firefox against Injection Attacks – The Technical Details
- Help Test Firefox’s built-in HTML Sanitizer to protect against UXSS bugs
- Chromium Disclosed Security Bugs
- Edge Vulnerability Research
- SBX Intro
- EXPLOITING URL PARSING CONFUSION
- EXPLOITING URL PARSERS: THE GOOD, BAD, AND INCONSISTENT
- Circumventing Browser Security Mechanisms For SSRF
- Demystifying Browsers
- Awesome Vulnerability Research
- Notes on Browser Exploitation (v8)
- Attacking JavaScript Engines in 2022
- Attacking JavaScript Engines - A case study of JavaScriptCore and CVE-2016-4622
- Exploiting Logic Bugs in JavaScript JIT Engines
- V8 / Chrome Architecture Reading List - For Vulnerability Researchers
- JavaScript Engine Fuzzing and Exploitation Reading List
- Top 4 Books to learn Web Browser Security in 2022
- Introduction to Browser Fuzzing
- Practical Web Browser Fuzzing
- WTF is Browser Hacking
- Introduction to Browser Fuzzing
- Browser fuzzing at Mozilla
- Fuzzing JavaScript Engines with Aspect-preserving Mutation
- https://github.com/seal9055/resources#browser-exploitation
- awesome-browser-exploit
- Diary of a reverse engineer
- Smashing The Browser: From Vulnerability Discovery To Exploit
- https://bufferoverflows.net/
- V8 Bug Hunting Part 1: Setting up the debug environment
- SpiderMonkey Research - 0x01 - Setup & Debug
- SOK: On the Analysis of Web Browser Security
- Towards native security defenses for the web ecosystem
- The Security Architecture of the Chromium Browser
- Content-Type Research
- Deep Dive into Site Isolation (Part 1)
- js-vuln-db - A collection of JavaScript engine CVEs with PoCs
- uxss-db - Browser logic vulnerabilities
- V8 Vulnerabilities
- Awesome Advanced Windows Browser Exploitation References
- Awesome browser security
- Browser Exploitation
- The Tangled Web – A Guide to Securing Modern Web Applications
- The Browser Hacker's Handbook
- Idiosyncrasies of the HTML parser
- X41’s Browser Security White Paper (alternate link)
- Cure53’s Browser Security White Paper (alternate link)
- Securing Web Apps with Modern Platform Features (Google I/O ’19)
- 35C3 - The Layman's Guide to Zero-Day Engineering
- 35C3 - From Zero to Zero Day
- Browser Exploitation for Fun and Profit
- Breaking Microsoft Edge extensions security policies
- Reversing Client Side JavaScript Using the Chrome Dev Tools Protocol
- LiveOverflow Browser Exploitation
- LiveDOM++ - Tool to compare various HTML parsers in browsers
- Domato - A DOM fuzzer
- BeEF - The Browser Exploitation Framework
- DOMPurify
- HTML Sanitizer API
- FreeDom - A DOM fuzzer
- Making of: The Sanitizer API
- Turbolizer
- ClusterFuzz - Scalable fuzzing infrastructure
- Parisa Tabriz
- Zon8 Research
- phoenhex team
- Luan Herrera
- Abdulrhman Alqabandi
- Frederik Braun
- Jun Kokatsu
- Mozilla Attack and Defense
- Chromium Disclosed Security Bugs
- Ivan Fratric
- Eduardo Vela
- koto
- LiveOverflow
- Masato Kinugawa
- Dhiraj Mishra
- Nikhil Mittal
- Johnathan Norman
- Alison Huffman
- Manuel Caballero
- tunz
- RET2 Systems
- Christoph Diehl
- Samuel Groß
- Jonathan Jacobi
- Norbert Szetei
- Michał Bentkowski
- Michele Spagnuolo
- Ben Stock
- Marius Steffens
- itszn
- Connor McGarr
- Simon Pieters
- Adam Barth
- Jeremy Fetiveau
- Patrick Ventuzelo
- doar-e
- Axel Souchet
- Jonathan Salwan
- Jeremy Fetiveau
- yrp
- Michael Zhang
- Daniel Lim
Twitter List: client-side-yodas - List of people specialized in client-side attacks