uxss-db 🔪

Star the repo, if it was useful for you ⭐️.

Any help is highly appreciated, 🙏 check TODO!

uxss-db 🔪

Inspired by js-vuln-db

For memory bugs, exploits and other: check awesome-browser-exploit

You can extract js-vuln-db CVEs to .html/.js files using Scripts

Intro

Some CVE ids were not found:

0-$$$$ - the issue with id $$$$ in google project zero tracker
cr-$$$$ - the issue with id $$$$ in Chromium tracker
some-bug - the vulnerability doesn’t have CVE or CVE is unknown

Version field has “?” symbol, if a version wasn’t attached to the report

NOTE: Many CVEs aren’t listed in the tables below!

Check /other folder = unsorted/unknown/duplicated CVEs and vulnerabilities for less popular browsers

Webkit

CVE/id	title	version	date
CVE-2017-7089	UXSS via `parent-tab://`	10?	Sep 20, 2017
CVE-2017-7037	UXSS via `JSObject::putInlineSlow` and `JSValue::putToPrimitive`	10?	Mar 10 2017
0-1197	WebKit: UXSS via `CachedFrameBase::restore`	10?	Mar 17 2017
CVE-2017-2528	UXSS: `CachedFrame` doesn’t detach openers	10?	Mar 10 2017
0-1163	UXSS via `Document::prepareForDestruction` and CachedFrame	10?	Mar 3 2017
CVE-2017-2510	UXSS: `enqueuePageshowEvent` and `enqueuePopstateEvent` don’t enqueue, but dispatch	10?	Feb 27 2017
CVE-2017-2508	UXSS via `ContainerNode::parserInsertBefore`	10?	Feb 24 2017
0-1134	UXSS via `ContainerNode::parserRemoveChild` (2)	10?	Feb 17 2017
0-1132	UXSS: the patch of #1110 made another bug	10	Feb 16 2017
CVE-2017-2504	UXSS via `Editor::execute`	10.0.3	Feb 16 2017
CVE-2017-2493	UXSS through `HTMLObjectElement::updateWidget`	10.0.3	Feb 9 2017
CVE-2017-2480	UXSS via a synchronous page load	10.0.3	Feb 9 2017
CVE-2017-2479	UXSS via a focus event and a link element	10.0.3	Feb 9 2017
CVE-2017-2475	UXSS via `ContainerNode::parserRemoveChild`	10.0.3	Feb 2 2017
CVE-2017-2468	Use-After-Free via `Document::adoptNode`	10.0.3	Jan 23 2017
0-1094	UXSS via `operationSpreadGeneric`	10.0.2	Jan 20 2017
0-1084	UXSS via `PrototypeMap::createEmptyStructure`	10.0.2	Jan 17 2017
CVE-2017-2445	UXSS via `disconnectSubframes`	10.0.2	Jan 9 2017
CVE-2017-2442	UXSS with `JSCallbackData`	10.0.2	Jan 3 2017
CVE-2017-2367	UXSS by accessing a named property from an unloaded window	10.0.2	Dec 23 2016
CVE-2017-2365	UXSS via `Frame::setDocument`	10.0.2	Dec 20 2016
CVE-2017-2364	UXSS via `Frame::setDocument` (1).	10.0.2	Dec 20 2016
CVE-2017-2363	UXSS via `FrameLoader::clear`	10.0.2	Dec 19 2016

Chromium

CVE/id	title	version	date
CVE-2018-6128	UXSS via URL parsing bug	66	May 9 2018
CVE-2017-5124	UXSS with MHTML	61	Oct 20 2017
cr-687844	`window.external` leaks global object + cross origin script access	57	Feb 2 2017
CVE-2017-5007	UXSS through bypassing `ScopedPageSuspender` with closing windows	55	Dec 5 2016
cr-656274	Cross-origin object leak via `fetch`	56 (canary)	Oct 15 2016
cr-594383	UXSS via `window.open()` via `file://` pages	54	Oct 15 2016
CVE-2016-5207	UXSS via fullscreen element updates	54	Oct 14 2016
CVE-2016-5204	UXSS by intercepting a UA shadow tree	52	Jul 24 2016
CVE-2016-1676	Persistent UXSS via `SchemaRegistry`	50	Apr 19 2016
CVE-2016-1667	UXSS through adopting image elements	50	Apr 21 2016
CVE-2016-1674	UXSS via the interception of `Binding` with `Object.prototype.create`	49	Mar 26 2016
CVE-2016-1673	UXSS using a `FrameNavigationDisabler` bypass	49	Mar 24 2016
cr-583445	UXSS in `DocumentLoader::createWriterFor`	48	Feb 2 2016
CVE-2016-1631	UXSS using Flash message loop	47	Dec 14 2015
CVE-2015-6770	UXSS using `document.adoptNode`	45	Oct 8 2015
CVE-2015-6769	UXSS via the `unload_event` module	45	Sep 22 2015
CVE-2015-6765	UXSS via `ContainerNode::parserInsertBefore`	44	Aug 11 2015
CVE-2015-1268	UXSS using IDBKeyRange static methods	43	May 31 2015
CVE-2014-1747	UXSS via local MHTML files	35	Dec 25 2013
CVE-2014-1701	UXSS via `dispatchEvent` on iframes	32	Feb 11 2014
CVE-2011-2856	Arbitrary cross-origin bypass using `__defineGetter__` prototype override	15	Aug 18 2011
CVE-2011-3243	Universal XSS using `contentWindow.eval`	12	May 24 2011
CVE-2011-1438	bypass SOP with `blob:`	11	Mar 2 2011
cr-74372	`chrome://blob-internals/` XSS	11	Feb 28 2011
cr-37383	`javascript:` url with a leading NULL byte can bypass cross origin protection.	?	Mar 4 2010

IE/Edge

CVE/id	version/date	reporter
CVE-2015-0072, alternative PoC

Articles

Whitepapers

Browser hacking guides and design docs

Firefox

7 Tips for Fuzzing Firefox More Effectively

Tor

Brave

Brave browser repo
Component Structure
Directory Structure
State - similar to Redux state concept, but just an ImmutableJS object
How to work with crashes

Chromium

Webkit

Electron

Specs

Bounties

Misc

NodeFuzz - web browser fuzzer
brave/Muon - Build browsers and browser like applications with HTML, CSS, and JavaScript (part of the Brave’s bug bounty)
https://ios.browsr-tests.com - list of SOP bypasses in iOS
https://github.com/rafaybaloch/SOP-Bypass-Mini-Test-Suite - list of SOP bypasses
ref_fuzz fuzzer - source code
javascript - Ways to circumvent the same-origin policy - Stack Overflow - document.domain, window.postMessage, CORS, reverse proxy( + jsonp)
Slides about cookie security - Cookie same origin policy
PortSwigger/hackability - “Devtools” for browser security. (useful for less known browsers)

Scripts

  # Export `js-vuln-db` repo CVEs to html
  bash ./scripts/js-vuln-db-to-format.sh html
  # Export `js-vuln-db` repo CVEs to js
  bash ./scripts/js-vuln-db-to-format.sh js

Author

Vladimir Metnew vladimirmetnew@gmail.com

LICENSE

MIT

TODO

Add these bugs: