Web browsers are among the most widely used and essential software globally. With millions of lines of code, they manage, sanitize, and interpret various types of untrusted web data. Given the complexity of these systems, which involve compilers, interpreters, and parsing libraries, it is inevitable that developers will introduce bugs.
This training will focus on applying various fuzzing techniques to uncover critical vulnerabilities in different web browser implementations.
The course will start by providing you with the necessary background to understand modern web browser architecture and key components. You will then explore a straightforward testing environment designed for replaying, debugging, minimizing, and analyzing existing issues, CVEs, and PoCs. Through dedicated modules, you will learn to fuzz essential browser components like the DOM, JavaScript engines, JIT compilers, WebAssembly, and IPC. You will gain experience using well-known tools (such as Honggfuzz, Domato, Dharma, Fuzzilli, AFL++) and creating custom fuzzers to apply various techniques (coverage-guided, grammar-based, in-process fuzzing) to rediscover known vulnerabilities and potentially identify new ones.
This hands-on training focuses on real-world use cases and applies to Google Chrome, Firefox, and WebKit/JSC, ensuring you gain practical expertise.
Patrick Ventuzelo is a senior security researcher, CEO & founder of FuzzingLabs. After working for the French Ministry of Defense, he specialized in fuzzing, vulnerability research, and reverse engineering. Over the years, Patrick has created multiple fuzzers, found hundreds of bugs, and published various blog posts/videos/tools on topics like Rust, Go, Blockchain, WebAssembly, and Browser security. Patrick is a regular speaker and trainer at various security conferences around the globe, including BlackHat USA, OffensiveCon, REcon, RingZer0, PoC, ToorCon, hack.lu, NorthSec, SSTIC, and others.
Tanguy Duhamel is the Lead Developer on FuzzingLabs' distributed fuzzing platform, collaborating with Patrick Ventuzelo on code auditing, fuzzer development, and security research. His research focuses on advancing distributed fuzzing techniques to improve software security, with a strong foundation in Rust for building high-performance tools.