参考资料
==================================================

参考文献
--------------------------------------------------
1. ``IEEE 2016`` ``Black Box`` Lin Y D, Liao F Z, Huang S K, et al. Browser fuzzing by scheduled mutation and generation of document object models[C]// International Carnahan Conference on Security Technology. IEEE, 2016:1-6. 

2. ``IEEE 2012`` ``White Box`` Huang S K, Huang M H, Huang P Y, et al. CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations[C]// IEEE Sixth International Conference on Software Security and Reliability. IEEE, 2012:78-87.

3. ``Usenix 2014`` ``Seed Generation`` Rebert A, Sang K C, Grieco G, et al. Optimizing seed selection for fuzzing[C]// Usenix Conference on Security Symposium. USENIX Association, 2014:861-875.

4. ``ACM 2013`` ``Black Box`` Woo M, Sang K C, Gottlieb S, et al. Scheduling black-box mutational fuzzing[C]// ACM Sigsac Conference on Computer & Communications Security. ACM, 2013:511-522.

5. 钱文祥. 白帽子讲浏览器安全[M]. 电子工业出版社, 2016.

6. ``ACM 2013`` Paige M. The tangled web: a guide to securing modern web applications by Michal Zalewski[M]. ACM, 2013.

7. ``IEEE 2013`` ``Black Box`` Guo T, Zhang P, Wang X, et al. GramFuzz: Fuzzing testing of web browsers based on grammar analysis and structural mutation[C]// Second International Conference on Informatics and Applications. IEEE, 2013:212-215.

8. ``ACM 2013`` ``White Box`` Avgerinos T, Sang K C, Rebert A, et al. Automatic exploit generation[J]. Communications of the Acm, 2014, 57(2):74-84.

9. ``IEEE 2010`` ``Symbolic Execution`` Schwartz E J, Avgerinos T, Brumley D. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask)[C]// Security and Privacy. IEEE, 2010:317-331.

10. ``ACM 2013`` ``Symbolic Execution`` Cadar C, Sen K. Symbolic execution for software testing: three decades later[J]. Communications of the Acm, 2013, 56(2):82-90.

11. ``Fuzz PNG`` Miller C, Peterson Z N J. Analysis of mutation and generation-based fuzzing[J]. Independent Security Evaluators, Tech. Rep, 2007.

12. ``IEEE 2005`` Oehlert P. Violating Assumptions with Fuzzing[J]. IEEE Security & Privacy, 2005, 3(2):58-62.

13. ``Usenix 2012`` Holler C, Herzig K, Zeller A. Fuzzing with Code Fragments[J]. Proc Usenix Security, 2012:445--458.

14. ``IEEE CCIS2012`` ``Fuzz BMP`` Hou Y, Tao G, Shi Z, et al. Research on Android browser fuzzing based on bitmap structure[M]. 2013.

15. ``ACM 2017`` Guo R. MongoDB's JavaScript Fuzzer[M]. ACM, 2017.

16. ``Usenix 2018`` Yun I, Lee S, Xu M, et al. QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing[C]//27th USENIX Security Symposium (USENIX Security 18). USENIX Association, 2018.

工具
--------------------------------------------------
1. `zuff fuzzer <http://caca.zoy.org/wiki/zzuf>`_

2. `CERT Basic Fuzzing <https://insights.sei.cmu.edu/cert/2010/05/cert-basic-fuzzing-framework.html>`_

3. `CERT Failure Observation Engine <http://www.cert.org/vulnerability-analysis/tools/foe.cfm>`_

4. `bf3 <https://www.aldeid.com/wiki/Bf3>`_

5. `Grinder <https://github.com/stephenfewer/grinder>`_

6. `axman <https://github.com/hdm/axman>`_

7. `exploitable <https://msecdbg.codeplex.com/>`_

8. `jsfunfuzz <https://github.com/MozillaSecurity/funfuzz>`_

9. `metasm <https://github.com/jjyg/metasm/>`_

10. `web platform tests <https://github.com/w3c/web-platform-tests>`_

11. `oss fuzz <https://github.com/google/oss-fuzz>`_

12. `Domato <https://github.com/googleprojectzero/domato>`_

13. `mitigationview <https://github.com/fishstiqz/mitigationview>`_

14. `sandbox attacksurface analysis tools <https://github.com/google/sandbox-attacksurface-analysis-tools>`_

15. `NodeFuzz <https://github.com/attekett/NodeFuzz>`_

16. `wadi <https://github.com/sensepost/wadi>`_

17. `Angora <https://github.com/AngoraFuzzer/Angora>`_

18. `afl <http://lcamtuf.coredump.cx/afl/>`_

19. `neuzz <https://github.com/Dongdongshe/neuzz>`_

Blog or Talks
--------------------------------------------------
1. `浏览器fuzz工具 <http://www.freebuf.com/sectool/93130.html>`_

2. `浏览器fuzz框架 <http://blog.nsfocus.net/web-browser-fuzzing/>`_

3. `nduja <http://www.freebuf.com/articles/web/105510.html>`_

4. `Morph <http://www.freebuf.com/sectool/89001.html>`_

5. `R Valotta <https://sites.google.com/site/tentacoloviola/>`_

6. `符号执行入门 <https://zhuanlan.zhihu.com/p/26927127>`_

7. `blueclosure blog <http://blog.blueclosure.com/>`_

8. `MongoDBs fuzzer <https://engineering.mongodb.com/post/mongodbs-javascript-fuzzer-creating-chaos>`_

9. `JavaScript engine fundamentals optimizing prototypes <https://mathiasbynens.be/notes/prototypes>`_

10. `深入理解Webkit <http://www.starming.com/2017/10/11/deeply-analyse-webkit/>`_

11. `Timeline of Web Browsers <https://en.wikipedia.org/wiki/Timeline_of_web_browsers>`_

12. `Browser UI Security <https://xlab.tencent.com/cn/2017/10/16/browser-ui-security-whitepaper/>`_

13. `life of a pixel <http://bit.ly/lifeofapixel>`_

14. `Inline Caching in JavaScriptCore <http://www.filpizlo.com/slides/pizlo-icooolps2018-inline-caches-slides.pdf>`_

15. `webidl <https://heycam.github.io/webidl/>`_

16. `The Great DOM Fuzz-off of 2017 <https://googleprojectzero.blogspot.com/2017/09/the-great-dom-fuzz-off-of-2017.html>`_

17. `Finding and Exploiting Safari Bugs using Publicly Available Tools <https://googleprojectzero.blogspot.com/2018/10/365-days-later-finding-and-exploiting.html>`_

18. `wabt <https://github.com/WebAssembly/wabt>`_

19. `ecma262 <https://github.com/tc39/ecma262>`_

20. `strengthening microsoft edge sandbox <https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/>`_

21. `breaking the local browser sandbox <https://authentic8.blog/breaking-the-local-browser-sandbox-1/>`_

22. `Forshaw Digging For IE11 Sandbox Escapes <https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf>`_

23. `digging into turbofan jit <https://v8project.blogspot.de/2015/07/digging-into-turbofan-jit.html>`_

24. `liftoff <https://v8project.blogspot.com/2018/08/liftoff.html>`_

25. `fuzzing binaries without execve <https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html>`_

26. `fuzzingbook <https://www.fuzzingbook.org/>`_

漏洞相关
--------------------------------------------------
1. `js-vuln <https://github.com/tunz/js-vuln-db>`_

2. `cve-2018-4192 and cve-2018-4262 <https://github.com/wzw19890321/Exploits>`_

3. `cve-2016-0189 <https://github.com/theori-io/cve-2016-0189>`_

4. `CVE-2018-4121 Safari Wasm Exploit <https://github.com/mwrlabs/CVE-2018-4121>`_

5. `Enforcement of Bounds Checks in Native JIT Code <https://www.zerodayinitiative.com/blog/2017/10/5/check-it-out-enforcement-of-bounds-checks-in-native-jit-code>`_

6. `The Advanced Exploitation of 64-bit Edge Browser Use-After-Free Vulnerability on Windows 10 <https://github.com/mrowensnobody/presentation/blob/master/The%20Advanced%20Exploitation%20of%2064-bit%20Edge%20Browser%20Use-After-Free%20Vulnerability%20on%20Windows%2010.pdf>`_

7. `From Assembly to JavaScript and Back <https://gsec.hitb.org/materials/sg2018/D1%20-%20Turning%20Memory%20Errors%20into%20Code%20Execution%20with%20Client-Side%20Compilers%20-%20Robert%20Gawlik.pdf>`_

8. `awesome browser exploit <https://github.com/Escapingbug/awesome-browser-exploit>`_

9. `pwnjs <https://github.com/theori-io/pwnjs>`_

10. `Write-up for CVE-2018-8495 <https://leucosite.com/Microsoft-Edge-RCE/>`_

11. `blackhat us 18 attacking client side jit compilers <https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf>`_

12. `WebExtension security Part1 <https://leucosite.com/WebExtension-Security/>`_

13. `cve-2018-8629 <https://github.com/phoenhex/files/blob/master/pocs/cve-2018-8629-chakra.js>`_

14. `Introduction to SpiderMonkey exploitation <https://doar-e.github.io/blog/2018/11/19/introduction-to-spidermonkey-exploitation/>`_

15. `webkit bugmap <https://bugmap.gitlab.io/webkit/>`_

规范 / 手册
--------------------------------------------------
1. `wc3规范 <https://www.w3.org/standards/>`_

2. `whatwg <https://html.spec.whatwg.org/>`_

3. `MDN <https://developer.mozilla.org>`_

4. `Mozilla Source Tree Documentation <https://firefox-source-docs.mozilla.org/>`_

5. `HTML Standard by whatwg <https://github.com/whatwg/html>`_

6. `V8 Documentation <https://v8.dev/docs>`_

7. `chromium documents <https://chromium.googlesource.com/chromium/src/+/master/docs/>`_

8. `chromium design documents <https://www.chromium.org/developers/design-documents>`_

9. `V8 Ignition online doc <https://docs.google.com/document/d/11T2CRex9hXxoJwbYqVQ32yIPMh0uouUZLdyrtmMoL44/edit?ts=56f27d9d#heading=h.6jz9dj3bnr8t>`_

10. `SpiderMonkey <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey>`_