
Browser Exploitation V8
Load this when you are doing authorized Chromium/V8 offensive work and need a structured agent playbook for renderer bugs through sandbox barriers.
Overview
browser-exploitation-v8 is an agent skill for the Ship phase that guides authorized exploitation of V8 and Chromium renderer vulnerabilities from JIT bugs through sandbox-aware primitive building.
Install
npx skills add https://github.com/yaklang/hack-skills --skill browser-exploitation-v8
What is this skill?
- Playbook for V8 JIT type confusion, incorrect bounds elimination, and sandbox bypass toward renderer RCE
- Primitives coverage: addrof/fakeobj, ArrayBuffer corruption, and WASM RWX page abuse patterns
- V8 sandbox and pointer-compression barriers explained for modern Chrome/Chromium targets
- Routes to companion skills: sandbox-escape-techniques, heap-exploitation, stack-overflow-and-rop, binary-protection-bypa
- Optional deep reference via V8_EXPLOITATION_PATTERNS.md for heap layout, GC interaction, and code templates
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have a browser or V8 bug hypothesis but lack a reliable sequence for building primitives, shaping the heap, and crossing sandbox barriers, and you want to avoid mixing up compressed pointers and object layouts along the way.
Who is it for?
Authorized CTF browser pwn, Chromium-focused security research, and structured agent-assisted exploit development when SKILL.md triggers match JavaScript engine targets.
Skip if: Casual indie builders shipping product features, unauthorized testing, or teams that only need end-user browser automation without engine-level offensive security.
When should I use this skill?
Use when exploiting JavaScript engine vulnerabilities including JIT type confusion, incorrect bounds elimination, and V8 sandbox bypass to achieve renderer RCE and sandbox escape in Chrome/Chromium.
What do I get? / Deliverables
You get an expert V8/Chrome exploitation narrative with primitive paths, sandbox context, and explicit next steps toward sandbox-escape-techniques and related heap or ROP skills.
- Structured exploit chain plan from bug class to intended primitives
- Notes on V8 object layout, sandbox, and pointer-compression constraints for the target
- Handoff checklist toward sandbox escape and native execution follow-on skills
Recommended Skills
Journey fit
Prism shelves browser engine exploitation under Ship because it is pre-ship security research and exploit chaining, not Idea–Launch product building. Security is the canonical subphase for vulnerability exploitation, JIT bugs, and sandbox-escape methodology rather than generic testing or perf tuning.
How it compares
Use as an offensive V8 research playbook skill, not a Playwright-style browser automation or generic web security scanner.
Common Questions / FAQ
Who is browser-exploitation-v8 for?
It is for security researchers, CTF players, and bug-bounty practitioners working in authorized scopes on Chrome, Chromium, or V8 renderer exploitation who want agent-guided methodology instead of ad-hoc chat guesses.
When should I use browser-exploitation-v8?
Use it when you are exploiting JavaScript engine issues such as JIT type confusion, bad bounds elimination, or V8 sandbox bypass to reach renderer RCE, typically during Ship/security research or dedicated exploit sprints—not during normal SaaS feature development.
Is browser-exploitation-v8 safe to install?
Treat it as high-risk offensive knowledge: review the Security Audits panel on this Prism page, confirm repository trust, and only run techniques inside legally authorized lab or program environments.
Workflow Chain
Requires first: heap exploitation
Then invoke: sandbox escape techniques
SKILL.md - Browser Exploitation V8
# SKILL: Browser / V8 Exploitation — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Expert V8/Chrome exploitation techniques. Covers the V8 compilation pipeline, JIT type confusion, addrof/fakeobj primitives, ArrayBuffer corruption, WASM RWX pages, pointer compression and the V8 sandbox, and a Chrome sandbox escape overview. Distilled from ctf-wiki browser sections, Project Zero research, and CTF competition patterns. Base models often confuse V8 object representation details and miss the pointer compression barrier.

## 0. RELATED ROUTING

- [sandbox-escape-techniques](../sandbox-escape-techniques/SKILL.md) — Chrome renderer sandbox escape via IPC/Mojo
- [heap-exploitation](../heap-exploitation/SKILL.md) — general heap concepts applicable to the V8 heap
- [stack-overflow-and-rop](../stack-overflow-and-rop/SKILL.md) — ROP concepts for native code execution after the V8 escape
- [binary-protection-bypass](../binary-protection-bypass/SKILL.md) — ASLR/NX bypass in the browser context

### Advanced Reference

Load [V8_EXPLOITATION_PATTERNS.md](./V8_EXPLOITATION_PATTERNS.md) when you need:

- Detailed exploitation patterns and code templates
- Heap layout manipulation and GC interaction
- V8 sandbox bypass techniques
- Object map confusion patterns

---

## 1. V8 ARCHITECTURE

### Compilation Pipeline

```
JavaScript Source
    ↓ Parser
AST (Abstract Syntax Tree)
    ↓ Ignition
Bytecode (interpreted, collects type feedback)
    ↓ Sparkplug (non-optimizing baseline compiler, V8 ≥ 9.1)
Baseline code (fast startup, same feedback as Ignition)
    ↓ Maglev (mid-tier optimizing compiler, V8 ≥ 10.2)
Mid-optimized code
    ↓ TurboFan (optimizing JIT)
Optimized machine code (speculative, guarded by type checks)
    ↓ Deoptimization (if a speculation guard fails)
Back to Ignition bytecode / baseline code
```

### Key V8 Concepts

| Concept | Description |
|---|---|
| Tagged pointers | SMI (Small Integer): `value << 1` (31-bit payload under pointer compression); HeapObject: `ptr \| 1` |
| Pointer compression | V8 ≥ 8.0: heap pointers are stored as 32-bit offsets from a cage base; the cage is 4 GB |
| V8 sandbox | A later, separate mitigation: a large (about 1 TB) reservation that contains the cage. ArrayBuffer backing stores live inside it and are referenced by offset; pointers to memory outside it go through an external pointer table, so a corrupted compressed pointer alone cannot address arbitrary process memory |
| Maps (hidden classes) | Define object shape: property names, types and offsets, elements kind, prototype |
| Elements kinds | Internal array representation: `PACKED_SMI_ELEMENTS`, `PACKED_DOUBLE_ELEMENTS`, `PACKED_ELEMENTS`, their `HOLEY_*` variants, etc.; transitions only go from a more specific kind to a more general one |
| Write barrier | GC bookkeeping executed when a heap pointer is stored into an object |
| Garbage collection | Orinoco GC: minor (Scavenge, young generation) and major (Mark-Compact, full heap); objects move, so raw addresses are not stable across a GC |

### Object Representation (64-bit, pointer compression)

```
JSArray in the V8 heap (compressed):
+0x00: Map pointer (compressed, 32-bit)
+0x04: Properties or hash (compressed)
+0x08: Elements pointer (compressed) -> FixedArray / FixedDoubleArray
+0x0C: Length (SMI)
+0x10: In-object properties, if any

Elements backing store (FixedArray / FixedDoubleArray):
+0x00: Map pointer (compressed)
+0x04: Length (SMI)
+0x08: Element data: 4-byte tagged values, or raw 8-byte doubles in a FixedDoubleArray
```

---
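Added example (not code from the skill or the hack-skills repository): the tagging rules and layouts above, worked through as a small decoder in JavaScript. It reinterprets doubles as 64-bit words (the usual ftoi/itof pair), encodes and decodes SMI and compressed HeapObject words, decompresses a word against an assumed cage base, and parses a constructed pointer-compressed JSArray header and FixedDoubleArray backing store. All byte values and addresses are constructed for illustration, and the function names are my own.

```javascript
// Added example: decode V8 tagged words and pointer-compressed object headers.
// Offsets follow the 64-bit pointer-compression layouts described above.
// The byte values built in sampleJSArray/sampleElements are constructed, not
// captured from a real heap.

const conv = new ArrayBuffer(8);
const f64 = new Float64Array(conv);
const u64 = new BigUint64Array(conv);

// ftoi/itof: reinterpret a double as its 64-bit pattern and back, the helpers
// every V8 exploit uses to move raw words through double arrays.
function ftoi(f) { f64[0] = f; return u64[0]; }
function itof(i) { u64[0] = BigInt.asUintN(64, i); return f64[0]; }

// A tagged 32-bit word: bit 0 clear -> SMI holding value << 1 (31-bit payload),
// bit 0 set -> compressed HeapObject pointer (offset | 1).
function decodeTagged(word) {
  word >>>= 0;
  if ((word & 1) === 0) {
    return { kind: "smi", value: (word | 0) >> 1 }; // arithmetic shift keeps the sign
  }
  return { kind: "heap", offset: (word & 0xFFFFFFFE) >>> 0 };
}

const SMI_MIN = -(2 ** 30), SMI_MAX = 2 ** 30 - 1;
function encodeSmi(v) {
  if (!Number.isInteger(v) || v < SMI_MIN || v > SMI_MAX) {
    throw new RangeError("not representable as a 31-bit SMI: " + v);
  }
  return (v << 1) >>> 0;
}
function encodeHeap(offset) { return ((offset >>> 0) | 1) >>> 0; }

// Decompression: full address = cage base + compressed word. The tag bit stays
// in the low bit, so strip it when the raw object address is needed.
function decompress(cageBase, word) {
  const full = cageBase + BigInt(word >>> 0);
  return { tagged: full, untagged: full & ~1n };
}

function readWords(bytes) {
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const out = [];
  for (let i = 0; i + 4 <= bytes.byteLength; i += 4) out.push(dv.getUint32(i, true)); // little-endian
  return out;
}

// JSArray header: map, properties, elements, length (SMI).
function parseJSArrayHeader(bytes) {
  const [map, properties, elements, length] = readWords(bytes.subarray(0, 16)).map(decodeTagged);
  if (map.kind !== "heap" || elements.kind !== "heap" || length.kind !== "smi") {
    throw new TypeError("word tags do not match a JSArray header");
  }
  return { map: map.offset, properties: properties.offset, elements: elements.offset, length: length.value };
}

// FixedDoubleArray: map, length (SMI), then raw 8-byte doubles.
function parseFixedDoubleArray(bytes) {
  const [map, length] = readWords(bytes.subarray(0, 8)).map(decodeTagged);
  if (map.kind !== "heap" || length.kind !== "smi") throw new TypeError("not a FixedDoubleArray header");
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const values = [];
  for (let i = 0; i < length.value; i++) values.push(dv.getFloat64(8 + 8 * i, true));
  return { map: map.offset, length: length.value, values };
}

// Constructed sample: a 3-element double array header (offsets are made up).
function sampleJSArray() {
  const hdr = new Uint8Array(16);
  const dv = new DataView(hdr.buffer);
  dv.setUint32(0, encodeHeap(0x00082A40), true);   // map (e.g. a PACKED_DOUBLE_ELEMENTS map)
  dv.setUint32(4, encodeHeap(0x00000C28), true);   // empty properties array
  dv.setUint32(8, encodeHeap(0x00044F08), true);   // elements -> FixedDoubleArray
  dv.setUint32(12, encodeSmi(3), true);            // length as SMI
  return parseJSArrayHeader(hdr);
}

// Constructed sample: the matching FixedDoubleArray backing store.
function sampleElements() {
  const store = new Uint8Array(8 + 8 * 3);
  const dv = new DataView(store.buffer);
  dv.setUint32(0, encodeHeap(0x00002D88), true);   // FixedDoubleArray map
  dv.setUint32(4, encodeSmi(3), true);
  [1.5, -2.25, 1024.0].forEach((v, i) => dv.setFloat64(8 + 8 * i, v, true));
  return parseFixedDoubleArray(store);
}
```

The decoder is the mirror image of what an addrof/fakeobj chain writes: a fake object is a FixedDoubleArray whose doubles are chosen with itof so that, read as 4-byte tagged words, they form a plausible map/properties/elements/length header at a known compressed offset.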
## 2. COMMON V8 BUG CLASSES

| Bug Class | Description | Example |
|---|---|---|
| JIT Type Confusion | TurboFan assumes a wrong type after optimization | Speculative type guard eliminated, wrong operation applied |
| Incorrect Bounds Elimination | JIT removes an array bounds check based on wrong range analysis | `CheckBounds` node eliminated → OOB access |
| Prototype Chain Confusion | Optimization assumes a stable prototype; mutations invalidate that assumption | Prototype changed after optimization → wrong property access |
| TurboFan Reduction Bug | Incorrect strength reduction or constant folding | Integer overflow in range analysis |
| Race Condition | SharedArrayBuffer + worker thread race | Type confusion via concurrent modification |
| Off-by-one in Builtin | Boundary error in a built-in function implementation | String/Array bounds |
| Typer Bug | Incorrect type range computation in TurboFan | `Typer` says the value is in [0, N] but it can be N+1 |

### Triggering JIT Optimization

```javascript
function vuln(arr) {
  // ... vulnerable code path ...
}

// Force optimization by calling many times with stable argument types.
// The iteration count is illustrative; tier-up thresholds change across V8 versions.
const arr = [1.1, 2.2, 3.3];
for (let i = 0; i < 100000; i++) {
  vuln(arr);
}
```
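Added example (not the skill's own code): a warm-up harness around the loop above. It probes for natives syntax, so the same script works under `d8` or `node --allow-natives-syntax` (where it uses `%PrepareFunctionForOptimization`, `%OptimizeFunctionOnNextCall` and `%GetOptimizationStatus`) and under plain node, where it falls back to repeated calls; it then perturbs the argument types to show what a correctly guarded optimized function must do. The 10000-call default and the `readAt` function are assumptions, and no real vulnerability is involved.

```javascript
// Added example: force V8 tiering while developing a JIT-bug trigger.
// Under d8 / node --allow-natives-syntax the %-runtime calls are used; without
// the flag the harness falls back to repeated calls and reports the
// optimization status as unknown (null). The bit layout of
// %GetOptimizationStatus changes between V8 versions, so the raw value is
// returned rather than interpreted.

// %Foo(...) is a SyntaxError unless the flag is set, so probe via new Function.
const natives = (() => {
  try {
    return {
      prepare: new Function("f", "%PrepareFunctionForOptimization(f)"),
      optimize: new Function("f", "%OptimizeFunctionOnNextCall(f)"),
      status: new Function("f", "return %GetOptimizationStatus(f)"),
    };
  } catch (e) {
    return null; // no natives syntax: plain node or d8 without the flag
  }
})();

function hasNativesSyntax() { return natives !== null; }

// Call f with the same argument shapes many times so its feedback becomes
// monomorphic, then request optimization if natives are available.
// The default iteration count is an assumption; real tier-up thresholds vary.
function warmUp(f, argsFactory, iterations = 10000) {
  if (natives) natives.prepare(f);
  let last;
  for (let i = 0; i < iterations; i++) last = f(...argsFactory(i));
  if (natives) {
    natives.optimize(f);
    last = f(...argsFactory(iterations)); // this call runs the optimized code
  }
  return { last, calls: iterations + (natives ? 1 : 0), status: natives ? natives.status(f) : null };
}

// Candidate trigger (assumed, not from the skill): once optimized, the code
// speculates on the feedback seen during warm-up, here a PACKED_DOUBLE_ELEMENTS
// array and a SMI index.
function readAt(arr, idx) { return arr[idx]; }

// Warm up with stable types, then perturb. A correctly guarded function hits a
// map check on the SMI-elements array and a bounds check on index 5; a bug of
// the classes above is when TurboFan has dropped one of those guards.
function demo() {
  const stable = warmUp(readAt, i => [[1.1, 2.2, 3.3], i % 3]);
  const perturbed = readAt([1, 2, 3], 1);   // different elements kind: must take the map-check path
  const oob = readAt([1.1, 2.2, 3.3], 5);   // out of range: must return undefined, never read past the store
  return { stable: stable.last, perturbed, oob, statusKnown: stable.status !== null };
}
```

Run it as `d8 --allow-natives-syntax harness.js` or `node --allow-natives-syntax harness.js` to get a real optimization status; keeping the warm-up arguments monomorphic matters more than the exact iteration count, because polymorphic feedback makes TurboFan emit the very generic paths a type-confusion trigger is trying to avoid.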