by chrisrohlf 2941 days ago
I used to teach a training on the subject (all the course material is now free at https://github.com/struct/mms). I had a section on ‘where to look’ for vulnerabilities. I started this section off with a scenario: “You’ve checked out the Chrome tree. Where do you start? OK, you want to find Javascript interpreter bugs. What’s the first piece of code in Chrome that sees untrusted Javascript?” It’s a trick question. The answer of course is the networking code or the TLS decryption code. But you’d never go looking there for Javascript interpreter vulnerabilities. The point of the thought exercise is to introduce the concept of manual taint analysis: basically, understanding how to analyze what code paths and data structures your untrusted inputs could influence or control, and then go from there.
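The kind of reasoning the comment describes, "which variables and calls can this untrusted input reach", can be mechanised on a small scale. The following is an added example, not code from the comment or from the linked course: a toy forward taint propagator over a Python AST. It walks statements in order, labels values returned by designated source calls as untrusted, propagates the label through assignments and expressions, drops it at a designated sanitizer, and reports any call to a designated sink that receives labelled data. The source, sanitizer and sink names and the sample program are constructed for the demo; the analysis is intraprocedural, flow-insensitive across branches and ignores keyword arguments, which is plenty to show the idea.

```python
"""Toy forward taint propagation over a Python AST (added example)."""
import ast

# Constructed names for this demo: calls that yield attacker-influenced data,
# calls whose result is treated as clean, and calls that must never see it.
SOURCES = {"recv", "read_untrusted"}
SANITIZERS = {"sanitize"}
SINKS = {"eval", "exec", "run_script"}


def _tainted_expr(node, tainted):
    """True if evaluating `node` can yield data influenced by a source."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        if node.func.id in SOURCES:
            return True
        if node.func.id in SANITIZERS:
            return False  # sanitizer output is treated as clean
        # Unknown function: conservatively tainted if any positional arg is.
        return any(_tainted_expr(a, tainted) for a in node.args)
    if isinstance(node, ast.Name):
        return node.id in tainted
    # Any other expression (BinOp, Subscript, f-string, ...): tainted if a
    # sub-expression is, i.e. untrusted data "influences" the result.
    return any(_tainted_expr(c, tainted) for c in ast.iter_child_nodes(node))


def _check_sinks(node, tainted, findings):
    """Record every sink call inside `node` that receives tainted data."""
    for call in ast.walk(node):
        if (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
                and call.func.id in SINKS):
            bad = [ast.unparse(a) for a in call.args if _tainted_expr(a, tainted)]
            if bad:
                findings.append((call.lineno, call.func.id, bad))


def _assign_names(target, is_tainted, tainted):
    """Label (or clear) every name bound by an assignment target."""
    for n in ast.walk(target):
        if isinstance(n, ast.Name):
            if is_tainted:
                tainted.add(n.id)
            else:
                tainted.discard(n.id)  # a clean reassignment kills the label


def _walk(stmts, tainted, findings):
    for stmt in stmts:
        if isinstance(stmt, ast.Assign):
            _check_sinks(stmt.value, tainted, findings)
            is_t = _tainted_expr(stmt.value, tainted)
            for tgt in stmt.targets:
                _assign_names(tgt, is_t, tainted)
        elif isinstance(stmt, ast.AugAssign):
            _check_sinks(stmt.value, tainted, findings)
            if _tainted_expr(stmt.value, tainted):
                _assign_names(stmt.target, True, tainted)
        elif isinstance(stmt, (ast.Expr, ast.Return)) and stmt.value is not None:
            _check_sinks(stmt.value, tainted, findings)
        elif isinstance(stmt, (ast.If, ast.While)):
            _check_sinks(stmt.test, tainted, findings)
            # Both branches share one label set: a conservative union.
            _walk(stmt.body, tainted, findings)
            _walk(stmt.orelse, tainted, findings)
        elif isinstance(stmt, ast.For):
            _check_sinks(stmt.iter, tainted, findings)
            _assign_names(stmt.target, _tainted_expr(stmt.iter, tainted), tainted)
            _walk(stmt.body, tainted, findings)
        elif isinstance(stmt, ast.FunctionDef):
            _walk(stmt.body, tainted, findings)  # no scoping in this toy


def analyze(source):
    """Return (tainted_names, findings) for a program given as text.

    findings: list of (line, sink_name, [tainted argument text, ...]).
    """
    tainted, findings = set(), []
    _walk(ast.parse(source).body, tainted, findings)
    return tainted, findings


# Constructed sample program exercised by the analysis.
SAMPLE = """
def handler():
    payload = recv()              # untrusted source
    header = payload[:4]          # derived, still untrusted
    count = len(header)           # integer influenced by untrusted data
    safe = sanitize(payload)      # label dropped here
    run_script(safe)              # clean argument, no finding
    if count > 2:
        cmd = "print(" + header + ")"
        exec(cmd)                 # tainted data reaches a sink
    exec("print(1)")              # constant argument, no finding
"""

if __name__ == "__main__":
    names, hits = analyze(SAMPLE)
    print("tainted:", sorted(names))
    for line, sink, args in hits:
        print(f"line {line}: {sink}() receives tainted {args}")
```

Run as a script it lists the tainted variables and the one sink reached (`exec(cmd)`); note that `count` is reported as tainted even though it is only an integer derived from the input, which is exactly the "influence, not just control" distinction the comment draws when deciding where to look.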