2025-06-18, Main Stage
Modern web browsers are hardened and complex, yet remain high-value targets for attackers. While 0-day research dominates the headlines, building real-world, reliable exploits often involves chaining multiple vulnerabilities. Even when based on n-days, these exploit chains can offer a fast path to initial access during offensive engagements.
From patch diffing to modern mitigations bypass, this talk explores practical techniques for browser exploit development under real-world constraints. It introduces new methods and tools through the demonstration of an exploit chain leveraging three n-day vulnerabilities targeting recent versions of Google Chrome.
What does it take to exploit a modern browser in 2025?
In this session, we’ll dissect the creation of a real-world exploit chain targeting Google Chrome on Windows, using recently patched (n-day) vulnerabilities. This is a practical, technical session, aimed at showing how modern browser exploitation is still very much alive — and achievable with the right tools and approach.
Key topics covered include:
- Fundamentals of modern browser security and vulnerability research
- Patch diffing to turn Chrome updates and public issues into vulnerabilities
- Bypassing modern mitigations and the browser sandbox
- Exploit chain development: from initial bug to payload execution
- New methods and tools for Chrome exploit development
- Live demo of an exploit chain based upon recent vulnerabilities
The session also explores the current state of browser security and its implications for future offensive and defensive research.
Arnaud (@Petitoto) is a French student with a long-standing interest in cybersecurity.
Currently interning at POST Luxembourg, he focuses on browser exploitation and vulnerability research from an offensive perspective.