How to go about browser exploit development?


I got very interested in browser exploitation, particularly in memory corruptions like UAF or type confusion vulnerabilities. I started learning some things, but can't understand some concepts.

First, I know that fuzzing is one of the methods used to find bugs. I'm not sure how fuzzing can find those complex vulnerabilities.

Second, I want to find out whether it is possible to find UAF bugs manually.

Third, can you please explain in detail how UAF bugs occur in browsers? I know that a UAF bug happens when freed memory is reused by code, and when attacker-controlled data is placed in the freed memory, you get code execution. But I can't understand how people generate all those HTML or PoC codes to crash the software using UAF bugs.

Fourth, what are type confusion vulnerabilities?



Answer by 04bb:

For web browsers:

1> Fuzzing is an efficient way to find bugs, but using an existing fuzzer in most cases leads to finding existing vulnerabilities (already reported to vendors). In all cases, after finding a bug, manual work is needed to clean up the PoC code.

2> Spending time improving your fuzzing strategy and generating use cases (focusing on memory allocation, freeing memory, copying references...) is the best manual work you can do to find a UAF vuln.

3> You can find several tutorials about UAF on the internet.

Good luck
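Added example, not part of the question or of 04bb's answer: a small C program that shows the mechanism the question's third point describes (a freed object's memory being reused by a new object while a stale reference still points at it) and why the answer's point 2 stresses allocation, freeing and reference copying. All names (`Node`, `node_create`, `node_ref`, `node_unref`, the slot pool) are constructed for this illustration; no real browser code is involved. The objects live in a fixed slot pool rather than on the malloc heap so that the read through the stale pointer is deterministic and can be inspected; on a real heap the same read is undefined behaviour and is exactly what AddressSanitizer reports as `heap-use-after-free`. The second function shows the usual fix in engine code: every alias holds its own reference, so the slot cannot be recycled while anyone still points at it.

```c
#include <stdio.h>
#include <string.h>

/* Toy object standing in for a DOM node. Constructed for this example;
 * real engines have far larger objects and a real heap allocator. */
#define SLOT_COUNT 4
#define NAME_LEN 16

typedef struct Node {
    int refcount;
    int kind;              /* 1 = "text", 2 = "other" (constructed labels) */
    char name[NAME_LEN];
} Node;

/* Fixed-size slot pool. Because every object lives in this static array,
 * reading through a stale pointer is deterministic here; with malloc()
 * the same read is undefined behaviour and is what ASan reports as
 * heap-use-after-free. */
static Node slots[SLOT_COUNT];
static int  slot_used[SLOT_COUNT];

static Node *slot_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!slot_used[i]) {
            slot_used[i] = 1;
            memset(&slots[i], 0, sizeof slots[i]);
            return &slots[i];
        }
    }
    return NULL;
}

static void slot_free(Node *n) {
    slot_used[n - slots] = 0;      /* slot returns to the pool, like a freed heap chunk */
}

Node *node_create(int kind, const char *name) {
    Node *n = slot_alloc();
    if (n == NULL) return NULL;
    n->refcount = 1;
    n->kind = kind;
    strncpy(n->name, name, NAME_LEN - 1);   /* slot was zeroed, so it stays terminated */
    return n;
}

void node_ref(Node *n)   { n->refcount++; }
void node_unref(Node *n) { if (--n->refcount == 0) slot_free(n); }

/* Buggy pattern: a raw pointer is kept after the object's last reference is
 * dropped. The next allocation of the same size reuses the slot, so the
 * stale pointer now reads the replacement object's fields. Returns 1 when
 * the stale pointer and the new object share a slot; copies what the stale
 * pointer sees into `observed`. */
int uaf_raw_pointer(char *observed, size_t len) {
    Node *child = node_create(1, "child");
    Node *stale = child;                          /* alias without its own reference */
    node_unref(child);                            /* refcount 1 -> 0: slot recycled */
    Node *other = node_create(2, "replacement");  /* lands in the recycled slot */
    snprintf(observed, len, "%s", stale->name);   /* use-after-free: reads the new object */
    int same_slot = (stale == other);
    node_unref(other);
    return same_slot;
}

/* Fixed pattern: the alias takes its own reference (what RefPtr-style smart
 * pointers do in browser code), so the slot cannot be recycled while the
 * alias is alive. Returns 0: the new object went to a different slot. */
int refcounted_alias(char *observed, size_t len) {
    Node *child = node_create(1, "child");
    Node *alias = child;
    node_ref(alias);                              /* refcount 1 -> 2 */
    node_unref(child);                            /* refcount 2 -> 1: object stays alive */
    Node *other = node_create(2, "replacement");  /* gets a fresh slot */
    snprintf(observed, len, "%s", alias->name);   /* still the original object */
    int same_slot = (alias == other);
    node_unref(other);
    node_unref(alias);                            /* refcount 1 -> 0: freed only now */
    return same_slot;
}

int main(void) {
    char seen[NAME_LEN];
    printf("raw pointer: same slot=%d, stale read=\"%s\"\n",
           uaf_raw_pointer(seen, sizeof seen), seen);
    printf("refcounted : same slot=%d, alias read=\"%s\"\n",
           refcounted_alias(seen, sizeof seen), seen);
    return 0;
}
```

The first function is the shape a fuzzer-found UAF crash usually has once the PoC is cleaned up: create an object, drop its last owner, allocate something else of the same size, touch the old pointer. The second is what a reviewer looks for in a fix: the alias must own a reference (or be cleared) before the owner releases. Building the same program against the real heap with `-fsanitize=address` instead of the slot pool turns the stale read into an immediate, attributable report rather than a silent wrong value.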