Browser-Pwn
===

The world of Browsers is dominated by 4 major players:
* Chromium/Chrome (Blink-Engine)
* Firefox (Gecko-Engine)
* Safari (WebKit-Engine)
* Edge (Blink-Engine, formerly EdgeHTML-Engine)

The following is split into two parts:
- Information that helps to understand their architecture and implementation and how to build them from sources
- Information that helps to find their calculator-popping feature


# Table of Contents

1. Engines
    * [Overview](#engine-overview)
    * [Chromium](#chromium-blink)
    * [Firefox](#firefox-gecko)
    * [Safari](#safari-webkit)
    * [Edge](#edge-blinkedgehtml)
2. Exploitation
    * [Overview](#exploitation-overview)
    * [Chromium](#chromium-pwn)
    * [Firefox](#firefox-pwn)
    * [Safari](#safari-pwn)
    * [Edge](#edge-pwn)
3. [Tools](#tools)
4. [JavaScript Docs](#javascript-ecmascript-docs)


# Engines

## Engine-Overview
* [Javascript Engine Fundamentals: the good, the bad, and the ugly](https://slidr.io/bmeurer/javascript-engine-fundamentals-the-good-the-bad-and-the-ugly)
* [Javascript Engine Fundamentals: Shapes and Inline Caches](https://mathiasbynens.be/notes/shapes-ics)
* [JavaScript Engines - how do they even (Video)](https://www.youtube.com/watch?v=p-iiEDtpy6I)

### Browse the Sources
Of course you can use your own favorite setup to browse the sources.
However, those repos are relatively large and I tried a couple different setups until I found something that worked for me.
So if you don't have a good setup already, here are a couple of my experiences that might help you:
* [CTags](https://chromium.googlesource.com/chromium/src/+/master/docs/linux_eclipse_dev.md) (+Vim): Works well with following references and calls. If you're used to navigating through large source-trees with this puristic setup, it can be a good option for you.
  The downside being of course the lack of the features most of the big IDEs come with nowadays.
* [CLion](https://www.jetbrains.com/clion/): I use JetBrains products for a lot of my coding activities, but CLion didn't work well for me, especially following references. Of course this might be due to setup issues.
* [Eclipse](https://www.eclipse.org/): I haven't used it in a while, but this turned out to be a good option. Unfortunately, it takes a lot of resources for the indexer to run through the code.
    * [Here](https://chromium.googlesource.com/chromium/src/+/master/docs/linux_eclipse_dev.md) is a setup description for the Chromium-Project, but it works similarly for the other projects as well.
* [ccls](https://github.com/MaskRay/ccls)+[VSCode](https://code.visualstudio.com/): This is the best option for me so far. ccls is very fast with indexing the repos and works great with VSCode. You can also combine it with other editors and IDEs, see https://github.com/MaskRay/ccls/wiki/Editor-Configuration

## Chromium (Blink)

[Project](https://www.chromium.org/blink) |
[GitHub](https://github.com/chromium/chromium)

Articles:
* [What is Chromium? (DE)](https://www.heise.de/newsticker/meldung/Chrome-und-Chromium-Was-sind-eigentlich-die-Unterschiede-4245456.html)

The JavaScript-Engine of Blink is V8.


### V8

[Project](https://v8.dev/) |
[GitHub](https://github.com/v8/v8) |
[Source](https://cs.chromium.org/chromium/src/v8/src/) |
[How2Build](https://v8.dev/docs/build)


Build (Ubuntu 18.04):

```
$ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
# Use an absolute path so depot_tools stays on PATH after changing directories
$ export PATH=$PATH:$(pwd)/depot_tools
$ gclient
$ mkdir ./v8 && cd ./v8
$ fetch v8 && cd v8
$ git pull
$ gclient sync
$ ./build/install-build-deps.sh
$ tools/dev/gm.py x64.release
$ out/x64.release/d8
```

Useful flags:

* `--print-opt-code`: code generated by optimizing compiler
* `--print-bytecode`: bytecode generated by interpreter
* `--trace-ic`: different object types a call site encounters
* `--trace-opt` and `--trace-deopt`: which functions are (de)optimized
* `--trace-turbo`: TurboFan traces for the Turbolizer visualization

Articles:
* [A tour of V8](http://www.jayconrod.com/posts/51/a-tour-of-v8--full-compiler)

#### JIT-Compiler: TurboFan

[Docs](https://v8.dev/docs/turbofan) |
[Blog](https://v8.dev/blog/turbofan-jit)

V8 provides a visualization for TurboFan called [Turbolizer](https://github.com/v8/v8/tree/master/tools/turbolizer)

Articles:

* [Introduction to TurboFan](https://doar-e.github.io/blog/2019/01/28/introduction-to-turbofan/)

##### Turbolizer usage:
1. Run v8 with `--trace-turbo`: `d8 --trace-turbo foo.js`
2. This generates JSON files, e.g. `turbo-foo-0.json`
3. Go to `v8/tools/turbolizer` and install with npm as described in `README.md`
4. Serve the directory, e.g. `python -m SimpleHTTPServer 8000`
5. Browse to `localhost:8000` and open `turbo-foo-0.json`


## Firefox (Gecko)

[Project](https://developer.mozilla.org/en-US/docs/Mozilla/Gecko) |
[GitHub](https://github.com/mozilla/gecko-dev)


The JavaScript-Engine of Gecko is Spidermonkey.

### Spidermonkey

[Project](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) |
[Source](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Getting_SpiderMonkey_source_code) |
[How2Build](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Build_Documentation)

##### Source
* [builtin](https://github.com/mozilla/gecko-dev/tree/master/js/src/builtin)


Build (Ubuntu 18.04):

```
$ wget -O bootstrap.py https://hg.mozilla.org/mozilla-central/raw-file/default/python/mozboot/bin/bootstrap.py && python bootstrap.py
$ git clone https://github.com/mozilla/gecko-dev.git && cd gecko-dev
$ cd js/src
$ autoconf2.13

# This name should end with "_DBG.OBJ" to make the version control system ignore it.
$ mkdir build_DBG.OBJ
$ cd build_DBG.OBJ
$ ../configure --enable-debug --disable-optimize
# Use "mozmake" on Windows
$ make -j 6
$ js/src/js
```


#### JIT-Compiler: IonMonkey

[Project](https://wiki.mozilla.org/IonMonkey)

Spidermonkey provides a visualization for IonMonkey called [IonGraph](https://github.com/sstangl/iongraph)

##### Source
* [jit](https://github.com/mozilla/gecko-dev/tree/master/js/src/jit)


## Safari (Webkit)

[Project](https://webkit.org/) |
[GitHub](https://github.com/WebKit/webkit)


The JavaScript-Engine of Webkit is JavaScriptCore (JSC).


### JavaScriptCore

[Project](https://developer.apple.com/documentation/javascriptcore) |
[Wiki](https://trac.webkit.org/wiki/JavaScriptCore) |
[Source](https://github.com/WebKit/webkit/tree/master/Source/JavaScriptCore)

Articles:
* http://www.filpizlo.com/papers.html

##### Source
* Runtime: [Source/JavaScriptCore/runtime](https://trac.webkit.org/browser/webkit/trunk/Source/JavaScriptCore/runtime)

#### Build (Ubuntu 18.04):

```
# sudo apt install libicu-dev python ruby bison flex cmake build-essential ninja-build git gperf
$ git clone git://git.webkit.org/WebKit.git && cd WebKit
$ Tools/gtk/install-dependencies
$ Tools/Scripts/build-webkit --jsc-only --debug
# A --debug build is written to WebKitBuild/Debug
$ cd WebKitBuild/Debug
$ LD_LIBRARY_PATH=./lib bin/jsc
```


#### JIT-Compiler: LLInt + Baseline JIT + DFG JIT + FTL JIT

WebKit has a 4-Layer JIT-Compiler system, representing the tradeoff between overhead performance cost and performance benefit.


Articles:
* [Introduction to Webkit's JavaScript JIT Optimizations](https://webkit.org/blog/3362/introducing-the-webkit-ftl-jit/)
* [Introducing the B3 JIT Compiler](https://webkit.org/blog/5852/introducing-the-b3-jit-compiler/)

##### Source
* [LLInt (Low Level Interpreter)](https://trac.webkit.org/browser/trunk/Source/JavaScriptCore/llint)
* [Baseline JIT](https://trac.webkit.org/browser/trunk/Source/JavaScriptCore/jit)
* [DFG JIT (Data Flow Graph JIT)](https://trac.webkit.org/browser/trunk/Source/JavaScriptCore/dfg)
* [FTL JIT (Faster Than Light Just In Time compiler)](https://trac.webkit.org/browser/trunk/Source/JavaScriptCore/ftl)


## Edge (Blink/EdgeHTML)

[Project](https://www.microsoft.com/en-us/windows/microsoft-edge) |
[GitHub](https://github.com/MicrosoftEdge)


Since Edge switched to Blink and the Chromium Project as its Rendering-Engine, Edge is using V8.
Originally, Edge had its own Rendering-Engine called EdgeHTML, which used the ChakraCore JavaScript-Engine.


### ChakraCore

[GitHub](https://github.com/Microsoft/ChakraCore) |
[How2Build](https://github.com/Microsoft/ChakraCore/wiki/Building-ChakraCore#linux)

#### Docs
* [Architecture Overview](https://github.com/Microsoft/ChakraCore/wiki/Architecture-Overview)

#### Source
* Runtime: [Types](https://github.com/Microsoft/ChakraCore/tree/master/lib/Runtime/Types)
* Runtime: [Language](https://github.com/Microsoft/ChakraCore/tree/master/lib/Runtime/Language)


#### Build (Ubuntu 18.04):

```
# To build ChakraCore on Linux: (requires Clang 3.7+ and Python 2)
$ apt-get install -y git build-essential cmake clang libicu-dev libunwind8-dev
$ git clone https://github.com/Microsoft/ChakraCore && cd ChakraCore
$ ./build.sh --cc=/usr/bin/clang-3.9 --cxx=/usr/bin/clang++-3.9 --arch=amd64 --debug
$ out/Debug/ch
```

# Exploitation

## Exploitation-Overview

* Saelo: [Attacking JavaScript-Engines](http://www.phrack.org/papers/attacking_javascript_engines.html)
* [Awesome-Browser-Exploitation](https://github.com/Escapingbug/awesome-browser-exploit)
* [Attacking WebKit applications (Slides)](https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf)
* Saelo: Attacking Client-Side JIT Compilers - BlackHat 2018
    * [Video](https://youtu.be/emt1yf2Fg9g)
    * [Slides](https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf)
* j0nathanj: From Zero to ZeroDay (Finding a Chakra Zero Day)
    * [Video](https://media.ccc.de/v/35c3-9657-from_zero_to_zero_day)
    * [Slides](https://github.com/j0nathanj/Publications/tree/master/35C3_From_Zero_to_Zero_Day)
* Saelo: Fuzzilli - (Guided-)fuzzing for JavaScript engines
    * [Video](https://www.youtube.com/watch?v=OHjq9Y66yfc)
    * [Slides](https://saelo.github.io/presentations/offensivecon_19_fuzzilli.pdf)


## Chromium Pwn

### Articles
* [Exploiting TurboFan Through Bounds Check Elimination](https://gts3.org/2019/turbofan-BCE-exploit.html)
* saelo: Exploiting Logic Bugs in JavaScript JIT Engines
    * [Phrack Article](http://phrack.org/papers/jit_exploitation.html)
    * [41con 19' slides](https://saelo.github.io/presentations/41con_19_jit_exploitation_tricks.pdf)

### CTF-Challenges
* 34c3: v9
    * [Sources](https://github.com/saelo/v9)
    * [WriteUp](https://gist.github.com/itsZN/9ae6417129c6658130a898cdaba8d76c) (Exploit-Script)
* 35c3: Krautflare
    * [Files](https://abiondo.me/assets/ctf/35c3/krautflare-33ce1021f2353607a9d4cc0af02b0b28.tar)
    * [WriteUp](https://abiondo.me/2019/01/02/exploiting-math-expm1-v8/)
    * [WriteUp](https://www.jaybosamiya.com/blog/2019/01/02/krautflare/)
* CSAW-Finals-2018: ES1337
    * [Files+WriteUp](https://github.com/osirislab/CSAW-CTF-2018-Finals/tree/master/pwn/ES1337)
* Plaid CTF 2018: Roll a dice
    * [Files](https://github.com/m1ghtym0/write-ups/tree/master/browser/plaid-2018-roll-a-dice)
    * [WriteUp](https://gist.github.com/saelo/52985fe415ca576c94fc3f1975dbe837)
    * [WriteUp](https://ctftime.org/writeup/9999)
* Google CTF Finals 2018: Just In Time
    * [Files+WriteUp](https://github.com/google/google-ctf/tree/master/2018/finals/pwn-just-in-time)
    * [Slides](https://github.com/google/google-ctf/blob/master/2018/finals/solutions.pdf)
    * [WriteUp](https://xz.aliyun.com/t/3348)
* *CTF 2019: oob-v8
    * [Files](https://github.com/Changochen/CTF/raw/master/2019/*ctf/Chrome.tar.gz)
    * [WriteUp](https://changochen.github.io/2019-04-29-starctf-2019.html)
    * [WriteUp](https://github.com/vngkv123/aSiagaming/blob/master/Chrome-v8-oob/README.md)
    * [WriteUp](https://github.com/alstjr4192/BGazuaaaaa/blob/master/*CTF%202019%20oob/pwn.js)
* RealWorldCTF Quals 2019: accessible
    * [Files](https://github.com/m1ghtym0/write-ups/tree/master/browser/realworldctf-quals-2019-accessible)
    * [WriteUp](https://mem2019.github.io/jekyll/update/2019/09/16/Real-World-2019-Accessible.html)

### RealWorld
* [MobilePwn2Own 2013 - Chrome on Android](https://docs.google.com/document/d/1tHElG04AJR5OR2Ex-m_Jsmc8S5fAbRB3s4RmTG_PFnw/edit)
* https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/
* niklasb: Chrome IPC Exploitation
    * [Video](https://www.youtube.com/watch?v=MMxtKq8UgwE)
    * [Slides](https://github.com/phoenhex/files/blob/master/slides/chrome_ipc_exploitation_offensivecon19.pdf)
* [CVE-2019-5782 Write-Up](https://github.com/vngkv123/aSiagaming/tree/master/Chrome-v8-906043)
* [CVE-2019-5790](https://labs.bluefrostsecurity.de/blog/2019/04/29/dont-follow-the-masses-bug-hunting-in-javascript-engines/)
* [CVE-2019-5786 Chrome Remote Code Execution Vulnerability Analysis](https://www.weibo.com/ttarticle/p/show?id=2309404351596157885398)


### Hardening & Mitigations
* [Heap-hardening](https://struct.github.io/oilpan_metadata.html)


## Firefox Pwn
### Articles

* [Playing around with SpiderMonkey](https://vigneshsrao.github.io/posts/play-with-spidermonkey/)
* [OR'LYEH? The Shadow over Firefox](http://www.phrack.org/issues/69/14.html)
* [A journey into IonMonkey: root-causing CVE-2019-9810](https://doar-e.github.io/blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/)

### CTF-Challenges
* 33c3: Feuerfuchs
    * [Sources](https://github.com/saelo/feuerfuchs)
    * [WriteUp](https://bruce30262.github.io/Learning-browser-exploitation-via-33C3-CTF-feuerfuchs-challenge/)
    * [WriteUp+Build](https://github.com/m1ghtym0/write-ups/tree/master/browser/33c3ctf-feuerfuchs)
* Blaze 2018: blazefox
    * [Sources](https://ctftime.org/task/6000)
    * [WriteUp](https://devcraft.io/2018/04/27/blazefox-blaze-ctf-2018.html)
    * [WriteUp](https://gist.github.com/niklasb/4bddc9e8f32c3bd277ed26d66d488834) (Exploit-Script)
    * [WriteUp](https://github.com/Jinmo/ctfs/blob/master/2018/blaze/pwn/blazefox.html) (Exploit-Script)
    * [Build+WriteUp](https://github.com/m1ghtym0/write-ups/tree/master/browser/blaze-ctf-2018-blazefox)
* 35c3 FunFox
    * [Sources](https://github.com/bkth/35c3ctf/tree/master/funfox)

### RealWorld
* Introduction to SpiderMonkey exploitation
    * [Article](https://doar-e.github.io/blog/2018/11/19/introduction-to-spidermonkey-exploitation/)
* Use-after-free in Spidermonkey (Beta 53)
    * [Article](https://phoenhex.re/2017-06-21/firefox-structuredclone-refleak#turning-a-use-after-free-into-a-readwrite-primitive)
    * [Talk](https://www.youtube.com/watch?v=D_9EFWYnBik)
    * [Slides](https://grehack.fr/data/2017/slides/GreHack17_Get_the_Spidermonkey_off_your_back.pdf)
* https://saelo.github.io/posts/firefox-script-loader-overflow.html
* Use-after-free in SpiderMonkey (64.0a1)
    * [Article](https://www.zerodayinitiative.com/blog/2019/7/1/the-left-branch-less-travelled-a-story-of-a-mozilla-firefox-use-after-free-vulnerability)
* CVE-2019-11707 Type Confusion
    * [WriteUp](https://blog.bi0s.in/2019/08/18/Pwn/Browser-Exploitation/cve-2019-11707-writeup/)
    * [Report](https://bugs.chromium.org/p/project-zero/issues/detail?id=1820)
* CVE-2019-11708 & CVE-2019-9810
    * [WriteUp](https://github.com/0vercl0k/CVE-2019-11708)


## Safari Pwn
### CTF-Challenges
* RealWorldCTF 2018: Engine for Neophytes
    * [Files](http://mightym0.de/ctf/rwctf-2018/allForPlayers.zip)
* 35c3: WebKid
    * [Sources](https://github.com/saelo/35c3ctf/tree/master/WebKid)
    * [WriteUp](https://github.com/LinusHenze/35C3_Writeups/tree/master/WebKid)

### RealWorld
* http://www.phrack.org/papers/attacking_javascript_engines.html
    * [Source](https://github.com/saelo/jscpwn)
    * [WriteUp+Build](https://github.com/m1ghtym0/write-ups/tree/master/browser/CVE-2016-4622)
* [Fuzzing Webkit and analysis of CVE-2019-8375](https://www.inputzero.io/2019/02/fuzzing-webkit.html)
* [CVE-2017-2446 WriteUp](https://doar-e.github.io/blog/2018/07/14/cve-2017-2446-or-jscjsglobalobjectishavingabadtime/)
* https://saelo.github.io/posts/jsc-typedarray.slice-infoleak.html
* https://github.com/saelo/pwn2own2018/tree/master/stage0
* https://github.com/LinusHenze/WebKit-RegEx-Exploit
* https://github.com/W00dL3cs/exploit_playground/tree/master/JavaScriptCore

### Hardening & Mitigations
* [Heap-hardening](https://labs.mwrinfosecurity.com/blog/some-brief-notes-on-webkit-heap-hardening/)
* CagedPtr [Source](https://github.com/WebKit/webkit/blob/master/Source/WTF/wtf/CagedPtr.h) & [ArrayBuffer Example](https://bugs.webkit.org/show_bug.cgi?id=175515)


## Edge Pwn

### Articles

* bkth: [Tale of Chakra Bugs](https://github.com/bkth/Tale-Of-Chakra-Bugs)
* bkth: Attacking Edge Through the JavaScript-Compiler
    * [Video](https://www.youtube.com/watch?v=r4J7Zu1RV40)
    * [Slides](https://github.com/bkth/Attacking-Edge-Through-the-JavaScript-Compiler)

### CTF-Challenges
* Plaid 2017: chakrazy
    * [WriteUp](https://bruce30262.github.io/Chakrazy-exploiting-type-confusion-bug-in-ChakraCore/)
* N1CTF 2018: Chakra
    * [Files](https://github.com/Nu1LCTF/n1ctf-2018/tree/master/challenges/pwn/Chakra)
* RealWorldCTF Quals 2019: Appetizer
    * [Files](https://github.com/m1ghtym0/write-ups/tree/master/browser/realworldctf-quals-2019-appetizer)
* Trend Micro CTF 2019: ChakraCore 400
    * [WriteUp](https://theromanxpl0it.github.io/articles/2019/09/09/Trend-Micro-CTF-ChakraCore-JIT-exploitation.html)
    * [WriteUp](https://balsn.tw/ctf_writeup/20190906-trendmicroctfqual/#400)
    * [Exploit](https://gist.github.com/itszn/3277e8aa56c91f8296d88d25d96df717)

### RealWorld
* bkth, S0rryMyBad: [Non JIT Bug, JIT Exploit](https://phoenhex.re/2019-05-15/non-jit-bug-jit-exploit)

# Tools

## Libraries:
* [pwnjs (A Javascript library for browser exploitation)](https://github.com/theori-io/pwnjs)

## Utils
* [int64.js](https://github.com/saelo/jscpwn/blob/master/int64.js)
* [utils.js](https://github.com/saelo/jscpwn/blob/master/utils.js)

## Debugging
* [shadow](https://github.com/CENSUS/shadow) jemalloc heap exploitation framework (heap allocator used by Firefox)

# JavaScript (ECMAScript) Docs

* [Types&Values](http://www.ecma-international.org/ecma-262/6.0/#sec-ecmascript-data-types-and-values)
* [Objects](http://www.ecma-international.org/ecma-262/6.0/#sec-objects)
* [Object-Properties](https://tc39.github.io/ecma262/#sec-property-attributes)