Webbrowser
Contents
Web Content Guidelines[edit]
- PS Vita Web Content Guidelines v3.00
- PS3 Web Content Guidelines v3.10
- PS4 Web Content Guidelines v1.50
Supports[edit]
- Cookies
- Javascript 1.7
- partial HTML 5
- Partial Video support (added from 2.10 update)
Not supported[edit]
- Flash
- Youtube (no HTML5: video)
Known Useragents[edit]
PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita) PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)
Useragent (Vita TV has trailing "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" as subidentifier):
Table below indicates known and unknown. "YES" = known vulnerability in use, "NO" = unknown if vulnerability in use.
| useragent | version | vulnerability |
|---|---|---|
| Mozilla/5.0 (PlayStation Vita 1.00) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.000.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.03) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.030.010 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.04) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.040.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.05) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.050.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.06) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.060.010 | Yes |
| Mozilla/5.0 (Playstation Vita 1.50) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.500.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.51) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.510.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.52) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.520.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.60) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.600.000 | Yes |
| Mozilla/5.0 (Playstation Vita 1.61) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.610.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.65) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.650.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.66) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.660.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.67) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.670.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.69) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.690.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.80) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.800.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.81) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.810.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.000.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.010.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.02) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.020.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.05) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.050.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.06) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.060.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.100.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.11) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.110.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.120.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.50) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.500.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.60) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.600.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.61) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.610.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.000.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.010.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.100.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.120.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.15) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.150.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.18) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.180.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.20) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.200.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.30) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.300.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.35) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.350.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.36) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.360.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.50) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.500.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.52) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.520.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.55) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.550.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.57) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.570.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.60) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.600.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.610.000 | No |
Webkit exploits[edit]
Terminology[edit]
An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
An information security exposure is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
Common Vulnerabilities and Exposures list[edit]
1.50-1.81 (CVE-2010-1807 and CVE-2010-4577)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
- http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
- https://code.google.com/p/chromium/issues/detail?id=63866
2.00-3.20 (CVE-2013-0903-1)
- Acama's write-up
- http://packetstormsecurity.com/files/123088/
- http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html
- related to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748
3.30-3.36 (CVE-2014-1303)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1303
- http://wololo.net/2015/04/22/new-webkit-exploit-found-vita-maybe-playstation-4
- https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF
- https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf
- https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf
3.50-3.60 (no CVE at the time it was written, credits to xyz)
Repositories[edit]
<=1.81 webkit exploit PoC:
- article by Davee
- discarded repro reduction for <=1.81 by Josh Axey
1.50-1.69-1.80 HTMLit:
- htmlit by Davee
ROPtool:
- roptool article by Davee
- old version by Davee
- first release by Davee
- new version by Davee
1.61 files for HTMLit and ROPtool:
- files+webkitby xyz
1.80 files for ROPtool:
- files by Davee
1.81 ROP:
- Support_Uri ROP script by SMOKE
- VitaROP by SMOKE
2.60 webkit exploit PoC:
- credits article
- psvita-260-webkit by Davee
- psvita-webkit by Davee
3.18 webkit exploit PoC:
- codelion_poc by Codelion and BrianBTB
3.01-3.15-3.18 memory dumping:
- memory-splicer by Archaemic
- JSoS-Module-Dump-Release by BrianBTB
- http://pastie.org/private/ugchhaqctvmw5rrg5w37ka <- load more modules for the JSoS module dumper :)
- memtools_vita by BrianBTB
3.15-3.18 webkitties:
- webkitties by Acama
3.00-3.15-3.18 vitasploit:
- vitasploit (dead link) by Hykem
- vitasploit (mirror) by Hykem
2.02-2.12-3.00-3.01-3.18 vitasploit:
- vitasploit by xyz
3.36 webkit exploit:
- 3.36 webkit exploit by xyz
2.00-2.01-2.02-2.05-2.10-2.11-2.12-2.50-2.60-2.61-3.00-3.01-3.10-3.12-3.18-3.20 + 3.30-3.35-3.36 vitasploit:
- vitasploit by Sorvigolova
Other tools:
- vitadump IDA plugin by xyz
Online Tests[edit]
Webkit Modules[edit]
- (3.18 dump) dead link
| Module | Remark |
|---|---|
| SceAacenc | |
| SceActivityDb | |
| SceAppUtil | |
| SceAtrac | |
| SceAudiocodec | |
| SceAvcodecUser | |
| SceAvPlayer | |
| SceBeisobmf | |
| SceBemp2sys | |
| ScebXCe | |
| SceCheckoutDialogPlugin | |
| SceClipboard | |
| SceCommonDialog | |
| SceCommonGuiDialog | |
| SceDbrecoveryUtility | |
| SceDbutil | |
| SceDriverUser | |
| SceDrmPsmKdc | |
| SceFiber | |
| SceFriendListDialogPlugin | |
| SceGpuEs4User | |
| SceGxm | |
| SceHafnium | |
| SceHandwriting | |
| SceIme | |
| SceImeDialogPlugin | |
| SceIniFileProcessor | |
| SceJpegArm | |
| SceJpegEncArm | |
| SceLibc | |
| ScelibDbg | |
| SceLibFios2 | |
| SceLibft2 | |
| SceLibG729 | |
| SceLibGameUpdate | |
| SceLibHttp | |
| SceLibJson | |
| SceLibKernel | |
| SceLibLocation | |
| SceLibLocationExtension | |
| SceLibMp4Recorder | |
| SceLibNetCtl | |
| SceLibPgf | |
| SceLibPspnetAdhoc | |
| SceLibPvf | |
| SceLibRudp | |
| SceLibSsl | |
| SceLibVitaJSExtObj | |
| SceLibXml | |
| SceLiveAreaUtil | |
| SceMp4 | |
| SceMsgDialogPlugin | |
| SceMusicExport | |
| SceNearDialogUtil | |
| SceNearProfile | |
| SceNearUtil | |
| SceNet | |
| SceNetAdhocMatching | |
| SceNetCheckDialogPlugin | |
| SceNgsUser | |
| SceNotificationUtil | |
| SceNpActivity | |
| SceNpActivityNet | |
| SceNpBasic | |
| SceNpCommerce2 | |
| SceNpCommon | |
| SceNpCommonPs4 | |
| SceNpFriendPrivacyLevel | |
| SceNpKdc | |
| SceNpManager | |
| SceNpMatching2 | |
| SceNpMessage | |
| SceNpMessageContactsPlugin | |
| SceNpMessageDialogPlugin | |
| SceNpMessageDlgImplPlugin | |
| SceNpPartyGameUtil | |
| SceNpScore | |
| SceNpSignaling | |
| SceNpSnsFacebook | |
| SceNpTrophy | |
| SceNpTus | |
| SceNpUtility | |
| SceNpWebApi | |
| ScePaf | |
| ScePartyMemberListPlugin | |
| ScePhotoExport | |
| ScePhotoImportDialogPlugin | |
| ScePhotoReviewDialogPlugin | |
| ScePromoterUtil | |
| ScePsp2Compat | |
| SceSasUser | |
| SceSaveDataDialogPlugin | |
| SceScreenShot | |
| SceShellSvc | |
| SceShutterSound | |
| SceSqlite | |
| SceSqliteVsh | |
| SceStoreCheckoutPlugin | |
| SceSystemGesture | |
| SceTeleportClient | |
| SceTeleportServer | |
| SceTrophySetupDialogPlugin | |
| SceUlt | |
| SceVideoExport | |
| SceVoice | |
| SceVoiceQoS | |
| SceWebFiltering | |
| SceWebKit | |
| SceWebKitProcess |
Browsertests[edit]
Access to the PS3 Store and get content in Vita[edit]
Video
PS Vita's browser has some secrets function, such as enter in ps store or open an app.
For example:
| psns:browse?category=PN.P3.US-PN.P3.GAME.US-BASE | opens PS3 store US region |
|---|---|
| psns:browse?product=IP9100-PCSI00002_00-MUSICUNLIMITED00 | opens Music Unlimited product |
How it works
psns:browse
This command supports several arguments, the most usables are:
psns:browse?category= psns:browse?product=
By defining a category or product ID, this command will redirect you to the PSN Store and show you the chosen category/product. A few examples:
The syntax for categories works as follows:
PN + CONSOLE ID + REGION ID + PN + CONSOLE ID + STORE ID + REGION ID + PAGE
Common Console ID's are:
P3 --> PS3 VT --> PS VITA PC --> MEDIA GO / PSP
Common Store ID's are:
GAME or VIDEO
Redeem Comand
psns:redeem?code1=123&code2=456&code3=789
This command will immediantly prompt you to the PSN Stores' redeem function, taking the arguments with it.
