In this year's UIUCTF, they provided an interesting web challenge called Pwnypass, which revealed an intriguing timing-based behavior in the browser during navigation that can be leveraged by attackers. I give it a fancy name: EAR (Execution After Redirect) attack on the client side.
Recently, I start to maintain a repo related to 'web-pwn' in the github, which refer to the exploitation of memory-related vulnerabilities within essential web components like browsers, JavaScript runtimes, PHP runtimes, and others.