Abstract

Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and Control Flow Guard (CFG) are exploit mitigations enabled by default on the Windows 10 platform. Together, ASLR, DEP and CFG significantly increase the difficulty of exploitation. On Windows 10, even with an arbitrary read/write primitive, an attacker still needs a way to bypass CFG.

This talk is divided into two parts.

The first part introduces a new method to bypass the CFG and DEP mitigations. It uses the dark side of the Edge Shim to bypass CFG and DEP and obtain arbitrary code execution without ROP. This method received the Microsoft Mitigation Bypass Bounty and has the following advantages:

- No ROP is needed to exploit
- The exploit is stable
- CFG and DEP are bypassed at the same time

The second part discusses how to bypass ASLR. Dynamic languages use garbage collection to manage memory. Depending on whether the collector distinguishes data from pointers, garbage collection is either conservative or accurate (precise). The JavaScript engine of Microsoft Internet Explorer, jscript9, and the JavaScript engine of Microsoft Edge, chakra, both manage memory with a conservative mark-sweep garbage collector. Using a weakness of conservative garbage collection, we can bypass the ASLR mitigation without any memory-corruption vulnerability. This part covers three aspects:

- The weakness of conservative garbage collection, and the improvements Microsoft made to defend against it
- How to overcome Microsoft's improvements and use the weakness to exploit Internet Explorer and Microsoft Edge. Because the jscript9 and chakra engines differ in their implementations, the exploit methods differ as well. The Microsoft Edge chakra engine is hardened more strongly than the Internet Explorer jscript9 engine, so we discuss how to overcome the additional difficulty of exploiting Microsoft Edge
- Three exploit demos: Microsoft Edge on Windows 10, and Internet Explorer on Windows 7 and Windows 10