People tend to think exploiting browsers is about buffer overflows and complicated sandbox escapes. Testing for this type of bug can be largely automated, but it requires a lot of technical knowledge and usually involves a large set of tools.
Although memory-safety bugs are the main source of browser vulnerabilities, browser exploits relying on business logic bugs can easily be created by people with less technical knowledge of these components. A rather significant number of browser vulnerabilities can be discovered through black-box testing by simply challenging the logic of the sandbox and other security measures. I will present the techniques used and the vulnerabilities I found over the course of the last 2 years.