Back to All Events

WebAssembly Security from Reversing to Vulnerability Research

WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the “game changer for the web”. WebAssembly start to be used everywhere (not exhaustive):

  • Web-browsers (Desktop & Mobile)

  • Cryptojacking (Coinhive, Cryptoloot)

  • Servers (Nodejs, React, Cloudflare workers)

  • Video games (Unity, UE4)

  • Blockchain platforms (EOS/Ethereum/Dfinity)

  • Linux Kernel (Cervus, Nebulet)

  • Etc.

This courses will give you all the prerequisites to understand what’s a WebAssembly module and its associated virtual machine. At the end of this intensive 4 days, you will be able to reverse statically and dynamically a WebAssembly module, analyze its behavior, create detection rule and search for vulnerability insides. You will learn which security measures are implemented by the WebAssembly VM to validate and handle exceptions. Finally, you will discover how to find vulnerabilities inside WebAssembly VMs (Web-browsers, Standalone VM) using different fuzzing techniques. Along this training, students will deal with a lots of hands-on exercises allowing them to internalize concepts and techniques taught in class. Hope you will like it !!

Intended Audience

This class is intended for everyone that want to understand deeper how WebAssembly works such as:

  • Malware analysts dealing with detection signatures.

  • Pentester planning to audit WebAssembly module.

  • Vulnerability researchers looking for new targets.

  • Developers that start using WebAssembly.

  • Smart contract auditors.

  • Etc.


Day 1

  • Introduction to WebAssembly

  • WebAssembly VM architecture

  • WebAssembly toolchain

  • Writing examples in C/C++/Rust/C#

  • Debugging WebAssembly module

  • WASM binary format (header, sections, ...)

  • WebAssembly Text Format (wat/wast)

  • WebAssembly Instructions set

  • Writing examples using WASM Text format

  • Reversing WebAssembly module

  • CFG & CallGraph reconstruction

  • DataFlowGraph analysis

Day 2

  • Modules Instructions analytics/metrics

  • WASM cryptominers analysis

  • Pattern detection signatures (YARA rules, ...)

  • Taint Tracking

  • Dynamic Binary Instrumentation

  • Bytecode (De)-Obfuscation techniques

  • Static Single Assignment & Decompilation

  • Real-life WASM module analysis

  • WebAssembly video game hacking

Day 3

  • Traps & Exception handling

  • WebAssembly module vulnerabilities

  • Integer/Buffer/Heap Overflows

  • Advanced vulnerabilities (UaF, TOCTOU...)

  • CFI Hijacking

  • Emscripten vulnerabilities

  • Exploitation NodeJS server running wasm module

  • Vulnerability detection (Static & Dynamic)

  • Lifting WASM bytecode

  • Fuzzing WebAssembly modules

Day 4

  • Web-Browsers vulnerabilities analysis (CVEs PoC)

  • WebAssembly VM & Interpreter vulnerabilities

  • WebAssembly JS APIs generation

  • Fuzzing Web-Browsers (Chrome, Firefox, WebKit)

  • WASM module validation mechanism

  • Writing edge case module

  • WAT, WAST & WASM grammar generation

  • Interesting VM targets (kernel, blockchain, ...)

  • Fuzzing C/C++/Rust/Go based WASM project

  • WebAssembly for Security Researcher

Class Requirements


  • Basic reverse engineering skills.

  • Familiarity with scripting languages (Python, Bash).

  • Familiarity with C/C++ or Rust programming.



  • A notebook capable of running virtual machines.

  • Enough hard disk space to run VM

Minimum Software to Install

  • Virtual machine (VirtualBox preferred)

  • Administrator / root access required.

  • IDA helpful, but not required.

Patrick Ventuzelo

Patrick Ventuzelo is a French independent security researcher specializing in vulnerability research, reverse engineering, security tool development, and program analysis. Patrick is the author of Octopus, the first open-source security analysis tool that support WebAssembly and multiple blockchain smart contract to help researchers perform analysis on closed-source bytecode.

Previously, he worked for Quoscient GmbH, P1 Security, the French Department Of Defense and Airbus D&S Cybersecurity.

Patrick has been speaker and trainer at various international conferences such as REcon Montreal, Toorcon,, Northsec, REcon Brussels, SSTIC, BlackAlps, FIRST, Microsoft DCC, Devcon, etc.

Twitter: @Pat_Ventuzelo

Personal blog: