Fuzzing npm/nodejs WebAssembly parsing library with jsfuzz
I asked recently on Twitter what my next blog post subject should be, and voters chose this one, so here it is.
Just a quick reminder before we start: if you are interested in WebAssembly security (both reversing and fuzzing), my next public trainings will be in:
1. Fuzzer: Jsfuzz
Jsfuzz is both user-friendly and efficient, especially when fuzzing parsing libraries. You only need to implement the following function to start fuzzing your target; all the fuzzing/mutation logic, coverage collection and crash detection is handled by jsfuzz.
2. Target: @webassemblyjs/wasm-parser
webassemblyjs is a set of 22 dedicated packages for WebAssembly module manipulation. Most of them are really popular npm packages with more than 6 million weekly downloads each, like these:
3. Setup the fuzz target script
The process to set up a fuzz target script with jsfuzz is extremely simple. The first step is to create a corpus of valid WebAssembly modules, like the ones in Mozilla's GitHub repository: MDN webassembly-examples.
Then, run the fuzzer with the following command:
jsfuzz fuzz-wasm-parser.js corpus-wasm
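As an added example (not the post's own script), here is a fuzz-wasm-parser.js target in the shape jsfuzz expects: it exports fuzz(buf), swallows the parser's expected rejections of malformed input and lets every other exception propagate so jsfuzz reports it as a crash. Assumptions: decode() is the wasm-parser entry point and its malformed-input errors are named CompileError; the injectable decode parameter and the string return values exist only so the classification logic can be exercised without the package installed.

```javascript
// fuzz-wasm-parser.js (added example). jsfuzz repeatedly calls the exported
// fuzz(buf) with mutated Buffers derived from the seed corpus; any exception
// that escapes fuzz() is recorded as a crash together with the input.
"use strict";

// Smallest valid module: magic "\0asm" followed by version 1 (constructed seed,
// useful as a corpus entry so mutations start from a well-formed header).
const EMPTY_MODULE = Buffer.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Load the real parser lazily so this file can be required without it.
// Assumption: decode(buf) is the @webassemblyjs/wasm-parser entry point.
function loadDecoder() {
  return require("@webassemblyjs/wasm-parser").decode;
}

// A CompileError means the parser correctly refused malformed input; that is
// the expected outcome for most mutated buffers and must not count as a crash.
// Assumption: the parser's rejection errors carry the name "CompileError".
function isExpectedParseError(err) {
  if (!(err instanceof Error)) return false;
  const ctorName = err.constructor && err.constructor.name;
  return err.name === "CompileError" || ctorName === "CompileError";
}

// Fuzz entry point. jsfuzz calls fuzz(buf) with one argument, so the default
// parameter loads the real decoder; tests may inject a stand-in (assumption
// made for this example, not part of the jsfuzz contract).
function fuzz(buf, decode = loadDecoder()) {
  try {
    decode(buf);
    return "parsed";
  } catch (err) {
    if (isExpectedParseError(err)) return "rejected";
    // RangeError, TypeError, stack overflow, etc. are findings: rethrow so
    // jsfuzz saves the crashing input. An OOM kill cannot be caught here.
    throw err;
  }
}

module.exports = { fuzz, isExpectedParseError, EMPTY_MODULE };
```

Run it with the command above; an out-of-memory abort like the one the post describes shows up as the node process dying rather than as a caught exception.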
4. Result: OOM/DoS of nodejs triggered
Once the most common exceptions are handled using try/catch, jsfuzz will start to generate fuzzing status logs and eventually crash, as in the following picture.
This bug is triggered really quickly (less than a minute) by the fuzzer with my wasm module corpus.
I quickly minimized the crashing buffer, created a reproducer JS file and directly opened an issue on the webassemblyjs GitHub repository.
Final reminder: if you want to learn/discover more about WebAssembly security (both reversing and fuzzing), my next public trainings will be in:
If you want to contact me for consulting, please DM me on Twitter/LinkedIn or use the following contact form.