TOORCON 21 | 4-Day WebAssembly Security Training

Dates: 04th Nov – 07th Nov 2019
(4 days)
Hosted by: ToorCon – San Diego 2019
Location: The Point, 1010 Santa Clara Pl, San Diego, CA 92109
Instructor: Patrick Ventuzelo
Availability: 20 Seats
Language: English


WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the “game changer for the web”.

WebAssembly is used everywhere (not exhaustive):

Web-browsers (Desktop & Mobile)
Cryptojacking (Coinhive, Cryptoloot)
Servers (Nodejs, React, Cloudflare workers) 
Video games (Unity, UE4)
Blockchain platforms (EOS/Ethereum/Dfinity)
Linux Kernel (Cervus, Nebulet)

This courses will give you all the prerequisites to understand what’s a WebAssembly module and its associated virtual machine. At the end of this intensive 4 days, you will be able to reverse statically and dynamically a WebAssembly module, analyze its behavior, create detection rule and search for vulnerability insides. You will learn which security measures are implemented by the WebAssembly VM to validate and handle exceptions. Finally, you will discover how to find vulnerabilities inside WebAssembly VMs (Web-browsers, Standalone VM) using differents fuzzing techniques.

Along this training, students will deal with a lots of hands-on exercises allowing them to internalize concepts and techniques taught in class.


4000$ (First 5 registration)
4500$ (until 04 November 2019)


Trainings are also available at a location of your choice.


Day 1 – WebAssembly Reversing

Introduction to WebAssembly
WebAssembly VM architecture
WebAssembly toolchain
Writing examples in C/C++/Rust/C#
Debugging WebAssembly module
WASM binary format (header, sections, …)
WebAssembly Text Format (wat/wast)
WebAssembly Instructions set
Writing examples using WASM Text format
Reversing WebAssembly module
CFG & CallGraph reconstruction
DataFlowGraph analysis

Day 2 – Real-life Modules Analysis

Modules Instructions analytics/metrics
WASM cryptominers analysis
Pattern detection signatures (YARA rules, …)
Taint Tracking
Dynamic Binary Instrumentation
Bytecode (De)-Obfuscation techniques
Static Single Assignment & Decompilation
Real-life WASM module analysis
WebAssembly video game hacking

Day 3 – Wasm Modules Vulnerabilities

Traps & Exception handling
WebAssembly module vulnerabilities
Integer/Buffer/Heap Overflows
Advanced vulnerabilities (UaF, TOCTOU…)
CFI Hijacking
Emscripten vulnerabilities
Exploitation NodeJS server running wasm module
Vulnerability detection (Static & Dynamic)
Lifting WASM bytecode
Fuzzing WebAssembly modules

Day 4 – Vulnerability Research inside Wasm VM

Web-Browsers CVEs analysis (PoC)
WebAssembly VM & Interpreter vulnerabilities
WebAssembly JS APIs generation
Fuzzing Web-Browsers (Chrome, Firefox, WebKit)
WASM module validation mechanism
Writing edge case module
WAT, WAST & WASM grammar generation
Interesting VM targets (kernel, blockchain, …)
Fuzzing C/C++/Rust/Go based WASM project
WebAssembly for Security Researcher



Basic reverse engineering skills.
Familiarity with scripting languages (Python, Bash).
Familiarity with C/C++ or Rust programming.


A notebook capable of running virtual machines.
Enough hard disk space to run VM

Minimum Software to Install

Virtual machine (VirtualBox preferred)
Administrator / root access required.
IDA helpful, but not required.

Early Bird

  • Course material (~600 slides in pdf)
  • Training VM (softwares/tools)
  • Certificat of Completion
  • Toorcon Admission Blue 3 Day Pass


  • Course material (~600 slides in pdf)
  • Training VM (softwares/tools)
  • Certificat of Completion
  • Toorcon Admission Blue 3 Day Pass

Onsite Training

We offer the world’s first WebAssembly security training. Our onsite trainings start at just 5 participants. We recommend 4 or 5 day formats to our customers. Customization of the training (like blockchain smart contract focused) is possible, but subject to an extra fee for the additional effort.

Check out the complete training content we can offer.