What is old becomes new

With the advent of Wasm, vulnerability classes that typically do not exist in web applications enter the web app context. These classes are not new in themselves; they date back to the 90's. They are new only in the sense that they had typically not been seen in a web app context before Wasm came along. In this whitepaper, we will look at some examples of these vulnerability classes.

Specifically, most issues we will cover are related to memory safety, and the old vulnerability classes we will look at are the following:

Buffer overflow

Buffer overread in an integer overflow scenario

Function pointer overwrite: redirection of execution to similar function

Function pointer overwrite: redirection of execution to non-similar function

Format string bugs

Our focus is on how these vulnerability classes affect Wasm web applications written in memory-unsafe languages. The discussion of each vulnerability class is accompanied by a very simple example of vulnerable code, showing how to exploit it.

Figure 1 - Command injection against a database achieved via a buffer overflow in a Wasm module
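The scenario in Figure 1 rests on one property of Wasm linear memory: it is a single flat byte array, bounds-checked only at its end, with no guard pages between the objects a compiler places in it. An unbounded copy into a fixed-size buffer therefore silently overwrites whatever the compiler laid out after it, which in Figure 1 is a query string. The C program below is an added example written for this page, not code from the whitepaper; it lays out a small slice of "linear memory" by hand (the offsets, buffer sizes and query text are assumptions chosen so the name buffer sits directly before the query) and shows the vulnerable copy next to a bounded one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hand-laid-out slice of "linear memory". Real Wasm memory is one flat
 * byte array bounds-checked only at its edge, with no guard pages or
 * canaries between objects. The offsets below are assumptions made for
 * this example so that the name buffer is immediately followed by the
 * query string. */
#define MEM_SIZE  128
#define NAME_OFF  0
#define NAME_LEN  16
#define QUERY_OFF 16

static unsigned char mem[MEM_SIZE];

/* Reset memory and place the hard-coded query the module will send. */
static void init_memory(void) {
    const char *q = "SELECT * FROM users WHERE id=1";
    memset(mem, 0, sizeof mem);
    memcpy(mem + QUERY_OFF, q, strlen(q) + 1);
}

/* Vulnerable: strcpy-style copy of untrusted input into the 16-byte name
 * buffer with no length check. Wasm only traps if a write leaves linear
 * memory entirely, which abort() models here; everything before that
 * point silently overwrites whatever lives after the buffer. */
static void vuln_copy_name(const char *input) {
    size_t i;
    for (i = 0; input[i] != '\0'; i++) {
        if (NAME_OFF + i >= MEM_SIZE) abort();   /* left linear memory: trap */
        mem[NAME_OFF + i] = (unsigned char)input[i];
    }
    if (NAME_OFF + i >= MEM_SIZE) abort();
    mem[NAME_OFF + i] = '\0';
}

/* Hardened: bounded copy, truncating to what the buffer can hold and
 * always leaving room for the terminator. */
static void safe_copy_name(const char *input) {
    size_t n = strlen(input);
    if (n > NAME_LEN - 1) n = NAME_LEN - 1;
    memcpy(mem + NAME_OFF, input, n);
    mem[NAME_OFF + n] = '\0';
}

/* The query string as it currently sits in memory, i.e. exactly what
 * would be handed to the database driver. */
static const char *current_query(void) {
    return (const char *)(mem + QUERY_OFF);
}

static const char *current_name(void) {
    return (const char *)(mem + NAME_OFF);
}

/* Load the query, copy the attacker-controlled name in, return the query. */
static const char *run_query(const char *input, int hardened) {
    init_memory();
    if (hardened) safe_copy_name(input);
    else          vuln_copy_name(input);
    return current_query();
}

int main(void) {
    /* Constructed payload: 16 bytes fill the name buffer up to QUERY_OFF,
     * and the rest replaces the query the module thinks it is sending. */
    const char *payload = "AAAAAAAAAAAAAAAA" "DROP TABLE users;--";
    printf("vulnerable: %s\n", run_query(payload, 0));
    printf("hardened:   %s\n", run_query(payload, 1));
    return 0;
}
```

The bounds check the Wasm runtime performs is on the edge of linear memory, not on the C object, which is why the overflow is silent until the payload is far larger than the buffer. Which object actually neighbours a given buffer in a real module depends on how the compiler lays out the Wasm stack and data segments; the example fixes that layout by hand so the effect is deterministic.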

We will also briefly look at Wasm in terms of Use-After-Free bugs, before rounding off with a high-level comparison of exploiting Wasm applications versus native applications.
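The two function-pointer classes in the list above turn on one difference from native code: in Wasm a C function pointer is not an address but an index into the module's table, and call_indirect checks the callee's signature against the expected one at runtime, trapping on mismatch. An overwritten pointer can therefore be steered to another function of the same type (the "similar function" case) but not to an arbitrary one (the "non-similar function" case traps). The C program below is an added example written for this page, not code from the whitepaper; it simulates the table with explicit signature tags and a hand-laid-out slice of linear memory, and the offsets, function names and tags are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated Wasm indirect-call table. Each slot carries a signature tag
 * standing in for the runtime type check that call_indirect performs. */
typedef enum { SIG_I32_TO_I32 = 1, SIG_VOID_TO_VOID = 2 } sig_t;

static int  add_one(int x)        { return x + 1; }
static int  times_two(int x)      { return x * 2; }
static void drop_everything(void) { /* privileged, and of a different type */ }

typedef struct { void (*fn)(void); sig_t sig; } slot_t;

static const slot_t table[] = {
    { (void (*)(void))add_one,   SIG_I32_TO_I32 },
    { (void (*)(void))times_two, SIG_I32_TO_I32 },
    { drop_everything,           SIG_VOID_TO_VOID },
};
#define TABLE_SIZE (sizeof table / sizeof table[0])

/* Hand-laid-out linear memory: a 16-byte name followed by the 4-byte table
 * index of a callback, little-endian as Wasm is. Offsets are assumptions. */
#define MEM_SIZE 32
#define NAME_OFF 0
#define CB_OFF   16
static unsigned char mem[MEM_SIZE];

/* Zeroed memory means callback index 0, i.e. add_one. */
static void reset_memory(void) { memset(mem, 0, sizeof mem); }

static unsigned int read_cb_index(void) {
    return (unsigned int)mem[CB_OFF]
         | (unsigned int)mem[CB_OFF + 1] << 8
         | (unsigned int)mem[CB_OFF + 2] << 16
         | (unsigned int)mem[CB_OFF + 3] << 24;
}

/* Vulnerable unbounded copy: byte 17 onwards of the input lands on the
 * callback index. abort() models the trap for leaving linear memory. */
static void vuln_set_name(const char *input) {
    size_t i;
    for (i = 0; input[i] != '\0'; i++) {
        if (NAME_OFF + i >= MEM_SIZE) abort();
        mem[NAME_OFF + i] = (unsigned char)input[i];
    }
    if (NAME_OFF + i >= MEM_SIZE) abort();
    mem[NAME_OFF + i] = '\0';
}

/* call_indirect with expected type i32 -> i32: bounds-check the index,
 * check the signature, then call. Returns 1 and sets *out on success,
 * 0 on trap (index out of range or signature mismatch). */
static int call_indirect_i32(unsigned int idx, int arg, int *out) {
    if (idx >= TABLE_SIZE) return 0;
    if (table[idx].sig != SIG_I32_TO_I32) return 0;
    *out = ((int (*)(int))table[idx].fn)(arg);
    return 1;
}

/* Store the untrusted name, then dispatch to whatever index is now in
 * memory. Returns the callback's result, or -1 if the call trapped. */
static int dispatch(const char *input, int arg) {
    int out;
    reset_memory();
    vuln_set_name(input);
    if (!call_indirect_i32(read_cb_index(), arg, &out)) return -1;
    return out;
}

int main(void) {
    /* Constructed inputs: 16 bytes fill the name, the next byte becomes
     * the low byte of the index and the terminator zeroes the byte after. */
    printf("benign:           %d\n", dispatch("bob", 21));
    printf("similar function: %d\n", dispatch("AAAAAAAAAAAAAAAA\x01", 21));
    printf("other signature:  %d\n", dispatch("AAAAAAAAAAAAAAAA\x02", 21));
    printf("out of table:     %d\n", dispatch("AAAAAAAAAAAAAAAA\x09", 21));
    return 0;
}
```

Redirecting to times_two works because it shares the i32 -> i32 type; redirecting to drop_everything or past the end of the table traps instead. This is the structural reason the whitepaper separates the "similar" and "non-similar" cases, and it is also a practical caveat: a trap still aborts the module, so even the failed redirection is a denial of service.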

Download link

The full technical analysis is available for download here.