11. Web Assembly (WASM)
1. What is WebAssembly (WASM) on the Web?
1.1 BLUF
WebAssembly (.wasm) is a low-level binary format that allows developers to run fast, compiled code inside the browser. It’s like running C, C++, or Rust on the web with near-native performance. For bug bounty hunters, it’s often used to hide or optimize logic that might be interesting to reverse or exploit.
1.2 What is WebAssembly?
It is:
-
A compact binary format (
.wasm) -
Meant to run alongside JavaScript in the browser
-
Portable and secure, designed to execute in a sandboxed environment
-
Supported by all modern browsers (Chrome, Firefox, Safari, Edge)
It is not:
-
A replacement for JavaScript (yet)
-
Easy to read or write manually
-
Designed for dynamic runtime logic like JS
1.2.1 Resources
https://developer.mozilla.org/en-US/docs/WebAssembly/Guides/Concepts
https://developer.mozilla.org/en-US/docs/WebAssembly
https://webassembly.org/getting-started/developers-guide/
https://www.reddit.com/r/webdev/comments/lg270e/how_can_one_get_started_with_wasm_webassembly/?rdt=47335
https://devopscurry.medium.com/a-beginners-guide-to-webassembly-wasm-bf206293af78
https://wasmbyexample.dev/home.en-us.html
https://evilmartians.com/chronicles/hands-on-webassembly-try-the-basics
https://wasmbyexample.dev/examples/hello-world/hello-world.assemblyscript.en-us
https://www.unknowncheats.me/forum/general-programming-and-reversing/676216-beginners-guide-web-assemblies-wasm.html
https://www.unknowncheats.me/forum/general-programming-and-reversing/603157-web-assembly-wasm-reversing.html
https://www.unknowncheats.me/forum/general-programming-and-reversing/622823-node-module-napi-trying-patch-hook-functions-webassembly-game.html
https://www.unknowncheats.me/forum/general-programming-and-reversing/622823-node-module-napi-trying-patch-hook-functions-webassembly-game.html
1.3 Why Do Developers Use WebAssembly?
| Use Case | Purpose |
|---|---|
| Cryptographic operations | For speed and safety with hashes or keys |
| Game engines / 3D | High-performance rendering and interaction |
| Compression / codecs | Fast processing of files and streams |
| PDF / CAD / AI tools | Porting complex native libraries to browser |
| Security logic | Attempt to hide business logic from users |
1.4 How Is WebAssembly Used on the Web?
WebAssembly is typically loaded using JavaScript. Here’s a common example:
fetch('module.wasm')
.then(response => response.arrayBuffer())
.then(buffer => WebAssembly.instantiate(buffer, { env: {} }))
.then(wasmModule => {
wasmModule.instance.exports.doSomething();
});
-
The
.wasmfile is fetched like any static file. -
It is instantiated with an optional import object.
-
Functions can then be called from JS.
1.5 WebAssembly for Bug Bounty Hunting
For bug bounty hunters, .wasm files are juicy targets because they might:
-
Include business logic previously hidden in JavaScript
-
Perform client-side validation checks (PIN, passwords, signatures)
-
Contain hardcoded secrets or keys
-
Perform crypto or encoding tasks that are normally obfuscated
What to look for:
-
Functions like
validate,encrypt,verify -
Constants, strings, base64 blobs
-
Memory manipulations or manual encoding
-
Exposed exports you can call or abuse
1.6 Security Perspective
WebAssembly is safe in the sense that:
-
It runs in the browser’s sandbox
-
It cannot access your filesystem or OS
But from a security research standpoint:
-
.wasmcan be decompiled (e.g. to.wat) -
Logic can be patched, recompiled, and tested
-
Exports can be directly called or fuzzed
-
Vulnerabilities in the logic can be exploited
Tools and hacking steps