A Journey Into Fuzzing WebAssembly Virtual Machines [BlackHat USA 2022]

Abstract: Since the MVP release in 2017, WebAssembly has evolved gradually, bringing new adepts and new VM implementations over time. It’s now possible to run WebAssembly modules in every modern browser, in some blockchains, or using a standalone VM. In the same way that multiple JavaScript…

Introduction to V8 JavaScript Engine Grammar-based Fuzzing

Introduction to V8 JavaScript Engine Grammar-based Fuzzing with Dharma

In this short hands-on workshop, we will attack the V8 JavaScript Engine using grammar-based fuzzing. First, I will show how to download a version of V8 already compiled with AddressSanitizer (ASAN). Then, I will introduce how to write a Dharma grammar and finally, we will use…

Top 7 books to learn WebAssembly in 2022

Today, I discuss my favorite books if you are looking to learn more about WebAssembly and wasm security: Learn WebAssembly; WebAssembly in Action; What Is WebAssembly?; The Art of WebAssembly; WebAssembly: The Definitive Guide; Programming WebAssembly with…

Top 4 books to learn Web Browser Security in 2022

Today, I discuss my favorite books if you are looking to learn more about Web Browser internals and Browser security: The Tangled Web; High-Performance Browser Networking (also online); The Browser Hacker’s Handbook; The Google Chrome Comic. https://youtu.be/UTLFkKnAsiA…

Fuzzing Browsers DOM using FreeDom grammar-based fuzzer

In this video, I will first explain how to download a Chrome ASAN build. Then, I’ll detail what the DOM (Document Object Model) is and how it is used by web browsers. I’ll use the FreeDom grammar-based fuzzer to generate some HTML files and create a simple script to process…

Fuzzing Firefox using In-process Fuzzing with Frida

As asked by a lot of you, today’s blog post is about browser security. First, I will show how to easily download Firefox compiled with AddressSanitizer (ASAN). Then, I will show how to use Frida to list all modules and exports of Firefox. I will show some other interesting…

Fuzzing JavaScript WebAssembly APIs using Dharma/Domato (Chrome/v8)

Fuzzing JavaScript WebAssembly APIs using Dharma/Domato (V8 engine)

First of all, Happy new hacking year everyone 😉 I got asked multiple times if fuzzing WebAssembly APIs of JavaScript engines is complicated, so here is a short tutorial using Dharma (but you can use Domato if you prefer). In this blog post, I will first detail which WebAssembly…

How to create a valid polyglot HTML/JS/WebAssembly module

How to create polyglot HTML/JS/WebAssembly module

Just a bit of context first: last month I was at the hack.lu conference to give a workshop about “Reversing WebAssembly module 101” and spent some amazing time with friends. The workshop went well, attendees were really interested and, even better, I received the award for the best talk/workshop…

Analysis of Google Keep WebAssembly module

Last month, I was at REcon Montreal to give my training about WebAssembly Security, and after some discussion people always ask me this question: Is WebAssembly already used in the wild? The answer is of course YES, and some WebAssembly modules are potentially running right now in your browser…