The growth in the adoption of the WebAssembly (WASM) standard has given rise to a rapidly increasing landscape of binary applications that are natively ported to the environment of websites. The flexibility of WASM has made it the preferred way to run fast and resource-heavy applications, replacing a field that JavaScript previously monopolized. Despite its success, researchers have raised concerns over the security implementations of WASM, demonstrating that binary vulnerabilities, such as Buffer Overflows and Use After Free, remain a present danger for WASM binaries. Our work aims to demonstrate that such vulnerabilities, when occurring on a WebAssembly module, can affect the behavior of a web application in unexpected ways, enabling an attacker to exploit vulnerabilities that are typical of the web security landscape. We provide several scenarios to provide examples of how each binary vulnerability might lead to a web security vulnerability, such as SQL Injections, XS-Leaks, and SSTI. Our results show that binary vulnerabilities can invalidate common security mechanisms that web developer implement in their applications, demonstrating how the security of WASM modules remains a problem that needs to be addressed. We also provide a list of best practices and defensive strategies that developers can implement to mitigate the risks associated with running unsafe WASM modules in their web applications.

翻译：WebAssembly（WASM）标准的广泛采用催生了大量可原生移植至网站环境的二进制应用程序的快速增长。WASM的灵活性使其成为运行快速且资源密集型应用的首选方式，取代了以往由JavaScript垄断的领域。尽管取得了成功，研究人员对WASM的安全实现提出了担忧，并证明缓冲区溢出和释放后使用等二进制漏洞仍然是WASM二进制文件面临的现实威胁。我们的工作旨在证明，当此类漏洞出现在WebAssembly模块中时，可能以意外方式影响Web应用程序的行为，使攻击者能够利用典型的Web安全漏洞。我们提供了若干场景，举例说明每种二进制漏洞如何导致SQL注入、XS-Leaks和SSTI等Web安全漏洞。研究结果表明，二进制漏洞可能使Web开发人员在应用程序中实施的常见安全机制失效，这证明了WASM模块的安全性问题仍需解决。我们还提供了一系列最佳实践和防御策略，开发人员可通过实施这些措施来降低在其Web应用程序中运行不安全WASM模块所带来的风险。