Jsfuzz is a coverage-guided fuzzer for javascript node.js packages developped by Fuzzit. The typical bugs found by jsfuzz are unhandled exceptions, logic bugs, Denial-of-Service (DoS) caused by hangs and excessive memory usage (OOM).

Jsfuzz is both user-friendly and efficient, especially when fuzzing parsing libraries. You will only need to implement the following function to start fuzzing your target. All the fuzzing/mutation logic, coverage collection and crash detection will be handle by jsfuzz.

webassemblyjs is a set of 22 dedicated packages for WebAssembly module manipulation. Most of them are really popular npm package with more than 6 millions weekly downloads each, like those ones:

• @webassemblyjs/ast: AST utils for webassemblyjs
• @webassemblyjs/wasm-parser: WebAssembly binary format parser
• @webassemblyjs/wast-parser: WebAssembly text format parser

I decided to target @webassemblyjs/wasm-parser because the API is really simple and also because I think jsfuzz mutation algorithm will be more efficient on binary file.

The process to setup a fuzz target script with jsfuzz is extremely simple. The first step is to create a corpus of valid WebAssembly module like the ones on Mozilla github repository: MDN webassembly-examples.

Then, run the fuzzer with the following command:

jsfuzz fuzz-wasm-parser.js corpus-wasm

You should immediately trigger some valid error/exception and you will need to customized the fuzz target to catch and ignored them like in the following code (available here).

Once most common exceptions are handled using try/catch, jsfuzz will start to generate fuzzing status logs and eventually crash like the following picture.

This bug is triggered really quickly (less than a minute) by the fuzzer with my wasm module corpus.

I quickly minimized the crashing buffer, create a reproducer JS file and directly open an issue on webassemblyjs github repository.