This study addresses the security risks arising from binary-level vulnerabilities—such as buffer overflows and use-after-free—in WebAssembly (WASM) modules, demonstrating how they can be exploited to manifest as high-level web vulnerabilities including SQL injection, XS-Leaks, and server-side template injection (SSTI), thereby evading existing web defense mechanisms. It is the first to systematically uncover the mapping relationship between low-level WASM binary flaws and web-layer security issues, filling a critical gap in the understanding of this threat surface. Through comprehensive vulnerability analysis, attack scenario modeling, and evaluation of current defenses, the work proposes targeted mitigation strategies and development best practices, offering both theoretical foundations and practical guidance for building more secure WASM applications.

The growth in the adoption of the WebAssembly (WASM) standard has given rise to a rapidly increasing landscape of binary applications that are natively ported to the environment of websites. The flexibility of WASM has made it the preferred way to run fast and resource-heavy applications, replacing a field that JavaScript previously monopolized. Despite its success, researchers have raised concerns over the security implementations of WASM, demonstrating that binary vulnerabilities, such as Buffer Overflows and Use After Free, remain a present danger for WASM binaries. Our work aims to demonstrate that such vulnerabilities, when occurring on a WebAssembly module, can affect the behavior of a web application in unexpected ways, enabling an attacker to exploit vulnerabilities that are typical of the web security landscape. We provide several scenarios to provide examples of how each binary vulnerability might lead to a web security vulnerability, such as SQL Injections, XS-Leaks, and SSTI. Our results show that binary vulnerabilities can invalidate common security mechanisms that web developer implement in their applications, demonstrating how the security of WASM modules remains a problem that needs to be addressed. We also provide a list of best practices and defensive strategies that developers can implement to mitigate the risks associated with running unsafe WASM modules in their web applications.