Can WebASM provide JavaScript style interactivity without the same vulnerabilities?

JavaScript is useful for interactivity. However, it is often disabled by security-conscious browsers, such as the Tor Browser Bundle, and blocked with plugins such as NoScript.
I was wondering if it was possible for WebASM to provide JavaS…

How secure is it to implement most of the application's functionality using WASM on the client side / in the browser?

I understand that nothing is perfectly secured.
If we have a web app where most of the functionality is done inside the browser using WASM, can someone get the binary of that WASM and use most of its functionality?
What do we need to pay a…

Rust WASM’s web_sys add_event_listener_with_callback "callback" is actually an eval() function under the hood. Isn’t this dangerous?

Rust WASM’s web_sys add_event_listener_with_callback "callback" is actually an eval() function under the hood. Isn’t this dangerous? If so, how?
Here is a link to js_sys function, which describes the use of eval (to bind to any …

securing webassembly/WasmEdge – any 0-day exploits so far and devsecops pipeline targeted at webassembly?

I am looking to deploy webassembly at scale in production. Before I do so, I'd like to know if there are any 0-day exploits so far and if there are devsecops tools pipeline specifically targeted at webassembly?


A runtime sometimes converts string arguments (or string returns) from WTF-16 to UTF-16 between functions in a call stack. Is this a security concern?

Suppose that we have this code (in TypeScript syntax):
function one(str: string): string {
    // do something with the string
    return str
}

function two() {
    let s = getSomeString() // returns some unknown string that may contain surroga…