SensePost is SecureData’s independent elite consulting arm, renowned for its expertise, 19-year track record and innovation on the frontlines of cybersecurity.

With team members that include some of the world’s most preeminent cybersecurity experts, SensePost has helped governments and blue-chip companies both review and protect their information security and stay ahead of evolving threats.

SensePost is also a prolific publisher of leading research articles and tools on cybersecurity which are widely recognised and used throughout the industry and feature regularly at industry conferences including BlackHat and DefCon.


  • Authors: Saif El-Sherei & Etienne Stalmans
  • Cost: Free
  • Source Code:
  • License: 1.0
  • License: GPL
  • Release date: 2015-09-23

Wadi is a grammar-based web browser fuzzer. Grammars are used to describe how browsers should process web content; Wadi turns that around and uses grammars to break browsers.

Wadi is a fuzzing module for the NodeFuzz fuzzing harness and uses AddressSanitizer (ASan) for instrumentation on Linux and Mac OS X.

Understanding Wadi

Wadi works from a purpose-built fuzzer grammar to generate valid JavaScript statements into an array. It then uses these JavaScript statements to create valid HTML documents.
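The two steps described above (grammar to statement array, statement array to HTML document), as an added sketch that is not Wadi's own code. The grammar, the seeded generator and all function names are assumptions made for illustration.

```javascript
// Added toy grammar (not Wadi's own): <name> is a nonterminal, each key lists its productions.
const GRAMMAR = {
  stmt: [
    "var <id> = document.createElement('<tag>');",
    "<id>.setAttribute('<attr>', <value>);",
    "document.body.appendChild(<id>);",
    "<id>.<prop> = <value>;",
  ],
  id: ["e0", "e1", "e2"],
  tag: ["div", "table", "canvas", "input"],
  attr: ["id", "width", "style"],
  prop: ["innerHTML", "title", "hidden"],
  value: ["<num>", "'<str>'", "null"],
  num: ["0", "-1", "4294967295", "1e308"],
  str: ["", "A", "%n", "x".repeat(16)],
};

// Small seeded PRNG (mulberry32-style) so a generated test case can be replayed.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s + 0x6d2b79f5) >>> 0;
    let t = Math.imul(s ^ (s >>> 15), s | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Recursively replace every <nonterminal> with a randomly chosen production.
function expand(symbol, rng, depth = 0) {
  const alts = GRAMMAR[symbol];
  if (!alts) throw new Error("undefined grammar symbol: " + symbol);
  if (depth > 8) throw new Error("grammar recursion too deep at: " + symbol);
  const pick = alts[Math.floor(rng() * alts.length)];
  return pick.replace(/<(\w+)>/g, (_, name) => expand(name, rng, depth + 1));
}

// Step 1: generate the array of JavaScript statements.
function generateStatements(count, seed) {
  const rng = makeRng(seed);
  return Array.from({ length: count }, () => expand("stmt", rng));
}

// Step 2: build the HTML document. Elements are declared first and each
// statement gets its own try/catch so one exception does not end the test case.
function buildDocument(statements) {
  const decl = GRAMMAR.id.map((i) => `var ${i} = document.createElement('div');`);
  const body = statements.map((s) => `try { ${s} } catch (e) {}`);
  return ["<!DOCTYPE html>", "<html><body><script>", ...decl, ...body, "</script></body></html>"].join("\n");
}
```

Calling buildDocument(generateStatements(25, 1234)) returns one test case as a string; recording the seed beside each case lets a crashing input be regenerated exactly.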

Using Wadi

Running Wadi is relatively simple:

  • Perform a git clone from our Wadi GitHub page.
  • After installing NodeFuzz and downloading the ASan build of Firefox or Chrome, place the “WADI-Module.js” and “randoms.js” files in the modules directory.
  • Replace the “config.js” in the root NodeFuzz directory with the modified one.
  • Run using: # node nodefuzz.js -m ./modules/Git/WADI-Module.js -c ./config.js chrome

Wadi In Action

The following video shows how Wadi can be run. If you have any questions about using Wadi, drop us a mail.