A web assembly (WASM) phishing lure generator based on pre-built templates and written in Rust with some GenAI assistance. W.A.L.K. aims at aiding with initial access during red teams and phishing exercises leveraging WASM smuggling techniques.
W.A.L.K. - Web Assembly Lure Krafter
A web assembly (WASM) lure generator based on custom lure templates and written in Rust to aid with initial access leveraging WASM smuggling techniques.
Table of Contents
- Install Rust - Installwasm-pack and wasm-bindgen-cli
- Clone, Build and Run W.A.L.K.
- Google Chrome Update
- One Drive File Download
- Sample
What, Why?
This is the tool I developed off the back of the recent research I’ve done into crafting web smuggling lures using web assembly. You can read the accompanying blogpost "WASM Smuggling for Initial Access and W.A.L.K. Tool Release" on JUMPSEC Labs.
Setup
Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source the corresponding env file under $HOME/.cargo
. "$HOME/.cargo/env"
Install wasm-pack and wasm-bindgen-cli
cargo install -f wasm-pack wasm-bindgen-cli
add cargo to path
zshrc
echo 'export PATH=$HOME/.cargo/bin:$PATH' >> ~/.zshrc
bashrc
echo 'export PATH=$HOME/.cargo/bin:$PATH' >> ~/.bashrc
🚧 For Arch / Manjaro users>
Install base-devel dependency first
sudo pacman -Syu && sudo pacman -S base-devel
Open New Terminal or use Source command to enable wasm-pack binary path
# replace with zshrc if you are using zsh
source ~/.bashrc
Clone, Build and Run W.A.L.K.
git clone https://github.com/JumpsecLabs/WALKWebAssemblyLure_Krafter.git
cd WALKWebAssemblyLure_Krafter
From the project's root folder run:
cargo run
Use
The Web Assembly Lure Krafter is quite straightforward to use. Just execute cargo run from the project’s folder. The tool will ask you to select a lure to generate.
- Select the lure to generate.
- Enter the payload’s extension. This can be anything but should match the extension of your payload.
- Enter the absolute file path of the payload to smuggle.
- Enter the payload name (without the extension at the end).
results/ directory, presenting a timestamp and a random string in the name. The generated lure will consist in a single index.html file stored in its timestamped sub-directory contained in results/. The index.html is the only file you will need as it contains the Web Assembly lure and the payload embedded within it.

Lure Templates
W.A.L.K. comes pre-packed with some lures, namely:
- Google Chrome Update
- One Drive File Download
- Sample
Google Chrome Update
This lure was designed to simulate a Google Chrome browser update request from an I.T. department. The payload download is triggered when the “Update Chrome” button is clicked.

One Drive File Download
This web assembly lure was designed to simulate a OneDrive file download. The lure presents the screen shown below and sleeps for 4 seconds before automatically downloading the payload.

Sample
It’s just a sample web page with no contents that automatically downloads the payloads you embedded in it.
Modularity
W.A.L.K. was designed to be modular and be able to create new lures based on template files located in luretemplates/ . By adding more lures in the luretemplates/ directory it is possible to then call the template from the tool’s menu by adding an entry to it in src/main.rs.
Once you add a .rs template file in lure_templates/, modify the src/main.rs file’s menu by adding an entry for the new template in fn main():
luretemplates/ directory. For example, when selecting the “Google Chrome Update” lure from the menu, W.A.L.K. will look for googlechromeupdate.rs in the lure_templates/ directory.
Credits
Many thanks to David Kennedy for beta-testing the tool.
Thanks to NETSPI’s research into WASM smuggling and their tool silkwasm: The Silk Wasm: Obfuscating HTML Smuggling with Web Assembly GitHub - NetSPI/silkwasm: HTML Smuggling with Web Assembly
A shoutout to researchers at delivr.to who have released an amazing article explaining how to build WASM lures in Rust: WebAssembly Smuggling: It WASM’t me
Disclaimer
The tools and software provided in this repository by JUMPSEC are intended for educational and lawful purposes only. JUMPSEC is in no way, shape, or form responsible for any misuse or unintended use of these tool. Users are solely responsible for ensuring that their use of the tool complies with all applicable laws and regulations.
JUMPSEC does not condone or support any activities that may cause harm, damage, or unauthorized access to systems, data, or networks. Any malicious or unauthorized use of the tools provided in this repository is strictly prohibited. Users should obtain proper authorisation before engaging in any security testing activities.
By using the tools in this repository, you acknowledge that JUMPSEC shall not be held liable for any damages, legal consequences, or other repercussions that may arise from the misuse of these tools.
License
GNU General Public License v3.0