Integer Overflow (Web Applications)


This page focuses on how integer overflows/truncations can be abused in web applications and browsers. For exploitation primitives inside native binaries, continue with the dedicated page:

{{#ref}}
../../binary-exploitation/integer-overflow-and-underflow.md
{{#endref}}

1. Why integer math still matters on the web

Although most business logic in modern stacks is written in memory-safe languages, the underlying runtime (or third-party libraries) is ultimately implemented in C/C++. When user-controlled numbers are used to allocate buffers, compute offsets or perform length checks, a 32-bit or 64-bit wrap-around can turn a seemingly harmless parameter into an out-of-bounds read/write, a logic bypass or a DoS.

Typical attack surface:

  1. Numeric request parameters – classic id, offset or count fields.
  2. Length / size headers – Content-Length, WebSocket frame length, HTTP/2 continuation_len, etc.
  3. File-format metadata parsed server-side or client-side – image dimensions, chunk sizes, font tables.
  4. Language-level conversions – signed↔unsigned casts in PHP/Go/Rust FFI, JS Number → int32 truncations inside V8.
  5. Authentication & business logic – coupon value, price or balance calculations that silently overflow.

2. Recent real-world vulnerabilities (2023-2025)

| Year | Component | Root cause | Impact |
|------|-----------|------------|--------|
| 2023 | libwebp – CVE-2023-4863 | 32-bit multiplication overflow when computing decoded pixel size | Caused a Chrome 0-day (BLASTPASS on iOS); allowed remote code execution inside the renderer sandbox. |
| 2024 | V8 – CVE-2024-0519 | Truncation to 32-bit when growing a JSArray leads to OOB write on the backing store | Remote code execution after a single visit. |
| 2025 | Apollo GraphQL Server (unreleased patch) | 32-bit signed integer used for first/last pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). |

3. Testing strategy

3.1 Boundary-value cheat-sheet

Send extreme signed/unsigned values wherever an integer is expected:

-1, 0, 1,
127, 128, 255, 256,
32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff

Other useful formats:

  • Hex (0x100), octal (0377), scientific (1e10), JSON big-int (9999999999999999999).
  • Very long digit strings (>1kB) to hit custom parsers.

3.2 Burp Intruder template

§INTEGER§
Payload type: Numbers
From: -10 To: 4294967300 Step: 1
Pad to length: 10, Enable hex prefix 0x

3.3 Fuzzing libraries & runtimes

  • AFL++/Honggfuzz with a libFuzzer harness around the parser (e.g. WebP, PNG, protobuf).
  • Fuzzilli – grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations.
  • boofuzz – network-protocol fuzzing (WebSocket, HTTP/2) focusing on length fields.

4. Exploitation patterns

4.1 Logic bypass in server-side code (PHP example)

```php
$price = (int)$_POST['price'];          // expecting cents (0-10000)
$total = $price * 100;                  // <- 32-bit overflow possible
if ($total > 1000000) {
    die('Too expensive');
}
/* Sending price=21474850 gives $price * 100 = 2147485000, which exceeds
   INT32_MAX (2147483647). On a 32-bit build where the multiplication
   wraps, $total becomes negative (2147485000 - 2^32 = -2147482296),
   so the "> 1000000" check is bypassed. */
```

4.2 Heap overflow via image decoder (libwebp 0-day)

The WebP lossless decoder multiplied image width × height × 4 (RGBA) inside a 32-bit int. A crafted file with dimensions 16384 × 16384 overflows the multiplication, allocates a buffer that is too small and then writes ~1GB of decompressed data past the heap, leading to RCE in every Chromium-based browser before 116.0.5845.187.

4.3 Browser-based XSS/RCE chain

  1. An integer overflow in V8 gives arbitrary read/write.
  2. Escape the sandbox with a second bug, or call native APIs to place a payload.
  3. The payload then injects a malicious script into the origin context → stored XSS.

5. Defensive guidelines

  1. Use wide types or checked math – e.g. size_t, Rust checked_add, Go math/bits.Add64.
  2. Validate ranges early: reject any value outside the business domain before doing arithmetic.
  3. Enable compiler sanitizers: -fsanitize=integer, UBSan, Go race detector.
  4. Adopt fuzzing in CI/CD – combine coverage feedback with boundary corpora.
  5. Stay patched – browser integer overflow bugs are often weaponised within weeks.
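Added example (not libwebp's code and not from the original page): the width × height × 4 buffer-size computation from section 4.2 written twice, once in plain 32-bit arithmetic that silently wraps, and once with checked multiplication plus an early range limit as guidelines 1 and 2 recommend. The MAX_PIXELS policy limit and the sample dimensions are constructed for illustration; `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable shape: the product is formed in uint32_t, so any dimensions
 * whose pixel count reaches 2^32 wrap modulo 2^32 and yield a buffer that
 * is far smaller than the data the decoder will later write into it. */
uint32_t rgba_size_unchecked(uint32_t width, uint32_t height) {
    return width * height * 4u;
}

/* Constructed policy limit (not a libwebp constant): reject anything above
 * 16384 x 16384 pixels before the byte count is even computed. */
#define MAX_PIXELS ((uint64_t)16384u * 16384u)

/* Hardened shape: 64-bit checked arithmetic and an explicit domain check.
 * Writes *out and returns true only when the byte count is exact and
 * within policy; otherwise leaves *out untouched and returns false. */
bool rgba_size_checked(uint32_t width, uint32_t height, size_t *out) {
    uint64_t pixels, bytes;
    if (width == 0 || height == 0)
        return false;                       /* degenerate image */
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)height, &pixels))
        return false;                       /* cannot happen for 32-bit inputs, kept for clarity */
    if (pixels > MAX_PIXELS)
        return false;                       /* range check before further arithmetic */
    if (__builtin_mul_overflow(pixels, (uint64_t)4, &bytes))
        return false;
    /* bytes <= 4 * MAX_PIXELS = 2^30, which fits any size_t of 32 bits or more */
    *out = (size_t)bytes;
    return true;
}

int main(void) {
    size_t n = 0;
    /* Constructed dimensions: 65536 x 65536 pixels is exactly 2^32, so the
     * unchecked version reports a 0-byte buffer; the checked one rejects it. */
    printf("unchecked 65536x65536: %u bytes\n", rgba_size_unchecked(65536u, 65536u));
    printf("checked   65536x65536: %s\n",
           rgba_size_checked(65536u, 65536u, &n) ? "accepted" : "rejected");
    if (rgba_size_checked(1024u, 768u, &n))
        printf("checked   1024x768:    %zu bytes\n", n);
    return 0;
}
```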
