HackTricksInteger Overflow (Web Applications)
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This page focuses on how integer overflows/truncations can be abused in web applications and browsers. For exploitation primitives inside native binaries you can continue reading the dedicated page:
{{#ref}}
../../binary-exploitation/integer-overflow-and-underflow.md {{#endref}}
1. Why integer math still matters on the web
Even though most business-logic in modern stacks is written in memory-safe languages, the underlying runtime (or third-party libraries) is eventually implemented in C/C++. Whenever user-controlled numbers are used to allocate buffers, compute offsets, or perform length checks, a 32-bit or 64-bit wrap-around may transform an apparently harmless parameter into an out-of-bounds read/write, a logic bypass or a DoS.
Typical attack surface:
- Numeric request parameters – classic
id,offset, orcountfields. - Length / size headers –
Content-Length, WebSocket frame length, HTTP/2continuation_len, etc. - File-format metadata parsed server-side or client-side – image dimensions, chunk sizes, font tables.
- Language-level conversions – signed↔unsigned casts in PHP/Go/Rust FFI, JS
Number→int32truncations inside V8. - Authentication & business logic – coupon value, price, or balance calculations that silently overflow.
2. Recent real-world vulnerabilities (2023-2025)
| Year | Component | Root cause | Impact |
|---|---|---|---|
| 2023 | libwebp – CVE-2023-4863 | 32-bit multiplication overflow when computing decoded pixel size | Triggered a Chrome 0-day (BLASTPASS on iOS), allowed remote code execution inside the renderer sandbox. |
| 2024 | V8 – CVE-2024-0519 | Truncation to 32-bit when growing a JSArray leads to OOB write on the backing store | Remote code execution after a single visit. |
| 2025 | Apollo GraphQL Server (unreleased patch) | 32-bit signed integer used for first/last pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). |
3. Testing strategy
3.1 Boundary-value cheat-sheet
Send extreme signed/unsigned values wherever an integer is expected:
-1, 0, 1,
127, 128, 255, 256,
32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff
Other useful formats:
- Hex (
0x100), octal (0377), scientific (1e10), JSON big-int (9999999999999999999). - Very long digit strings (>1kB) to hit custom parsers.
3.2 Burp Intruder template
§INTEGER§
Payload type: Numbers
From: -10 To: 4294967300 Step: 1
Pad to length: 10, Enable hex prefix 0x
3.3 Fuzzing libraries & runtimes
- AFL++/Honggfuzz with
libFuzzerharness around the parser (e.g., WebP, PNG, protobuf). - Fuzzilli – grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations.
- boofuzz – network-protocol fuzzing (WebSocket, HTTP/2) focusing on length fields.
4. Exploitation patterns
4.1 Logic bypass in server-side code (PHP example)
$price = (int)$_POST['price']; // expecting cents (0-10000)
$total = $price * 100; // ← 32-bit overflow possible
if($total > 1000000){
die('Too expensive');
}
/* Sending price=21474850 → $total wraps to ‑2147483648 and check is bypassed */
4.2 Heap overflow via image decoder (libwebp 0-day)
The WebP lossless decoder multiplied image width × height × 4 (RGBA) inside a 32-bit int. A crafted file with dimensions 16384 × 16384 overflows the multiplication, allocates a short buffer and subsequently writes ~1GB of decompressed data past the heap – leading to RCE in every Chromium-based browser before 116.0.5845.187.
4.3 Browser-based XSS/RCE chain
- Integer overflow in V8 gives arbitrary read/write.
- Escape the sandbox with a second bug or call native APIs to drop a payload.
- The payload then injects a malicious script into the origin context → stored XSS.
5. Defensive guidelines
- Use wide types or checked math – e.g.,
size_t, Rustchecked_add, Gomath/bits.Add64. - Validate ranges early: reject any value outside business domain before arithmetic.
- Enable compiler sanitizers:
-fsanitize=integer, UBSan, Go race detector. - Adopt fuzzing in CI/CD – combine coverage feedback with boundary corpora.
- Stay patched – browser integer overflow bugs are frequently weaponised within weeks.
References
- NVD CVE-2023-4863 – libwebp Heap Buffer Overflow
- Google Project Zero – “Understanding V8 CVE-2024-0519”
Tip
Learn & practice AWS Hacking:
Learn & practice GCP Hacking:
Learn & practice Az Hacking:Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.