# Integer Overflow (Web Applications)
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group, or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This page focuses on how integer overflows/truncations can be abused in web applications and browsers. For exploitation primitives inside native binaries, continue to the dedicated page:
{{#ref}}
../../binary-exploitation/integer-overflow-and-underflow.md {{#endref}}
## 1. Why integer math still matters on the web
Although most business logic in modern stacks is written in memory-safe languages, the underlying runtime (or third-party libraries) is ultimately implemented in C/C++. Whenever user-controlled numbers are used to allocate buffers, compute offsets or check lengths, a 32-bit or 64-bit wrap-around may transform an apparently harmless parameter into an out-of-bounds read/write, a logic bypass or a DoS.
Typical attack surface:
- Numeric request parameters – classic id, offset or count fields.
- Length / size headers – Content-Length, WebSocket frame length, HTTP/2 continuation_len, etc.
- File-format metadata parsed server-side or client-side – image dimensions, chunk sizes, font tables.
- Language-level conversions – signed↔unsigned casts in PHP/Go/Rust FFI, JS Number → int32 truncations inside V8.
- Authentication & business logic – coupon value, price or balance calculations that silently overflow.
## 2. Recent real-world vulnerabilities (2023-2025)

| Year | Component | Root cause | Impact |
|---|---|---|---|
| 2023 | libwebp – CVE-2023-4863 | 32-bit multiplication overflow when computing decoded pixel size | Triggered a Chrome 0-day (BLASTPASS on iOS), allowed remote code execution inside the renderer sandbox. |
| 2024 | V8 – CVE-2024-0519 | Truncation to 32-bit when growing a JSArray leads to OOB write on the backing store | Remote code execution after a single visit. |
| 2025 | Apollo GraphQL Server (unreleased patch) | 32-bit signed integer used for first/last pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). |
## 3. Testing strategy
### 3.1 Boundary-value cheat-sheet
Send extreme signed/unsigned values wherever an integer is expected:
```
-1, 0, 1,
127, 128, 255, 256,
32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff
```
Other useful formats:
- Hex (0x100), octal (0377), scientific (1e10), JSON big-int (9999999999999999999).
- Very long digit strings (>1kB) to hit custom parsers.
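The cheat-sheet above can be derived rather than typed. The following Python is an added example, not code from the original page: it computes the signed/unsigned limits (and their ±1 neighbours) for 8/16/32/64-bit widths and renders each value in the alternative encodings listed above, so the same list can be fed to a boundary-value test corpus.

```python
# Added example: generate the section 3.1 boundary values from bit widths and
# render each in the encodings the page lists (hex, octal, scientific, big-int).
from typing import Dict, List

WIDTHS = (8, 16, 32, 64)


def boundary_values(widths=WIDTHS) -> List[int]:
    """Signed/unsigned limits for each width, plus their +/-1 neighbours."""
    values = {-1, 0, 1}
    for bits in widths:
        # signed max, signed max + 1, unsigned max, unsigned max + 1
        for edge in (2 ** (bits - 1) - 1, 2 ** (bits - 1), 2 ** bits - 1, 2 ** bits):
            values.update((edge - 1, edge, edge + 1))
    return sorted(values)


def encodings(value: int) -> Dict[str, str]:
    """Render one value the way different parsers might accept it."""
    forms = {"dec": str(value)}
    if value >= 0:
        forms["hex"] = hex(value)              # e.g. 0x100
        forms["octal"] = "0" + oct(value)[2:]  # C-style octal, e.g. 0377
        forms["sci"] = f"{value:e}"            # 1e10-style; may lose precision
    forms["bigint"] = str(value).zfill(20)     # long digit run for custom parsers
    return forms


def payload_list() -> List[str]:
    """Flat, de-duplicated list of every encoding of every boundary value."""
    out: List[str] = []
    for v in boundary_values():
        out.extend(encodings(v).values())
    return list(dict.fromkeys(out))
```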
### 3.2 Burp Intruder template
```
§INTEGER§
Payload type: Numbers
From: -10 To: 4294967300 Step: 1
Pad to length: 10, Enable hex prefix 0x
```
### 3.3 Libraries and runtimes for fuzzing
- AFL++/Honggfuzz with a libFuzzer harness around the parser (e.g. WebP, PNG, protobuf).
- Fuzzilli – grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations.
- boofuzz – network-protocol fuzzing (WebSocket, HTTP/2) focused on length fields.
## 4. Exploitation patterns
### 4.1 Logic bypass in server-side code (PHP example)
```php
<?php
$price = (int)$_POST['price']; // expecting cents (0-10000), but no range check is done
$total = $price * 100;         // ← 32-bit overflow possible
if ($total > 1000000) {
    die('Too expensive');
}
/* Assuming 32-bit wrap-around: price=21474850 gives 2147485000, which wraps to
   -2147482296. The negative total passes the "> 1000000" check, so the price
   limit is bypassed. */
```
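To see the bypass and the fix side by side, here is an added Python model (not code from the original page) of the PHP logic above. Python integers never wrap, so `wrap_signed()` emulates fixed-width two's-complement arithmetic; `vulnerable_check()` mirrors the multiply-then-compare above, while `hardened_check()` applies the section 5 guidance (validate the range before arithmetic, then use checked math). The limits 1000000 and 10000 are taken from the PHP snippet and its comment.

```python
# Added example: the PHP bypass modelled in Python, next to a hardened version.

MAX_TOTAL = 1_000_000   # business limit on the computed total (from the PHP check)
MAX_PRICE = 10_000      # "expecting cents (0-10000)" per the PHP comment


def wrap_signed(value: int, bits: int = 32) -> int:
    """Reduce an unbounded int to a signed two's-complement value of `bits` bits."""
    mask = (1 << bits) - 1
    value &= mask
    return value - (1 << bits) if value >> (bits - 1) else value


def vulnerable_check(price: int) -> bool:
    """Mirror the PHP: multiply in 32-bit first, compare second. True = accepted."""
    total = wrap_signed(price * 100)   # large prices wrap to a negative total
    return not (total > MAX_TOTAL)


def checked_mul(a: int, b: int, bits: int = 32):
    """Checked multiply: the product, or None if it does not fit in `bits` signed."""
    product = a * b
    lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return product if lo <= product <= hi else None


def hardened_check(price: int) -> bool:
    """Reject out-of-domain input before any arithmetic, then use checked math."""
    if not 0 <= price <= MAX_PRICE:    # range validation first
        return False
    total = checked_mul(price, 100)    # overflow can no longer go unnoticed
    return total is not None and total <= MAX_TOTAL
```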
### 4.2 Heap overflow via image decoder (libwebp 0-day)
The WebP lossless decoder multiplied image width × height × 4 (RGBA) inside a 32-bit int. A specially crafted file with dimensions 16384 × 16384 overflows the multiplication, allocates a buffer that is too small and then writes ~1GB of decompressed data past the heap buffer, leading to RCE in all Chromium-based browsers before 116.0.5845.187.
### 4.3 Browser-based XSS/RCE chain
- Integer overflow in V8 gives arbitrary read/write.
- Escape the sandbox with a second bug or call native APIs to drop a payload.
- The payload then injects a malicious script into the origin context → stored XSS.
## 5. Defensive guidelines
- Use wide types or checked math – e.g. size_t, Rust checked_add, Go math/bits.Add64.
- Validate ranges early: reject any value outside the business domain before doing arithmetic.
- Enable compiler sanitizers: -fsanitize=integer, UBSan, Go race detector.
- Adopt fuzzing in CI/CD – combine coverage feedback with boundary corpora.
- Stay patched – browser integer overflow bugs are often exploited within weeks.
## References
- NVD CVE-2023-4863 – libwebp Heap Buffer Overflow
- Google Project Zero – "Understanding V8 CVE-2024-0519"