Integer Overflow (Web Applications)

Reading time: 5 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Ukurasa huu unaelezea jinsi ambapo integer overflows/truncations zinaweza kutumiwa katika web applications na browsers. Kwa exploitation primitives ndani ya native binaries unaweza endelea kusoma ukurasa maalum:

{{#ref}}

../../binary-exploitation/integer-overflow-and-underflow.md {{#endref}}


1. Why integer math still matters on the web

Licha ya kwamba sehemu kubwa ya business-logic katika modern stacks imeandikwa kwa lugha za memory-safe, runtime inayofanya kazi chini yake (au third-party libraries) hatimaye imeimplemented katika C/C++. Wakati wowote nambari zinazoathiriwa na user zinapotumika kugawa buffers, kuhesabu offsets, au kufanya ukaguzi wa urefu, wrap-around ya 32-bit au 64-bit inaweza kubadilisha parameter inayotarajiwa kuwa isiyo hatari kuwa out-of-bounds read/write, logic bypass au DoS.

Typical attack surface:

  1. Numeric request parameters – classic id, offset, or count fields.
  2. Length / size headers – Content-Length, WebSocket frame length, HTTP/2 continuation_len, etc.
  3. File-format metadata parsed server-side or client-side – image dimensions, chunk sizes, font tables.
  4. Language-level conversions – signed↔unsigned casts in PHP/Go/Rust FFI, JS Number β†’ int32 truncations inside V8.
  5. Authentication & business logic – coupon value, price, or balance calculations that silently overflow.

2. Recent real-world vulnerabilities (2023-2025)

MwakaKomponentiSababu kuuAthari
2023libwebp – CVE-2023-486332-bit multiplication overflow when computing decoded pixel sizeIlisababisha Chrome 0-day (BLASTPASS on iOS), ikaruhusu remote code execution ndani ya renderer sandbox.
2024V8 – CVE-2024-0519Truncation to 32-bit when growing a JSArray leads to OOB write on the backing storeRemote code execution baada ya kutembelea mara moja.
2025Apollo GraphQL Server (unreleased patch)32-bit signed integer used for first/last pagination args; negative values wrap to huge positivesLogic bypass & memory exhaustion (DoS).

3. Testing strategy

3.1 Boundary-value cheat-sheet

Tuma extreme signed/unsigned values kila mahali ambapo integer inatarajiwa:

-1, 0, 1,
127, 128, 255, 256,
32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff

Mifomato mingine muhimu:

  • Hex (0x100), octal (0377), scientific (1e10), JSON big-int (9999999999999999999).
  • Mfuatano mrefu sana wa tarakimu (>1kB) ili kugonga custom parsers.

3.2 Kiolezo cha Burp Intruder

Β§INTEGERΒ§
Payload type: Numbers
From: -10 To: 4294967300 Step: 1
Pad to length: 10, Enable hex prefix 0x

3.3 Fuzzing libraries & runtimes

  • AFL++/Honggfuzz pamoja na libFuzzer harness karibu na parser (kwa mfano, WebP, PNG, protobuf).
  • Fuzzilli – grammar-aware fuzzing ya JavaScript engines ili kugonga V8/JSC integer truncations.
  • boofuzz – network-protocol fuzzing (WebSocket, HTTP/2) ikilenga length fields.

4. Exploitation patterns

4.1 Logic bypass katika server-side code (mfano wa PHP)

php
$price = (int)$_POST['price'];          // expecting cents (0-10000)
$total = $price * 100;                  // ← 32-bit overflow possible
if($total > 1000000){
die('Too expensive');
}
/* Sending price=21474850 β†’ $total wraps to ‑2147483648 and check is bypassed */

4.2 Heap overflow via image decoder (libwebp 0-day)

WebP lossless decoder ilizidisha image width Γ— height Γ— 4 (RGBA) ndani ya 32-bit int. Faili iliyotengenezwa kwa vipimo 16384 Γ— 16384 iliresulta overflows kwenye multiplication, allocates short buffer na baadaye ikaandika ~1GB ya decompressed data past the heap – ikisababisha RCE katika every Chromium-based browser kabla ya 116.0.5845.187.

4.3 Browser-based XSS/RCE chain

  1. Integer overflow in V8 gives arbitrary read/write.
  2. Escape the sandbox with a second bug or call native APIs to drop a payload.
  3. The payload then injects a malicious script into the origin context β†’ stored XSS.

5. Defensive guidelines

  1. Use wide types or checked math – e.g., size_t, Rust checked_add, Go math/bits.Add64.
  2. Validate ranges early: kataa thamani yoyote nje ya business domain kabla ya arithmetic.
  3. Enable compiler sanitizers: -fsanitize=integer, UBSan, Go race detector.
  4. Adopt fuzzing in CI/CD – waunganishe coverage feedback na boundary corpora.
  5. Stay patched – browser integer overflow bugs mara nyingi zinatumiwa ndani ya wiki.

References

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks