Integer Overflow (Web Applications)
Reading time: 5 minutes
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This page explains where integer overflows/truncations can be exploited in web applications and browsers. For exploitation primitives inside native binaries, continue with the dedicated page:
{{#ref}}
../../binary-exploitation/integer-overflow-and-underflow.md {{#endref}}
1. Why integer math still matters on the web
Although most business logic in modern stacks is written in memory-safe languages, the runtime underneath (or the third-party libraries it loads) is ultimately implemented in C/C++. Whenever user-influenced numbers are used to allocate buffers, compute offsets, or perform length checks, a 32-bit or 64-bit wrap-around can turn a seemingly harmless parameter into an out-of-bounds read/write, a logic bypass or a DoS.
Typical attack surface:
- Numeric request parameters: classic id, offset, or count fields.
- Length / size headers: Content-Length, WebSocket frame length, HTTP/2 continuation_len, etc.
- File-format metadata parsed server-side or client-side: image dimensions, chunk sizes, font tables.
- Language-level conversions: signed→unsigned casts in PHP/Go/Rust FFI, JS Number → int32 truncations inside V8.
- Authentication & business logic: coupon value, price, or balance calculations that silently overflow.
2. Recent real-world vulnerabilities (2023-2025)
| Year | Component | Root cause | Impact |
|---|---|---|---|
| 2023 | libwebp (CVE-2023-4863) | 32-bit multiplication overflow when computing decoded pixel size | Led to a Chrome 0-day (BLASTPASS on iOS), allowing remote code execution inside the renderer sandbox. |
| 2024 | V8 (CVE-2024-0519) | Truncation to 32-bit when growing a JSArray leads to OOB write on the backing store | Remote code execution after a single page visit. |
| 2025 | Apollo GraphQL Server (unreleased patch) | 32-bit signed integer used for first/last pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). |
3. Testing strategy
3.1 Boundary-value cheat-sheet
Send extreme signed/unsigned values wherever an integer is expected:

```text
-1, 0, 1,
127, 128, 255, 256,
32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff
```
Other useful formats:
- Hex (0x100), octal (0377), scientific (1e10), JSON big-int (9999999999999999999).
- Very long digit strings (>1kB) to hit custom parsers.
3.2 Burp Intruder template

```text
§INTEGER§
Payload type: Numbers
From: -10 To: 4294967300 Step: 1
Pad to length: 10, Enable hex prefix 0x
```
3.3 Fuzzing libraries & runtimes
- AFL++/Honggfuzz with a libFuzzer harness around the parser (e.g., WebP, PNG, protobuf).
- Fuzzilli: grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations.
- boofuzz: network-protocol fuzzing (WebSocket, HTTP/2) targeting length fields.
4. Exploitation patterns
4.1 Logic bypass in server-side code (PHP example)

```php
<?php
$price = (int)$_POST['price']; // expecting cents (0-10000), but no range check before the arithmetic
$total = $price * 100;         // 32-bit overflow possible
if ($total > 1000000) {
    die('Too expensive');
}
/* With 32-bit wrapping arithmetic, price=21474850 gives 2147485000, which wraps to -2147482296,
   so the "Too expensive" check is bypassed */
```
4.2 Heap overflow via image decoder (libwebp 0-day)
The WebP lossless decoder multiplied image width × height × 4 (RGBA) in a 32-bit int. A crafted file with dimensions 16384 × 16384 overflowed the multiplication, allocated a short buffer and later wrote ~1GB of decompressed data past the heap, resulting in RCE in every Chromium-based browser before 116.0.5845.187.
4.3 Browser-based XSS/RCE chain
- Integer overflow in V8 gives arbitrary read/write.
- Escape the sandbox with a second bug or call native APIs to drop a payload.
- The payload then injects a malicious script into the origin context (stored XSS).
5. Defensive guidelines
- Use wide types or checked math, e.g. size_t, Rust checked_add, Go math/bits.Add64.
- Validate ranges early: reject any value outside the business domain before doing arithmetic on it.
- Enable compiler sanitizers: -fsanitize=integer, UBSan, Go race detector.
- Adopt fuzzing in CI/CD: combine coverage feedback with boundary corpora.
- Stay patched: browser integer overflow bugs are often exploited within weeks.
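As an added example (not part of the original page), the following Python models C-style signed 32-bit wrap-around for both the price check of section 4.1 and a decoder-style width × height × 4 allocation size of section 4.2, next to the range-validated, checked-multiplication versions these guidelines recommend. The 0..10000 price domain comes from the snippet's comment; the 32768 × 32768 dimensions are constructed so that the product lands exactly on 2^32.

```python
"""Added example (not from the original page): 32-bit wrap-around model and checked-math fix."""
from typing import Optional

INT32_MAX = 2**31 - 1
INT32_MIN = -2**31


def wrap_int32(n: int) -> int:
    """Reduce an arbitrary integer the way a two's-complement signed 32-bit C operation wraps."""
    return ((n + 2**31) % 2**32) - 2**31


def checked_mul_int32(a: int, b: int) -> Optional[int]:
    """Return a*b only if it fits a signed 32-bit int, else None (same contract as Rust checked_mul)."""
    product = a * b
    return product if INT32_MIN <= product <= INT32_MAX else None


# --- Section 4.1: the PHP price check as it behaves under 32-bit wrapping arithmetic ---
def vulnerable_price_check(price: int) -> bool:
    """Multiply first, compare afterwards; True means the order is accepted."""
    total = wrap_int32(price * 100)
    return total <= 1_000_000


def hardened_price_check(price: int) -> bool:
    """Validate the business range before any arithmetic, then use checked multiplication."""
    if not 0 <= price <= 10_000:          # domain stated in the snippet's comment
        return False
    total = checked_mul_int32(price, 100)  # defense in depth: reject if it would not fit
    return total is not None and total <= 1_000_000


# --- Section 4.2: decoder-style buffer size (width * height * bytes_per_pixel) ---
def wrapped_buffer_size(width: int, height: int, bpp: int = 4) -> int:
    """What a decoder doing the multiplication in a 32-bit int would actually allocate."""
    return wrap_int32(wrap_int32(width * height) * bpp)


def checked_buffer_size(width: int, height: int, bpp: int = 4) -> Optional[int]:
    """Allocation size with every intermediate product checked; None means 'reject the file'."""
    if width <= 0 or height <= 0:
        return None
    pixels = checked_mul_int32(width, height)
    return None if pixels is None else checked_mul_int32(pixels, bpp)


if __name__ == "__main__":
    print(vulnerable_price_check(21474850), hardened_price_check(21474850))     # True False
    # constructed dimensions: 32768 * 32768 * 4 == 2**32, which wraps to 0 in 32-bit arithmetic
    print(wrapped_buffer_size(32768, 32768), checked_buffer_size(32768, 32768))  # 0 None
```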
References
- NVD CVE-2023-4863: libwebp Heap Buffer Overflow
- Google Project Zero: "Understanding V8 CVE-2024-0519"