maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1176 from HackTricks-wiki/research_update_src_pentesting-web_xss-cross-site-scripting_integer-overflow_20250723_162518

Browse Source 
Research Update Enhanced src/pentesting-web/xss-cross-site-s...
This commit is contained in:
SirBroccoli 2025-07-24 18:01:47 +02:00 committed by GitHub
commit 8cb6933fef
1 changed files with 105 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
src/pentesting-web/xss-cross-site-scripting/integer-overflow.md
View File

@ -1,14 +1,111 @@
# Integer Overflow
# Integer Overflow (Web Applications)
{{#include ../../banners/hacktricks-training.md}}
Check:
> This page focuses on how **integer overflows/truncations can be abused in web applications and browsers**. For exploitation primitives inside native binaries you can continue reading the dedicated page:
>
> {{#ref}}
> ../../binary-exploitation/integer-overflow.md
> {{#endref}}
{{#ref}}
../../binary-exploitation/integer-overflow.md
{{#endref}}
---
## 1. Why integer math still matters on the web
Even though most business-logic in modern stacks is written in *memory-safe* languages, the underlying runtime (or third-party libraries) is eventually implemented in C/C++. Whenever user-controlled numbers are used to allocate buffers, compute offsets, or perform length checks, **a 32-bit or 64-bit wrap-around may transform an apparently harmless parameter into an out-of-bounds read/write, a logic bypass or a DoS**.
Typical attack surface:
1. **Numeric request parameters** classic `id`, `offset`, or `count` fields.
2. **Length / size headers** `Content-Length`, WebSocket frame length, HTTP/2 `continuation_len`, etc.
3. **File-format metadata parsed server-side or client-side** image dimensions, chunk sizes, font tables.
4. **Language-level conversions** signed↔unsigned casts in PHP/Go/Rust FFI, JS `Number``int32` truncations inside V8.
5. **Authentication & business logic** coupon value, price, or balance calculations that silently overflow.
---
## 2. Recent real-world vulnerabilities (2023-2025)
| Year | Component | Root cause | Impact |
|------|-----------|-----------|--------|
| 2023 | **libwebp CVE-2023-4863** | 32-bit multiplication overflow when computing decoded pixel size | Triggered a Chrome 0-day (`BLASTPASS` on iOS), allowed *remote code execution* inside the renderer sandbox. |
| 2024 | **V8 CVE-2024-0519** | Truncation to 32-bit when growing a `JSArray` leads to OOB write on the backing store | Remote code execution after a single visit. |
| 2025 | **Apollo GraphQL Server** (unreleased patch) | 32-bit signed integer used for `first/last` pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). |
---
## 3. Testing strategy
### 3.1 Boundary-value cheat-sheet
Send **extreme signed/unsigned values** wherever an integer is expected:
```
-1, 0, 1,
127, 128, 255, 256,
32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff
```
Other useful formats:
* Hex (`0x100`), octal (`0377`), scientific (`1e10`), JSON big-int (`9999999999999999999`).
* Very long digit strings (>1kB) to hit custom parsers.
### 3.2 Burp Intruder template
```
§INTEGER§
Payload type: Numbers
From: -10 To: 4294967300 Step: 1
Pad to length: 10, Enable hex prefix 0x
```
### 3.3 Fuzzing libraries & runtimes
* **AFL++/Honggfuzz** with `libFuzzer` harness around the parser (e.g., WebP, PNG, protobuf).
* **Fuzzilli** grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations.
* **boofuzz** network-protocol fuzzing (WebSocket, HTTP/2) focusing on length fields.
---
## 4. Exploitation patterns
### 4.1 Logic bypass in server-side code (PHP example)
```php
$price = (int)$_POST['price']; // expecting cents (0-10000)
$total = $price * 100; // ← 32-bit overflow possible
if($total > 1000000){
die('Too expensive');
}
/* Sending price=21474850 → $total wraps to 2147483648 and check is bypassed */
```
### 4.2 Heap overflow via image decoder (libwebp 0-day)
The WebP lossless decoder multiplied image width × height × 4 (RGBA) inside a 32-bit `int`. A crafted file with dimensions `16384 × 16384` overflows the multiplication, allocates a short buffer and subsequently writes **~1GB** of decompressed data past the heap leading to RCE in every Chromium-based browser before 116.0.5845.187.
### 4.3 Browser-based XSS/RCE chain
1. **Integer overflow** in V8 gives arbitrary read/write.
2. Escape the sandbox with a second bug or call native APIs to drop a payload.
3. The payload then injects a malicious script into the origin context → stored XSS.
---
## 5. Defensive guidelines
1. **Use wide types or checked math** e.g., `size_t`, Rust `checked_add`, Go `math/bits.Add64`.
2. **Validate ranges early**: reject any value outside business domain before arithmetic.
3. **Enable compiler sanitizers**: `-fsanitize=integer`, UBSan, Go race detector.
4. **Adopt fuzzing in CI/CD** combine coverage feedback with boundary corpora.
5. **Stay patched** browser integer overflow bugs are frequently weaponised within weeks.
---
## References
* [NVD CVE-2023-4863 libwebp Heap Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
* [Google Project Zero "Understanding V8 CVE-2024-0519"](https://googleprojectzero.github.io/)
{{#include ../../banners/hacktricks-training.md}}