# Integer Overflow (Web Applications)

{{#include ../../banners/hacktricks-training.md}}

> This page explains how **integer overflows/truncations can be exploited in web applications and browsers**. For exploitation primitives inside native binaries, see the dedicated page:
>
> {{#ref}}
> ../../binary-exploitation/integer-overflow-and-underflow.md
> {{#endref}}

---

## 1. Why integer math still matters on the web

Even though most of the business logic in modern stacks is written in *memory-safe* languages, the runtime underneath it (or its third-party libraries) is ultimately implemented in C/C++. Whenever user-controlled numbers are used to allocate buffers, compute offsets, or perform length checks, **a 32-bit or 64-bit wrap-around can turn an apparently harmless parameter into an out-of-bounds read/write, a logic bypass, or a DoS**.

Typical attack surface:

1. **Numeric request parameters** – classic id, offset, or count fields.
2. **Length / size headers** – Content-Length, WebSocket frame length, HTTP/2 continuation_len, etc.
3. **File-format metadata parsed server-side or client-side** – image dimensions, chunk sizes, font tables.
4. **Language-level conversions** – signed↔unsigned casts in PHP/Go/Rust FFI, JS Number → int32 truncations inside V8.
5. **Authentication & business logic** – coupon value, price, or balance calculations that silently overflow.

---

## 2. Recent real-world vulnerabilities (2023-2025)

| Year | Component | Root cause | Impact |
|------|-----------|-----------|--------|
| 2023 | **libwebp – CVE-2023-4863** | 32-bit multiplication overflow when computing decoded pixel size | Resulted in a Chrome 0-day (BLASTPASS on iOS), allowing *remote code execution* inside the renderer sandbox. |
| 2024 | **V8 – CVE-2024-0519** | Truncation to 32-bit when growing a JSArray leads to OOB write on the backing store | Remote code execution after a single visit. |
| 2025 | **Apollo GraphQL Server** (unreleased patch) | 32-bit signed integer used for first/last pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). |

---

## 3. Testing strategy

### 3.1 Boundary-value cheat-sheet

Send **extreme signed/unsigned values** wherever an integer is expected:

```
-1, 0, 1, 127, 128, 255, 256, 32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff
```

Other useful formats:

* Hex (0x100), octal (0377), scientific (1e10), JSON big-int (9999999999999999999).
* Very long digit strings (>1kB) to hit custom parsers.

### 3.2 Burp Intruder template

```
§INTEGER§
Payload type: Numbers
From: -10
To: 4294967300
Step: 1
Pad to length: 10, Enable hex prefix 0x
```

### 3.3 Fuzzing libraries & runtimes

* **AFL++/Honggfuzz** with a libFuzzer harness around the parser (e.g. WebP, PNG, protobuf).
* **Fuzzilli** – grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations.
* **boofuzz** – network-protocol fuzzing (WebSocket, HTTP/2) focusing on length fields.

---

## 4. Exploitation patterns

### 4.1 Logic bypass in server-side code (PHP example)

```php
$price = (int)$_POST['price']; // expecting cents (0-10000)
$total = $price * 100;         // ← 32-bit overflow possible
if($total > 1000000){ die('Too expensive'); }
/* Sending price=21474850 → $total wraps to -2147483648 and check is bypassed */
```

### 4.2 Heap overflow via image decoder (libwebp 0-day)

The WebP lossless decoder multiplied image width × height × 4 (RGBA) inside a 32-bit int. A crafted file with dimensions 16384 × 16384 overflowed the multiplication, so a short buffer was allocated and **~1GB** of decompressed data was then written past the heap – leading to RCE in every Chromium-based browser before 116.0.5845.187.

### 4.3 Browser-based XSS/RCE chain

1. **Integer overflow** in V8 gives arbitrary read/write.
2. Escape the sandbox with a second bug or call native APIs to drop a payload.
3. The payload then injects a malicious script into the origin context → stored XSS.

---

## 5. Defensive guidelines

1. **Use wide types or checked math** – e.g., size_t, Rust checked_add, Go math/bits.Add64.
2. **Validate ranges early**: reject any value outside the business domain before doing arithmetic on it.
3. **Enable compiler sanitizers**: -fsanitize=integer, UBSan, Go race detector.
4. **Adopt fuzzing in CI/CD** – combine coverage feedback with boundary corpora.
5. **Stay patched** – browser integer overflow bugs are often exploited within weeks.

---

## References

* [NVD CVE-2023-4863 – libwebp Heap Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
* [Google Project Zero – "Understanding V8 CVE-2024-0519"](https://googleprojectzero.github.io/)

{{#include ../../banners/hacktricks-training.md}}
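An added illustration (constructed for this page, not libwebp's or any decoder's real code) of the size-computation bug class from section 4.2 next to the checked-math and range-validation guidance from section 5. The unchecked function computes width × height × 4 in 32-bit unsigned arithmetic and silently wraps; the checked version does the math in `size_t` with explicit overflow tests and a hypothetical 256 MiB allocation cap. The dimensions 65537 × 65536 are constructed so that width × height exceeds 2^32.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Vulnerable pattern: both multiplications are unsigned 32-bit, so the
 * result wraps modulo 2^32 and the caller allocates a buffer that is far
 * smaller than the pixel data the decoder will later write into it. */
uint32_t rgba_size_unchecked(uint32_t width, uint32_t height)
{
    uint32_t pixels = width * height;   /* wraps once width*height >= 2^32 */
    return pixels * 4u;                 /* wraps again once pixels >= 2^30 */
}

/* Hardened version: reject zero dimensions, multiply in size_t only after
 * proving the product fits, and enforce an application-defined allocation
 * cap (max_bytes) before any memory is requested.
 * Returns the byte count, or 0 when the input is rejected. */
size_t rgba_size_checked(uint32_t width, uint32_t height, size_t max_bytes)
{
    if (width == 0 || height == 0)
        return 0;                       /* zero-area image: nothing to decode */
    if ((size_t)width > SIZE_MAX / height)
        return 0;                       /* width * height would overflow size_t */
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / 4)
        return 0;                       /* pixels * 4 would overflow size_t */
    size_t bytes = pixels * 4;
    if (bytes > max_bytes)
        return 0;                       /* exceeds the decoder's allocation budget */
    return bytes;
}

int main(void)
{
    /* Constructed dimensions: 65537 x 65536 pushes width*height past 2^32. */
    uint32_t w = 65537, h = 65536;
    size_t cap = (size_t)256 * 1024 * 1024;   /* hypothetical 256 MiB limit */
    printf("unchecked %ux%u: %u bytes (wrapped)\n", w, h, rgba_size_unchecked(w, h));
    printf("checked   %ux%u: %zu bytes (0 = rejected)\n", w, h, rgba_size_checked(w, h, cap));
    printf("checked 1024x768: %zu bytes\n", rgba_size_checked(1024, 768, cap));
    return 0;
}
```

On a 32-bit build, where `size_t` is itself 32 bits, the `SIZE_MAX / height` test is what stops the same wrap the unchecked function suffers; on 64-bit builds the allocation cap is the check that actually fires for these dimensions.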