# Integer Overflow (Web Applications)
{{#include ../../banners/hacktricks-training.md}}
> This page explains how **integer overflows/truncations can be abused in web applications and browsers**. For exploitation primitives inside native binaries, continue with the dedicated page:
>
> {{#ref}}
> ../../binary-exploitation/integer-overflow-and-underflow.md
> {{#endref}}
---
## 1. Why integer math still matters on the web
Although most business logic in modern stacks is written in *memory-safe* languages, the runtime underneath it (or its third-party libraries) is ultimately implemented in C/C++. Whenever user-influenced numbers are used to allocate buffers, compute offsets, or perform length checks, **a 32-bit or 64-bit wrap-around can turn a seemingly harmless parameter into an out-of-bounds read/write, a logic bypass or a DoS**.
Typical attack surface:
1. **Numeric request parameters**: classic id, offset, or count fields.
2. **Length / size headers**: Content-Length, WebSocket frame length, HTTP/2 continuation_len, etc.
3. **File-format metadata parsed server-side or client-side**: image dimensions, chunk sizes, font tables.
4. **Language-level conversions**: signed↔unsigned casts in PHP/Go/Rust FFI, JS Number → int32 truncations inside V8.
5. **Authentication & business logic**: coupon value, price, or balance calculations that silently overflow.
---
## 2. Recent real-world vulnerabilities (2023-2025)
| Year | Component | Root cause | Impact |
|------|-----------|-----------|--------|
| 2023 | **libwebp CVE-2023-4863** | 32-bit multiplication overflow when computing decoded pixel size | Led to a Chrome 0-day (BLASTPASS on iOS), allowing *remote code execution* inside the renderer sandbox. |
| 2024 | **V8 CVE-2024-0519** | Truncation to 32-bit when growing a JSArray leads to OOB write on the backing store | Remote code execution after a single visit. |
| 2025 | **Apollo GraphQL Server** (unreleased patch) | 32-bit signed integer used for first/last pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). |
---
## 3. Testing strategy
### 3.1 Boundary-value cheat-sheet
Send **extreme signed/unsigned values** wherever an integer is expected:
```
-1, 0, 1,
127, 128, 255, 256,
32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff
```
Other useful formats:
* Hex (0x100), octal (0377), scientific (1e10), JSON big-int (9999999999999999999).
* Extremely long digit strings (>1 kB) to hit custom parsers.
### 3.2 Burp Intruder template
```
§INTEGER§
Payload type: Numbers
From: -10 To: 4294967300 Step: 1
Pad to length: 10, Enable hex prefix 0x
```
### 3.3 Fuzzing libraries & runtimes
* **AFL++/Honggfuzz** with a libFuzzer harness around the parser (e.g. WebP, PNG, protobuf).
* **Fuzzilli** grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations.
* **boofuzz** network-protocol fuzzing (WebSocket, HTTP/2) targeting length fields.
---
## 4. Exploitation patterns
### 4.1 Logic bypass in server-side code (PHP example)
```php
$price = (int)$_POST['price']; // expecting cents (0-10000)
$total = $price * 100;         // ← 32-bit overflow possible
if ($total > 1000000) {
    die('Too expensive');
}
/* With wrapping 32-bit signed math, price=21474850 gives 2147485000, which
 * wraps to the negative value -2147482296 and the "> 1000000" check is bypassed.
 * Note: PHP itself promotes an overflowing int to float (and is 64-bit on
 * modern builds), so the wrap is most realistic in C-backed extensions or
 * services that store the total in a 32-bit column or struct field. */
```
### 4.2 Heap overflow via image decoder (libwebp 0-day)
The WebP lossless decoder multiplied image width × height × 4 (RGBA) inside a 32-bit int. A crafted file with dimensions of 16384 × 16384 overflowed the multiplication, allocated a short buffer and later wrote **~1GB** of decompressed data past the heap, causing RCE in every Chromium-based browser before 116.0.5845.187.
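The two multiply-then-check patterns from 4.1 and 4.2 side by side with their checked counterparts, as an added example (not code from the original page or from libwebp/Chromium). It assumes GCC or Clang for `__builtin_mul_overflow`; the inputs are constructed, and the domain cap (`max_bytes`) is the "validate ranges early" guideline from section 5 applied to an allocation size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* 4.2 pattern: width * height * 4 (RGBA) in a 32-bit integer. The product
 * wraps modulo 2^32, so a huge image gets a tiny buffer that is then overrun. */
uint32_t naive_rgba_size(uint32_t width, uint32_t height)
{
    return width * height * 4u;
}

/* Hardened form: overflow-checked multiplications in size_t plus a domain cap
 * (max_bytes), so the verdict does not depend on the platform's word size. */
bool checked_rgba_size(uint32_t width, uint32_t height, size_t max_bytes,
                       size_t *out)
{
    size_t pixels, bytes;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &pixels) ||
        __builtin_mul_overflow(pixels, (size_t)4, &bytes) || bytes > max_bytes)
        return false;
    *out = bytes;
    return true;
}

/* 4.1 pattern: price in cents times 100 in 32-bit signed math; the unsigned
 * cast reproduces two's-complement wrap (signed overflow itself is UB in C). */
bool naive_price_ok(int32_t price_cents)
{
    int32_t total = (int32_t)((uint32_t)price_cents * 100u);
    return total <= 1000000; /* a wrapped negative total passes this check */
}

bool checked_price_ok(int32_t price_cents)
{
    int32_t total;
    if (price_cents < 0 || __builtin_mul_overflow(price_cents, 100, &total))
        return false;
    return total <= 1000000;
}

int main(void)
{
    size_t bytes = 0; /* constructed inputs: 65536 x 65536 wraps to 0 */
    printf("naive=%u checked=%d\n", naive_rgba_size(65536u, 65536u),
           checked_rgba_size(65536u, 65536u, (size_t)1 << 30, &bytes));
    printf("naive_price=%d checked_price=%d\n", naive_price_ok(21474850),
           checked_price_ok(21474850));
    return 0;
}
```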
### 4.3 Browser-based XSS/RCE chain
1. **Integer overflow** in V8 gives arbitrary read/write.
2. Escape the sandbox with a second bug or call native APIs to drop a payload.
3. The payload then injects a malicious script into the origin context → stored XSS.
---
## 5. Defensive guidelines
1. **Use wide types or checked math**: e.g. size_t, Rust checked_add, Go math/bits.Add64.
2. **Validate ranges early**: reject any value outside the business domain before doing arithmetic.
3. **Enable compiler sanitizers**: -fsanitize=integer, UBSan, Go race detector.
4. **Adopt fuzzing in CI/CD**: combine coverage feedback with boundary corpora.
5. **Stay patched**: browser integer overflow bugs are often exploited within weeks.
---
## References
* [NVD CVE-2023-4863 libwebp Heap Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
* [Google Project Zero "Understanding V8 CVE-2024-0519"](https://googleprojectzero.github.io/)
{{#include ../../banners/hacktricks-training.md}}