maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md
carlospolop be775b0008 f
2025-09-07 16:49:20 +02:00

113 lines
4.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Integer Overflow (Web Applications)
{{#include ../../banners/hacktricks-training.md}}
> This page focuses on how **integer overflows/truncations can be abused in web applications and browsers**. For exploitation primitives inside native binaries you can continue reading the dedicated page:
>
>
{{#ref}}
> ../../binary-exploitation/integer-overflow-and-underflow.md
> {{#endref}}
---
## 1. Why integer math still matters on the web
Even though most business-logic in modern stacks is written in *memory-safe* languages, the underlying runtime (or third-party libraries) is eventually implemented in C/C++. Whenever user-controlled numbers are used to allocate buffers, compute offsets, or perform length checks, **a 32-bit or 64-bit wrap-around may transform an apparently harmless parameter into an out-of-bounds read/write, a logic bypass or a DoS**.
Typical attack surface:
1. **Numeric request parameters** classic `id`, `offset`, or `count` fields.
2. **Length / size headers** `Content-Length`, WebSocket frame length, HTTP/2 `continuation_len`, etc.
3. **File-format metadata parsed server-side or client-side** image dimensions, chunk sizes, font tables.
4. **Language-level conversions** signed↔unsigned casts in PHP/Go/Rust FFI, JS `Number``int32` truncations inside V8.
5. **Authentication & business logic** coupon value, price, or balance calculations that silently overflow.
---
## 2. Recent real-world vulnerabilities (2023-2025)
| Year | Component | Root cause | Impact |
|------|-----------|-----------|--------|
| 2023 | **libwebp CVE-2023-4863** | 32-bit multiplication overflow when computing decoded pixel size | Triggered a Chrome 0-day (`BLASTPASS` on iOS), allowed *remote code execution* inside the renderer sandbox. |
| 2024 | **V8 CVE-2024-0519** | Truncation to 32-bit when growing a `JSArray` leads to OOB write on the backing store | Remote code execution after a single visit. |
| 2025 | **Apollo GraphQL Server** (unreleased patch) | 32-bit signed integer used for `first/last` pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). |
---
## 3. Testing strategy
### 3.1 Boundary-value cheat-sheet
Send **extreme signed/unsigned values** wherever an integer is expected:
```
-1, 0, 1,
127, 128, 255, 256,
32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff
```
Other useful formats:
* Hex (`0x100`), octal (`0377`), scientific (`1e10`), JSON big-int (`9999999999999999999`).
* Very long digit strings (>1kB) to hit custom parsers.
### 3.2 Burp Intruder template
```
§INTEGER§
Payload type: Numbers
From: -10 To: 4294967300 Step: 1
Pad to length: 10, Enable hex prefix 0x
```
### 3.3 Fuzzing libraries & runtimes
* **AFL++/Honggfuzz** with `libFuzzer` harness around the parser (e.g., WebP, PNG, protobuf).
* **Fuzzilli** grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations.
* **boofuzz** network-protocol fuzzing (WebSocket, HTTP/2) focusing on length fields.
---
## 4. Exploitation patterns
### 4.1 Logic bypass in server-side code (PHP example)
```php
$price = (int)$_POST['price']; // expecting cents (0-10000)
$total = $price * 100; // ← 32-bit overflow possible
if($total > 1000000){
die('Too expensive');
}
/* Sending price=21474850 → $total wraps to 2147483648 and check is bypassed */
```
### 4.2 Heap overflow via image decoder (libwebp 0-day)
The WebP lossless decoder multiplied image width × height × 4 (RGBA) inside a 32-bit `int`. A crafted file with dimensions `16384 × 16384` overflows the multiplication, allocates a short buffer and subsequently writes **~1GB** of decompressed data past the heap leading to RCE in every Chromium-based browser before 116.0.5845.187.
### 4.3 Browser-based XSS/RCE chain
1. **Integer overflow** in V8 gives arbitrary read/write.
2. Escape the sandbox with a second bug or call native APIs to drop a payload.
3. The payload then injects a malicious script into the origin context → stored XSS.
---
## 5. Defensive guidelines
1. **Use wide types or checked math** e.g., `size_t`, Rust `checked_add`, Go `math/bits.Add64`.
2. **Validate ranges early**: reject any value outside business domain before arithmetic.
3. **Enable compiler sanitizers**: `-fsanitize=integer`, UBSan, Go race detector.
4. **Adopt fuzzing in CI/CD** combine coverage feedback with boundary corpora.
5. **Stay patched** browser integer overflow bugs are frequently weaponised within weeks.
---
## References
* [NVD CVE-2023-4863 libwebp Heap Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
* [Google Project Zero "Understanding V8 CVE-2024-0519"](https://googleprojectzero.github.io/)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink