From fdb975d6367837fbf86c1dce8ed94d3b005b900b Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 23 Jul 2025 16:27:14 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/pentesting-web/xss-cross-site-... --- .../integer-overflow.md | 109 +++++++++++++++++- 1 file changed, 103 insertions(+), 6 deletions(-) diff --git a/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md b/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md index e02d2e4eee2..94e621d7867 100644 --- a/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md +++ b/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md @@ -1,14 +1,111 @@ -# Integer Overflow +# Integer Overflow (Web Applications) {{#include ../../banners/hacktricks-training.md}} -Check: +> This page focuses on how **integer overflows/truncations can be abused in web applications and browsers**. For exploitation primitives inside native binaries you can continue reading the dedicated page: +> +> {{#ref}} +> ../../binary-exploitation/integer-overflow.md +> {{#endref}} -{{#ref}} -../../binary-exploitation/integer-overflow.md -{{#endref}} +--- -{{#include ../../banners/hacktricks-training.md}} +## 1. Why integer math still matters on the web + +Even though most business-logic in modern stacks is written in *memory-safe* languages, the underlying runtime (or third-party libraries) is eventually implemented in C/C++. Whenever user-controlled numbers are used to allocate buffers, compute offsets, or perform length checks, **a 32-bit or 64-bit wrap-around may transform an apparently harmless parameter into an out-of-bounds read/write, a logic bypass or a DoS**. + +Typical attack surface: + +1. **Numeric request parameters** – classic `id`, `offset`, or `count` fields. +2. **Length / size headers** – `Content-Length`, WebSocket frame length, HTTP/2 `continuation_len`, etc. +3. **File-format metadata parsed server-side or client-side** – image dimensions, chunk sizes, font tables. +4. **Language-level conversions** – signed↔unsigned casts in PHP/Go/Rust FFI, JS `Number` → `int32` truncations inside V8. +5. **Authentication & business logic** – coupon value, price, or balance calculations that silently overflow. + +--- + +## 2. Recent real-world vulnerabilities (2023-2025) + +| Year | Component | Root cause | Impact | +|------|-----------|-----------|--------| +| 2023 | **libwebp – CVE-2023-4863** | 32-bit multiplication overflow when computing decoded pixel size | Triggered a Chrome 0-day (`BLASTPASS` on iOS), allowed *remote code execution* inside the renderer sandbox. | +| 2024 | **V8 – CVE-2024-0519** | Truncation to 32-bit when growing a `JSArray` leads to OOB write on the backing store | Remote code execution after a single visit. | +| 2025 | **Apollo GraphQL Server** (unreleased patch) | 32-bit signed integer used for `first/last` pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). | + +--- + +## 3. Testing strategy + +### 3.1 Boundary-value cheat-sheet + +Send **extreme signed/unsigned values** wherever an integer is expected: + +``` +-1, 0, 1, +127, 128, 255, 256, +32767, 32768, 65535, 65536, +2147483647, 2147483648, 4294967295, +9223372036854775807, 9223372036854775808, +0x7fffffff, 0x80000000, 0xffffffff +``` + +Other useful formats: +* Hex (`0x100`), octal (`0377`), scientific (`1e10`), JSON big-int (`9999999999999999999`). +* Very long digit strings (>1kB) to hit custom parsers. + +### 3.2 Burp Intruder template +``` +§INTEGER§ +Payload type: Numbers +From: -10 To: 4294967300 Step: 1 +Pad to length: 10, Enable hex prefix 0x +``` +### 3.3 Fuzzing libraries & runtimes +* **AFL++/Honggfuzz** with `libFuzzer` harness around the parser (e.g., WebP, PNG, protobuf). +* **Fuzzilli** – grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations. +* **boofuzz** – network-protocol fuzzing (WebSocket, HTTP/2) focusing on length fields. + +--- + +## 4. Exploitation patterns + +### 4.1 Logic bypass in server-side code (PHP example) +```php +$price = (int)$_POST['price']; // expecting cents (0-10000) +$total = $price * 100; // ← 32-bit overflow possible +if($total > 1000000){ + die('Too expensive'); +} +/* Sending price=21474850 → $total wraps to ‑2147483648 and check is bypassed */ +``` + +### 4.2 Heap overflow via image decoder (libwebp 0-day) +The WebP lossless decoder multiplied image width × height × 4 (RGBA) inside a 32-bit `int`. A crafted file with dimensions `16384 × 16384` overflows the multiplication, allocates a short buffer and subsequently writes **~1GB** of decompressed data past the heap – leading to RCE in every Chromium-based browser before 116.0.5845.187. + +### 4.3 Browser-based XSS/RCE chain +1. **Integer overflow** in V8 gives arbitrary read/write. +2. Escape the sandbox with a second bug or call native APIs to drop a payload. +3. The payload then injects a malicious script into the origin context → stored XSS. + +--- + +## 5. Defensive guidelines + +1. **Use wide types or checked math** – e.g., `size_t`, Rust `checked_add`, Go `math/bits.Add64`. +2. **Validate ranges early**: reject any value outside business domain before arithmetic. +3. **Enable compiler sanitizers**: `-fsanitize=integer`, UBSan, Go race detector. +4. **Adopt fuzzing in CI/CD** – combine coverage feedback with boundary corpora. +5. **Stay patched** – browser integer overflow bugs are frequently weaponised within weeks. + +--- + + + +## References + +* [NVD CVE-2023-4863 – libwebp Heap Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) +* [Google Project Zero – "Understanding V8 CVE-2024-0519"](https://googleprojectzero.github.io/) +{{#include ../../banners/hacktricks-training.md}}