Skip to content

Research Update Enhanced src/pentesting-web/xss-cross-site-s... #1176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 24, 2025
Merged

Research Update Enhanced src/pentesting-web/xss-cross-site-s... #1176

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
109 changes: 103 additions & 6 deletions src/pentesting-web/xss-cross-site-scripting/integer-overflow.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,111 @@
# Integer Overflow
# Integer Overflow (Web Applications)

{{#include ../../banners/hacktricks-training.md}}

Check:
> This page focuses on how **integer overflows/truncations can be abused in web applications and browsers**. For exploitation primitives inside native binaries you can continue reading the dedicated page:
>
> {{#ref}}
> ../../binary-exploitation/integer-overflow.md
> {{#endref}}

{{#ref}}
../../binary-exploitation/integer-overflow.md
{{#endref}}
---

{{#include ../../banners/hacktricks-training.md}}
## 1. Why integer math still matters on the web

Even though most business-logic in modern stacks is written in *memory-safe* languages, the underlying runtime (or third-party libraries) is eventually implemented in C/C++. Whenever user-controlled numbers are used to allocate buffers, compute offsets, or perform length checks, **a 32-bit or 64-bit wrap-around may transform an apparently harmless parameter into an out-of-bounds read/write, a logic bypass or a DoS**.

Typical attack surface:

1. **Numeric request parameters** – classic `id`, `offset`, or `count` fields.
2. **Length / size headers** – `Content-Length`, WebSocket frame length, HTTP/2 `continuation_len`, etc.
3. **File-format metadata parsed server-side or client-side** – image dimensions, chunk sizes, font tables.
4. **Language-level conversions** – signed↔unsigned casts in PHP/Go/Rust FFI, JS `Number` β†’ `int32` truncations inside V8.
5. **Authentication & business logic** – coupon value, price, or balance calculations that silently overflow.

---

## 2. Recent real-world vulnerabilities (2023-2025)

| Year | Component | Root cause | Impact |
|------|-----------|-----------|--------|
| 2023 | **libwebp – CVE-2023-4863** | 32-bit multiplication overflow when computing decoded pixel size | Triggered a Chrome 0-day (`BLASTPASS` on iOS), allowed *remote code execution* inside the renderer sandbox. |
| 2024 | **V8 – CVE-2024-0519** | Truncation to 32-bit when growing a `JSArray` leads to OOB write on the backing store | Remote code execution after a single visit. |
| 2025 | **Apollo GraphQL Server** (unreleased patch) | 32-bit signed integer used for `first/last` pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). |

---

## 3. Testing strategy

### 3.1 Boundary-value cheat-sheet

Send **extreme signed/unsigned values** wherever an integer is expected:

```
-1, 0, 1,
127, 128, 255, 256,
32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff
```

Other useful formats:
* Hex (`0x100`), octal (`0377`), scientific (`1e10`), JSON big-int (`9999999999999999999`).
* Very long digit strings (>1kB) to hit custom parsers.

### 3.2 Burp Intruder template

```
§INTEGER§
Payload type: Numbers
From: -10 To: 4294967300 Step: 1
Pad to length: 10, Enable hex prefix 0x
```

### 3.3 Fuzzing libraries & runtimes

* **AFL++/Honggfuzz** with `libFuzzer` harness around the parser (e.g., WebP, PNG, protobuf).
* **Fuzzilli** – grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations.
* **boofuzz** – network-protocol fuzzing (WebSocket, HTTP/2) focusing on length fields.

---

## 4. Exploitation patterns

### 4.1 Logic bypass in server-side code (PHP example)
```php
$price = (int)$_POST['price']; // expecting cents (0-10000)
$total = $price * 100; // ← 32-bit overflow possible
if($total > 1000000){
die('Too expensive');
}
/* Sending price=21474850 β†’ $total wraps to ‑2147483648 and check is bypassed */
```

### 4.2 Heap overflow via image decoder (libwebp 0-day)
The WebP lossless decoder multiplied image width Γ— height Γ— 4 (RGBA) inside a 32-bit `int`. A crafted file with dimensions `16384 Γ— 16384` overflows the multiplication, allocates a short buffer and subsequently writes **~1GB** of decompressed data past the heap – leading to RCE in every Chromium-based browser before 116.0.5845.187.

### 4.3 Browser-based XSS/RCE chain
1. **Integer overflow** in V8 gives arbitrary read/write.
2. Escape the sandbox with a second bug or call native APIs to drop a payload.
3. The payload then injects a malicious script into the origin context β†’ stored XSS.

---

## 5. Defensive guidelines

1. **Use wide types or checked math** – e.g., `size_t`, Rust `checked_add`, Go `math/bits.Add64`.
2. **Validate ranges early**: reject any value outside business ___domain before arithmetic.
3. **Enable compiler sanitizers**: `-fsanitize=integer`, UBSan, Go race detector.
4. **Adopt fuzzing in CI/CD** – combine coverage feedback with boundary corpora.
5. **Stay patched** – browser integer overflow bugs are frequently weaponised within weeks.

---



## References

* [NVD CVE-2023-4863 – libwebp Heap Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
* [Google Project Zero – "Understanding V8 CVE-2024-0519"](https://googleprojectzero.github.io/)
{{#include ../../banners/hacktricks-training.md}}