AttackFlow Findings Dictionary


Integer Overflow

The attacker may manipulate arithmetic operations to gain an unauthorized financial advantage or to leave the application in a denial-of-service state.

Severity

Critical

Fix Cost

Low

Trust Level

Medium

Performing arithmetic calculations may not sound problematic in code as long as they produce correct results. However, unchecked integer arithmetic with at least one user-provided operand leaves the application unstable at best when it comes under attack.

Here is controller code that accepts a simple integer input from the user and tries to calculate the total number of items.

using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;

public class CartController : ApiController
{
    // Upper bound on items a single checkout may reserve (the page gives no value; placeholder)
    private const int MAX_ITEMS_TO_RESERVE = 1000;

    [HttpPost]
    public HttpResponseMessage CheckOut(Customer customer)
    {
        // Unchecked multiplication: a product larger than Int32.MaxValue silently wraps around
        int itemsToReserve = customer.NoOfSelection * customer.NoOfPeople;
        if (itemsToReserve > MAX_ITEMS_TO_RESERVE)
        {
            throw new Exception();
        }

        // try to calculate the price for the items
        // ...
        return Request.CreateResponse(HttpStatusCode.OK);
    }
    // ...
}

Here, if an attacker sends huge positive integers for NoOfSelection or NoOfPeople, the product may exceed Int32.MaxValue and wrap around to a negative number. The first if statement then does not hold, and execution continues on to calculate a wrong price.

This situation may leave the application in an unstable state or produce a wrong total price to the attacker's advantage.

When the arithmetic operation produces a number larger than the resulting variable can hold (an Int32 in this case can hold at most Int32.MaxValue), the result overflows and the variable ends up with a valid-looking but incorrect value.


Here is the equivalent Java controller code that accepts a simple integer input from the user and tries to calculate the total number of items.

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class CartController {

    // Upper bound on items a single checkout may reserve (the page gives no value; placeholder)
    private static final int MAX_ITEMS_TO_RESERVE = 1000;

    @RequestMapping(method = RequestMethod.POST)
    public String Checkout(Customer customer) throws Exception {
        // Unchecked multiplication: a product larger than Integer.MAX_VALUE silently wraps around
        int itemsToReserve = customer.NoOfSelection * customer.NoOfPeople;
        if (itemsToReserve > MAX_ITEMS_TO_RESERVE) {
            throw new Exception();
        }
        // try to calculate the price for the items
        // ...
        return "checkout";
    }
    // ...
}

Here, if an attacker sends huge positive integers for NoOfSelection or NoOfPeople, the product may exceed Integer.MAX_VALUE and wrap around to a negative number. The first if statement then does not hold, and execution continues on to calculate a wrong price.

This situation may leave the application in an unstable state or produce a wrong total price to the attacker's advantage.

When the arithmetic operation produces a number larger than the resulting variable can hold (an int in this case can hold at most Integer.MAX_VALUE), the result overflows and the variable ends up with a valid-looking but incorrect value.
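The following is an added example, not AttackFlow's code, that demonstrates the wrap-around described in both the .NET and Java sections above and shows how the reservation check can be hardened. The Customer class, the MAX_ITEMS_TO_RESERVE value and the sample inputs are constructed for this demonstration; the check uses the JDK's Math.multiplyExact, which throws ArithmeticException instead of wrapping.

```java
// Added example (not AttackFlow's code): the unchecked multiplication from the
// controller above beside an overflow-safe version. Customer, the constant and
// the sample inputs are constructed for this demonstration.
public class ReservationCheck {

    // Placeholder limit; the page does not give the real value
    static final int MAX_ITEMS_TO_RESERVE = 1_000;

    /** Constructed stand-in for the page's Customer model. */
    static final class Customer {
        final int noOfSelection;
        final int noOfPeople;

        Customer(int noOfSelection, int noOfPeople) {
            this.noOfSelection = noOfSelection;
            this.noOfPeople = noOfPeople;
        }
    }

    /** Vulnerable: int multiplication silently wraps around on overflow. */
    static boolean vulnerableCheck(Customer c) {
        int itemsToReserve = c.noOfSelection * c.noOfPeople;
        return itemsToReserve <= MAX_ITEMS_TO_RESERVE; // true = reservation accepted
    }

    /** Hardened: reject non-positive operands and let the JDK detect overflow. */
    static boolean hardenedCheck(Customer c) {
        if (c.noOfSelection <= 0 || c.noOfPeople <= 0) {
            return false; // zero or negative quantities are never legitimate
        }
        try {
            int itemsToReserve = Math.multiplyExact(c.noOfSelection, c.noOfPeople);
            return itemsToReserve <= MAX_ITEMS_TO_RESERVE;
        } catch (ArithmeticException overflow) {
            return false; // product does not fit in an int: treat as "too many"
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate order and one chosen to overflow.
        // 46341 is the smallest value whose square exceeds Integer.MAX_VALUE;
        // 46341 * 46341 = 2147488281, which wraps to -2147479015 in an int.
        Customer normal = new Customer(3, 4);
        Customer attacker = new Customer(46_341, 46_341);

        System.out.println("wrapped product = "
                + (attacker.noOfSelection * attacker.noOfPeople));
        System.out.println("normal   vulnerable=" + vulnerableCheck(normal)
                + " hardened=" + hardenedCheck(normal));
        System.out.println("attacker vulnerable=" + vulnerableCheck(attacker)
                + " hardened=" + hardenedCheck(attacker));
    }
}
```

Running it shows the wrapped product as a negative number, so vulnerableCheck accepts the attacker's order while hardenedCheck rejects it. Widening the product to a long before comparing against the limit is another common fix. In C#, the equivalent is to wrap the expression as checked(customer.NoOfSelection * customer.NoOfPeople), which throws OverflowException on wrap-around instead of continuing with a wrong value; the operand sign checks apply there too.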
