On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO <dominique.righe...@gmail.com> wrote:
> Hi Tomas,
>
> Thank you very much.
>
> I try to understand the objective of each of the values in
> ["-0000012345", "-2147483649", "-2147483648", "0000012345", "2147483647",
> "2147483648", "4294967295", "4294967296", "0000023456"].
>
> For the values 2147483647, 2147483648, -2147483649, -2147483648
> I understand, because it's for testing around the limits of the Integer
> type, but for the other values I don't understand why they are used and
> where they come from?

The most important part seems to be here [0]

[0] https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872

> As I understand the vulnerability, according to all the stuff that I can
> read, it is the fact below:
>
> A parameter has an Integer overflow vuln if, in the case in which you submit
> a value over the max/min limit of the Integer, it returns a very small
> negative or positive value.
>
> Ex:
> You submit "2147483648" and the returned value is negative
> You submit "-2147483648" and the returned value is positive
>
> Can you confirm to me that my understanding is correct?

I'm no good with these low level bugs, but my basic understanding of the
vuln makes me think that the best way to detect this vuln is:

  * Send HTTP request with a test payload, let's say... 5, save it
  * Send HTTP request with a test for integer overflow, which if successful
    would be the same as sending the number 5 (calculate that, but it should
    be -(2^31-5) or something like that), save it
  * Compare the two. If they are equal we're in a case where integer overflow
    is present OR the input is not even used
  * Send one more HTTP request with a number 8 (different from the previous),
    compare with any of the previous ones. If it's different then integer
    overflow is present.

If you want to have lower false positives, after running through those steps
you could run one more test round, repeating steps 1 and 2 with a number
different than 5.

@Tomas: is this how you were doing it?

> I apologize for all my questions but I really want to fully understand the
> context of the vulnerability in order to take into account all the cases in
> the plugin implementation and also learn new things.
>
> W3AF team is a very cool learning environment, I feel like a dwarf among
> giants ;o)))))
>
> Thanks in advance.
>
> Best regards,
>
> Dom
>
>
>
> On 13/07/2013 15:48, Tomas Velazquez wrote:
>>
>> Hi Dominique,
>>
>> Months ago I coded a PoC of integer overflow, but it is unfinished.
>>
>> My code is based on skipfish detection:
>> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>>
>> Regards,
>>
>>
>>
>> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
>> <dominique.righe...@gmail.com> wrote:
>>
>>     Hi Andres,
>>
>>     I'm working on an integer overflow detection plugin and I try to
>>     understand, in an audit plugin, how to access the injection points
>>     detected in the discovery part.
>>
>>     Can you give me some pointers or a plugin example?
>>
>>     Thanks in advance
>>
>>     Dom
>>
>>
>> _______________________________________________
>> W3af-develop mailing list
>> W3af-develop@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>>
>

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
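As an added example (not code from w3af, skipfish, or anyone in this thread), here is the four-step check Andrés sketches above written in Python, the language w3af itself is written in, and run against constructed stand-in backends rather than a live target. It assumes a `send(value)` callable that submits the value in the parameter under test and returns the response body; the simulated applications and the probe numbers are constructed for the example. The probe value that wraps back to 5 under signed 32-bit two's-complement parsing is 5 + 2^32 = 4294967301, which is what the second request uses; the same arithmetic is why "2147483648" in the quoted skipfish list lands on -2147483648 when a backend stores it in a 32-bit int.

```python
# Added example (not w3af's or skipfish's code): the multi-request integer
# overflow check from the thread, run offline against constructed backends.
#
# Assumed interface: send(value: str) -> str submits the value in the
# parameter under test and returns the response body. The backends below
# are constructed stand-ins for the target application.

INT32_MIN = -2**31
INT32_MAX = 2**31 - 1
MOD32 = 2**32


def wrap_int32(n):
    """Two's-complement wraparound to a signed 32-bit value (emulates a C int)."""
    n %= MOD32
    return n - MOD32 if n > INT32_MAX else n


def wrap_equivalent(n):
    """An out-of-range value that a 32-bit parser folds back onto n.

    For n = 5 this is 5 + 2**32 = 4294967301. The digits differ from "5", so
    a backend that parses with proper width or range checks cannot answer as
    if it had received 5.
    """
    return n + MOD32


def check_round(send, base, alt):
    """One round of the check. Returns 'overflow', 'unused' or 'no_overflow'."""
    r_base = send(str(base))                   # step 1: plain test value
    r_wrap = send(str(wrap_equivalent(base)))  # step 2: value that wraps to base
    if r_base != r_wrap:                       # step 3: differ -> handled correctly
        return "no_overflow"
    r_alt = send(str(alt))                     # step 4: does the input matter at all?
    return "overflow" if r_alt != r_base else "unused"


def detect_integer_overflow(send, rounds=((5, 8), (9, 12))):
    """Run the check with more than one pair of numbers and report a verdict
    only when every round agrees (the extra round suggested in the thread
    for lowering false positives); disagreement is treated as no finding."""
    verdicts = {check_round(send, base, alt) for base, alt in rounds}
    return verdicts.pop() if len(verdicts) == 1 else "no_overflow"


# --- constructed backends standing in for the target application ----------

def vulnerable_app(value):
    """Parses the parameter into a C-style 32-bit int, so 4294967301 becomes 5."""
    return f"<h1>Item {wrap_int32(int(value))}</h1>"


def safe_app(value):
    """Arbitrary-precision parsing: 4294967301 stays 4294967301."""
    return f"<h1>Item {int(value)}</h1>"


def validating_app(value):
    """Rejects anything outside the 32-bit range instead of wrapping it."""
    n = int(value)
    if not INT32_MIN <= n <= INT32_MAX:
        return "<h1>Bad request</h1>"
    return f"<h1>Item {n}</h1>"


def static_app(value):
    """Ignores the parameter entirely."""
    return "<h1>Welcome</h1>"


if __name__ == "__main__":
    for name, app in [("vulnerable", vulnerable_app), ("safe", safe_app),
                      ("validating", validating_app), ("static", static_app)]:
        print(f"{name:10s} -> {detect_integer_overflow(app)}")
```

Running the file prints one verdict per simulated backend. In a real plugin, `send` would wrap the framework's request function for the injection point, and the responses should be normalised before comparison (strip timestamps, session tokens and other volatile content), otherwise a page that changes on every request always reads as "no_overflow" and the check becomes blind.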