Java Arithmetic Integer Overflow
Description
Detects potential integer overflow vulnerabilities in Java web applications where untrusted HTTP request parameters are used in integer arithmetic operations. Integer overflows can lead to unexpected behavior, data corruption, or security bypasses when user-controlled input causes numeric values to exceed their maximum bounds.
Detection Strategy
• Check if the application uses Java Servlet API classes (javax.servlet.http.HttpServletRequest or javax.servlet.ServletRequest) for handling HTTP requests
• Look for method parameters that accept request objects from the Servlet API
• Examine the execution blocks containing these parameters for integer arithmetic operations
• Report a vulnerability if request parameters from HTTP requests are used in integer calculations without proper bounds checking
Vulnerable code example
import javax.servlet.http.HttpServletRequest;

public void processCount(HttpServletRequest req) {
    String input = req.getParameter("count");
    int value = Integer.parseInt(input); // SOURCE: Untrusted input from request
    int result = value * 1000; // SINK: No range validation, integer overflow possible
}

✅ Secure code example
import javax.servlet.http.HttpServletRequest;

public void processCount(HttpServletRequest req) {
    String input = req.getParameter("count");
    try {
        int value = Integer.parseInt(input);
        // Check bounds before multiplication to prevent overflow
        if (value <= Integer.MAX_VALUE / 1000 && value >= Integer.MIN_VALUE / 1000) {
            int result = value * 1000; // Only reached when the product fits in an int
        }
    } catch (NumberFormatException e) {
        throw new IllegalArgumentException("count must be an integer", e); // Reject missing or non-numeric input
    }
}