OWASP Periodic Table of Vulnerabilities - Integer Overflow/Underflow


Integer Overflow / Underflow

Root Cause Summary

An arithmetic operation produces a value that is too large, or too small, to be represented in the number of bits allocated to it. The stored value then wraps around, so a positive number can become negative or a negative number positive, resulting in unexpected and potentially dangerous behavior.

Browser / Standards Solution


Perimeter Solution


Generic Framework Solution

The framework should provide safe object wrappers for numerical data types, just as it does for other generic data types such as phone numbers and email addresses. All arithmetic operations performed on primitive numeric types in the framework should perform overflow/underflow checks first.

Custom Framework Solution


Custom Code Solution

Never perform arithmetic operations on numeric primitives without strict checking for overflow/underflow conditions.
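The following is an added example (not code from the OWASP page) that illustrates both the framework-level and custom-code advice above: an unchecked 32-bit addition that silently wraps, beside checked add and multiply helpers that refuse any result which cannot be represented, and a size calculation built on them. The helper names and the sample inputs are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Unchecked addition: on overflow the result silently wraps around.
   Computed in unsigned arithmetic so the wrap is well defined here;
   signed overflow on int32_t itself would be undefined behaviour. */
static int32_t add_unchecked(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Checked addition: returns false and leaves *out untouched when the
   true sum lies outside the int32_t range (overflow or underflow). */
static bool add_checked(int32_t a, int32_t b, int32_t *out) {
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b)) {
        return false;
    }
    *out = a + b;
    return true;
}

/* Checked multiplication: computes in 64 bits, then range-checks. */
static bool mul_checked(int32_t a, int32_t b, int32_t *out) {
    int64_t r = (int64_t)a * (int64_t)b;
    if (r > INT32_MAX || r < INT32_MIN) {
        return false;
    }
    *out = (int32_t)r;
    return true;
}

/* Typical use: a buffer size derived from count * element size. A
   wrapped result here is what turns into an undersized allocation, so
   negative inputs and unrepresentable products are both rejected. */
static bool compute_size(int32_t count, int32_t elem_size, int32_t *out) {
    if (count < 0 || elem_size < 0) {
        return false;
    }
    return mul_checked(count, elem_size, out);
}

int main(void) {
    int32_t r;
    /* INT32_MAX + 1 wraps to INT32_MIN when unchecked. */
    printf("unchecked: %d\n", add_unchecked(INT32_MAX, 1));
    printf("checked: %s\n",
           add_checked(INT32_MAX, 1, &r) ? "ok" : "overflow rejected");
    return 0;
}
```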

Discussion / Controversy

Static analysis can be quite helpful in checking for possible overflow/underflow conditions.

Some runtime environments automatically check for overflow/underflow and raise an exception when one occurs, but no mainstream language runtime used for web application development currently does this, except for some flavors of Python. This vulnerability category may be a candidate for being solved entirely in the platform or framework, if enough pressure can be placed on language runtime developers to implement such checks.


References

Integer Overflow
Integer Overflows (WASC)
Integer Overflow or Wraparound (CWE)