Integer overflow attack mitigation in Spring Rest API

java integer-overflow spring-boot zap spring-mvc-test

Solution 1:

This has nothing to do with converting the string to a valid integer. That is already taken care of by Spring.

The actual issue is described on the OWASP ZAP page. A very large page number may overflow to a negative number after addition, resulting in possible unexpected behaviour in your application. Consider, for example,

https:/...?pageNumber=2147483646&pageSize=100

The pageNumber is a perfectly valid int, with value Integer.MAX_VALUE - 1. But if your application then adds pageSize to it, it will overflow. You can mitigate by validating pageNumber and pageSize to be within ranges of sensible values, e.g. pageNumber between 1 and 1000000, pageSize between 1 and 10000.

Related

How to get vim to open multiple files into tabs at once
Difference between host name and domain name
How can I get an address bar in Finder?
Windows 7 Taskbar Icon Highlight Sticks
Where to upload PGP public key? Are KeyServers still surviving?
Why does a gigabit/sec Internet connection via cable (coax) not offer symmetrical speeds like fiber?
Reload .vimrc in Vim without restart
Is there a way to listen to the input sound on Mac OS X?
How to stop Mac to convert typing double dash to emdash?
tmux disregarding the configuration file
How do I find out which package owns a file?
Must TCP use IP?