Out Of Bounds Write in Express with Hmac Signatures
Out Of Bounds Write in Express with Hmac Signatures — how this specific combination creates or exposes the vulnerability
An Out Of Bounds Write occurs when an application writes data to a memory location outside the intended buffer. In Express, this typically arises from unsafe handling of request data (e.g., raw body buffers) before signature verification. When Hmac Signatures are used—commonly to validate webhook payloads or API requests—developers may deserialize or process the payload before verifying the Hmac, allowing an attacker to supply crafted input that leads to memory corruption during subsequent parsing or transformation.
Consider a webhook handler that reads the raw body as a Buffer and then parses it as JSON without first validating the Hmac. An oversized or malformed JSON string can trigger an Out Of Bounds Write during parsing, especially if the runtime or underlying libraries have known memory handling issues. The Hmac Signature is meant to guarantee integrity and authenticity, but if the signature check is performed after deserialization, the damage is already done: the attacker has induced the server to process untrusted input that leads to out-of-bounds memory operations.
For example, the following Express route reads the raw body and only afterward checks the Hmac. If the JSON parser encounters a deeply nested or extremely long string, it may attempt to write beyond allocated memory boundaries before the signature is validated:
const express = require('express');
const crypto = require('crypto');
const app = express();
app.use(express.json({ type: 'application/json' }));
app.use(express.raw({ type: 'text/plain' }));
app.post('/webhook', (req, res) => {
const signature = req.headers['x-hub-signature-256'];
const body = req.body; // raw Buffer
const expected = 'sha256=' + crypto.createHmac('sha256', 'my-secret').update(body).digest('hex');
if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
return res.status(401).send('Invalid signature');
}
const data = JSON.parse(body.toString()); // potentially unsafe if body is malformed
res.json({ received: data });
});
In this pattern, the raw body is used both for Hmac computation and for parsing. If the JSON parser encounters maliciously crafted content, the runtime may attempt an Out Of Bounds Write during internal buffer management. This is not a flaw in Hmac itself, but a consequence of processing untrusted data before verification. The combination is risky because the security boundary (the signature) is evaluated too late, after the application has already exposed memory operations to the input.
Moreover, if the Hmac verification uses a vulnerable crypto library or incorrect encoding (e.g., mishandling UTF-8 vs. binary), the comparison may be bypassed or cause erratic memory behavior. An attacker could exploit parser edge cases—such as extremely long strings, deeply nested objects, or specially crafted unicode—to trigger the out-of-bounds condition. Because Express does not inherently protect against memory corruption in userland JavaScript, the responsibility falls on the developer to validate and sanitize input before any processing, not after.
Hmac Signatures-Specific Remediation in Express — concrete code fixes
To prevent Out Of Bounds Write risks when using Hmac Signatures in Express, ensure that the signature is verified before any parsing or transformation of the input data. This establishes a security boundary that rejects malformed or malicious payloads before they reach memory-sensitive operations. Always treat the raw body as untrusted until the Hmac is confirmed valid.
Below is a secure pattern that reads the raw body, verifies the Hmac, and only then parses the JSON. The key is to perform the cryptographic check on the raw bytes and to avoid using the raw body for anything other than hashing until validation passes:
const express = require('express');
const crypto = require('crypto');
const app = express();
// Use raw body middleware for signature verification
app.use('/webhook', express.raw({ type: 'application/json' }));
app.post('/webhook', (req, res) => {
const signature = req.headers['x-hub-signature-256'];
if (!signature || !signature.startsWith('sha256=')) {
return res.status(400).send('Missing signature');
}
const body = req.body; // Buffer
const expected = 'sha256=' + crypto.createHmac('sha256', process.env.WEBHOOK_SECRET).update(body).digest('hex');
if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
return res.status(401).send('Invalid signature');
}
// Only after verification, parse the body
let data;
try {
data = JSON.parse(body.toString('utf8'));
} catch (err) {
return res.status(400).send('Invalid JSON');
}
res.json({ received: data });
});
This approach isolates the raw bytes to the hashing step and ensures no parsing occurs before authentication. To further reduce risk, enforce strict input length limits at the middleware layer before Hmac computation, preventing excessively large payloads that could stress the parser. Also, use environment variables for secrets and prefer SHA-256 with timing-safe comparison to avoid timing attacks.
For production use, the middleBrick CLI can be integrated into your workflow to scan Express endpoints for such patterns. Run middlebrick scan https://your-api.example.com/webhook to detect insecure signature handling and other security issues. Teams using the Pro plan can enable continuous monitoring to catch regressions early, while the GitHub Action can fail builds if a scan returns a risk score below your defined threshold.