Heap Spraying
What is Heap Spraying?
Heap Spraying: An exploitation primitive that fills the heap with many copies of a payload so that a corrupted pointer is highly likely to land on attacker-controlled data.
Heap spraying populates large regions of process memory with predictable copies of a NOP sled followed by shellcode (or, since DEP/NX made ordinary heap pages non-executable, copies of ROP gadget addresses, fake objects or fake vtables). When the attacker triggers a memory-corruption bug such as a use-after-free or type confusion in a browser, the corrupted pointer is steered to an address the spray is likely to cover (historically 0x0c0c0c0c, chosen because the byte pair 0x0c 0x0c decodes as the harmless x86 instruction "or al, 0x0c", so the pointer value doubles as sled content), and the dereference lands on attacker-controlled bytes without the attacker knowing exactly where each block was placed. The technique was popularised by SkyLined's 2004 Internet Explorer exploit and remains common in browser, document and font-parsing exploits. Modern defences include DEP/NX, high-entropy 64-bit ASLR (on 32-bit systems a few hundred MB of spray covered a large share of the address space, which is why classic ASLR alone did not stop it), partition-isolated heaps (PartitionAlloc in Chromium, the Isolated Heap and MemGC in Internet Explorer and Edge) that keep attacker-filled buffers away from the objects a dangling pointer refers to, control-flow integrity that rejects hijacked indirect calls, and JIT hardening that keeps attacker-controlled JavaScript data out of executable memory.
● Examples
- 01
Allocating hundreds of MB of JavaScript strings, each a NOP sled ending in shellcode, so that after a use-after-free a dangling pointer set to 0x0c0c0c0c almost certainly points into a sled and execution slides into the shellcode.
- 02
Adobe Flash exploits spraying ActionScript Vector.<uint> objects so that a memory-corruption bug lands in one of them; corrupting that Vector's length field then yields arbitrary read/write, which is used to place and pivot to a ROP chain.
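The following C program is an added example, not code from the original page or from any exploit it mentions. It simulates a classic NOP-sled heap spray in user space: it fills 64 heap blocks of 1 MiB with 0x0c sled bytes ending in a four-byte int3 marker (a constructed stand-in for shellcode), then "corrupts" a function pointer to offsets picked without knowledge of the block contents and checks whether execution would slide into the payload. It also computes the per-block sled coverage (why a random landing almost always works) and a Nozzle-style dominant-byte ratio a defender could use to flag sprayed blocks. The block size, block count, marker bytes and the detection threshold are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 0x0c 0x0c decodes as "or al, 0x0c" on x86, which is harmless, so a region of 0x0c bytes
   is a NOP sled and the classic pointer value 0x0c0c0c0c is both a likely address inside
   the spray and safe to execute if control lands on it. */
#define SLED_BYTE   0x0c
#define BLOCK_SIZE  (1u << 20)   /* 1 MiB per sprayed block, typical of JS string sprays (assumed) */
#define NUM_BLOCKS  64           /* 64 MiB here; browser exploits sprayed hundreds of MiB */

/* Stand-in for shellcode: four int3 bytes. Constructed marker, not a real payload. */
static const uint8_t PAYLOAD[] = { 0xcc, 0xcc, 0xcc, 0xcc };
#define PAYLOAD_LEN (sizeof PAYLOAD)

typedef struct { uint8_t *blocks[NUM_BLOCKS]; size_t count; } spray_t;

/* Spray: allocate NUM_BLOCKS heap blocks laid out as [sled ... sled][PAYLOAD]. */
static size_t spray_heap(spray_t *s)
{
    s->count = 0;
    while (s->count < NUM_BLOCKS) {
        uint8_t *b = malloc(BLOCK_SIZE);
        if (!b) break;
        memset(b, SLED_BYTE, BLOCK_SIZE - PAYLOAD_LEN);
        memcpy(b + BLOCK_SIZE - PAYLOAD_LEN, PAYLOAD, PAYLOAD_LEN);
        s->blocks[s->count++] = b;
    }
    return s->count;
}

static void free_spray(spray_t *s)
{
    for (size_t i = 0; i < s->count; i++) free(s->blocks[i]);
    s->count = 0;
}

/* Fraction of offsets inside one block from which a hijacked PC slides into the payload.
   Landing inside the payload itself runs a truncated payload, so only sled offsets count. */
static double sled_coverage(size_t block_size, size_t payload_len)
{
    return (double)(block_size - payload_len) / (double)block_size;
}

/* Simulate a control transfer to `pc`: if it is inside a sprayed block, slide over sled
   bytes and report whether the intact payload follows. Outside the spray the real
   process would fault, so that counts as a miss. */
static int landing_reaches_payload(const spray_t *s, const uint8_t *pc)
{
    uintptr_t p = (uintptr_t)pc;
    for (size_t i = 0; i < s->count; i++) {
        uintptr_t lo = (uintptr_t)s->blocks[i], hi = lo + BLOCK_SIZE;
        if (p < lo || p >= hi) continue;
        while (p < hi && *(const uint8_t *)p == SLED_BYTE) p++;
        return hi - p == PAYLOAD_LEN && memcmp((const void *)p, PAYLOAD, PAYLOAD_LEN) == 0;
    }
    return 0;
}

/* Nozzle-style heuristic a defender can run over live heap blocks: the share of bytes
   equal to the single most common byte value. Sled blocks score near 1.0; ordinary
   data does not. (Assumed heuristic, not any product's exact rule.) */
static double dominant_byte_ratio(const uint8_t *buf, size_t len)
{
    size_t hist[256] = { 0 }, best = 0;
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    for (int v = 0; v < 256; v++) if (hist[v] > best) best = hist[v];
    return len ? (double)best / (double)len : 0.0;
}

/* Spray, then "corrupt" a function pointer to four offsets chosen without knowledge of
   the block contents (0, a 0x0c0c0c-style offset, the last sled byte, inside the payload)
   plus one address outside the spray, and count how many reach the payload. */
static int demo_hits(void)
{
    spray_t s;
    if (spray_heap(&s) == 0) return -1;
    size_t offsets[] = { 0, 0x0c0c0c % BLOCK_SIZE, BLOCK_SIZE - PAYLOAD_LEN - 1, BLOCK_SIZE - 2 };
    int hits = 0;
    for (size_t k = 0; k < 4; k++)
        hits += landing_reaches_payload(&s, s.blocks[(k * 17) % s.count] + offsets[k]);
    hits += landing_reaches_payload(&s, (const uint8_t *)&s);  /* stack address: miss */
    free_spray(&s);
    return hits;  /* 3: the three sled offsets hit, the in-payload and stack ones miss */
}

/* Dominant-byte ratio of a freshly sprayed block, for the detection heuristic. */
static double demo_spray_ratio(void)
{
    spray_t s;
    if (spray_heap(&s) == 0) return -1.0;
    double r = dominant_byte_ratio(s.blocks[0], BLOCK_SIZE);
    free_spray(&s);
    return r;
}

int main(void)
{
    printf("sled coverage per block: %.6f\n", sled_coverage(BLOCK_SIZE, PAYLOAD_LEN));
    printf("simulated landings reaching payload: %d of 4 in-spray guesses\n", demo_hits());
    printf("dominant-byte ratio of a sprayed block: %.4f\n", demo_spray_ratio());
    return 0;
}
```

The point of `sled_coverage` is the attacker's arithmetic: with a 4-byte payload at the end of a 1 MiB block, more than 99.999% of offsets inside any sprayed block lead to the payload, so the attacker only needs the guessed address to fall somewhere in the sprayed region. The same uniformity is what `dominant_byte_ratio` keys on from the defensive side.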
● Frequently asked questions
What is Heap Spraying?
An exploitation primitive that fills the heap with many copies of a payload so that a corrupted pointer is highly likely to land on attacker-controlled data. It belongs to the Attacks & Threats category of cybersecurity.
What does Heap Spraying mean?
An exploitation primitive that fills the heap with many copies of a payload so that a corrupted pointer is highly likely to land on attacker-controlled data.
How does Heap Spraying work?
Heap spraying populates large regions of process memory with predictable copies of a NOP sled followed by shellcode (or, since DEP/NX made ordinary heap pages non-executable, copies of ROP gadget addresses, fake objects or fake vtables). When the attacker triggers a memory-corruption bug such as a use-after-free or type confusion in a browser, the corrupted pointer is steered to an address the spray is likely to cover (historically 0x0c0c0c0c, chosen because the byte pair 0x0c 0x0c decodes as the harmless x86 instruction "or al, 0x0c", so the pointer value doubles as sled content), and the dereference lands on attacker-controlled bytes without the attacker knowing exactly where each block was placed. The technique was popularised by SkyLined's 2004 Internet Explorer exploit and remains common in browser, document and font-parsing exploits. Modern defences include DEP/NX, high-entropy 64-bit ASLR, partition-isolated heaps (PartitionAlloc in Chromium, the Isolated Heap and MemGC in Internet Explorer and Edge), control-flow integrity, and JIT hardening that keeps attacker-controlled JavaScript data out of executable memory.
How do you defend against Heap Spraying?
Make the spray non-executable, unpredictable and unreachable: enable DEP/NX so sprayed data cannot run as shellcode; run 64-bit processes with high-entropy ASLR so that hundreds of MB no longer cover a meaningful fraction of the address space; allocate DOM objects, JavaScript strings and array buffers from separate partitions (PartitionAlloc, Isolated Heap) so a dangling pointer to one object type cannot be aimed at attacker-filled buffers of another; enforce control-flow integrity so a hijacked indirect call to sprayed memory is rejected; and keep JIT-emitted code out of attacker control. Mitigation toolkits such as EMET also pre-allocated commonly sprayed addresses (0x0a0a0a0a, 0x0c0c0c0c and similar) so an exploit relying on those values would fault, and allocator-level detectors (Microsoft Research's Nozzle) flag heaps that fill with sled-like content.
What are other names for Heap Spraying?
Common alternative names include: Heap spray.
● Related terms
- Heap Feng Shui (attacks)
Deterministic heap-grooming technique introduced by Alexander Sotirov in 2007 that arranges allocations to land vulnerable objects next to attacker-controlled ones.
- Use-After-Free (vulnerabilities)
A memory-safety bug where a program continues to use memory after it has been freed, often allowing attackers to control object state and hijack execution.
- ASLR (appsec)
Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
- Buffer Overflow (vulnerabilities)
A memory-safety flaw where a program writes past the end of an allocated buffer, corrupting adjacent memory and often enabling code execution.
● See also
- JIT Spray