
Type Juggling in PHP


Description

When an operator is applied to operands of two different types, PHP converts one of them to the type of the other before evaluating the expression. Type juggling vulnerabilities are introduced when this implicit conversion takes place inside a security decision without the developer being aware of it. For example, on PHP 7 and earlier the following expression evaluates to true, because the non-numeric string "password" is converted to the integer 0 before the comparison:

"password" == 0

PHP 8.0 changed this particular rule: an integer compared with a non-numeric string is now converted to a string, so the expression above is false on PHP 8. Other loose-comparison conversions still apply in every version. Two numeric strings such as "1e3" and "1000" compare equal numerically, and any non-empty string other than "0" compares equal to true.

Vulnerable Example

Type juggling vulnerabilities are introduced by comparing untrusted input with the loose operators == or != instead of their strict counterparts. The following code is an example.

if($_POST['password'] == "secret_password") {
  ...
}

Here, if the submitted password reaches the comparison as the integer 0, the statement evaluates to true on PHP 7 and earlier: PHP attempts to convert "secret_password" to an integer, the conversion fails because the string is not numeric and yields 0, and the comparison becomes 0 == 0. Two caveats matter in practice. Form-encoded POST fields always arrive as strings, and "0" == "secret_password" is a plain string comparison that is false, so the bypass needs an input path that preserves native types, such as a JSON request body decoded with json_decode(). And PHP 8.0 changed the rule for an integer compared with a non-numeric string, so this specific comparison is false on PHP 8, but a JSON value of true still matches in every version, since any non-empty string other than "0" compares equal to true, and two hash strings of the form "0e<digits>" still compare equal because both are numeric strings.

Prevention

Always use strict comparison: === instead of == and !== in place of !=. A strict comparison checks the type as well as the value, so no implicit conversion takes place and a non-string value can never match a string. For secrets such as passwords and tokens, also check that the input is a string and compare it with hash_equals(), which is both strict and timing-safe; when the stored value is a password hash, use password_verify().
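The following script is an added example, not code from the original page. It runs the page's loose check beside a hardened one on constructed inputs; the function names checkPasswordLoose and checkPasswordStrict, the sample JSON bodies and the labels are assumptions made for the illustration. Running it under PHP 7 and then under PHP 8 shows which bypass the PHP 8 comparison change removed and which ones remain.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. All inputs below are constructed.

/** Vulnerable: loose comparison, as in the snippet above. */
function checkPasswordLoose($submitted, string $expected): bool
{
    return $submitted == $expected;
}

/** Hardened: refuse anything that is not a string, then compare strictly and in constant time. */
function checkPasswordStrict($submitted, string $expected): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

$expected = 'secret_password';

// Constructed attacker inputs. A form-encoded POST field is always a string;
// a JSON body decoded with json_decode() keeps native types, which is the
// input path that makes type juggling reachable in this check.
$inputs = [
    'form field "0"'          => '0',
    'JSON {"password": 0}'    => json_decode('{"password": 0}', true)['password'],
    'JSON {"password": true}' => json_decode('{"password": true}', true)['password'],
    'correct password'        => 'secret_password',
];

printf("PHP %s\n", PHP_VERSION);
foreach ($inputs as $label => $value) {
    // "0" vs "secret_password" is a string comparison and never matches.
    // int 0 matches on PHP < 8.0 (the string is cast to 0) and not on PHP >= 8.0.
    // bool true matches on every version, because a non-empty string is truthy.
    printf("%-26s loose=%-5s strict=%s\n", $label,
        var_export(checkPasswordLoose($value, $expected), true),
        var_export(checkPasswordStrict($value, $expected), true));
}

// Two numeric strings are compared numerically in every PHP version, even when
// both operands are strings. md5('240610708') and md5('QNKCDZO') both have the
// form "0e<digits>", which == reads as the float 0, so a stored hash compared
// with == accepts a second, unrelated input. hash_equals() does not.
$stored    = md5('240610708');
$candidate = md5('QNKCDZO');
printf("%-26s loose=%-5s strict=%s\n", 'md5 magic hash',
    var_export($stored == $candidate, true),
    var_export(hash_equals($stored, $candidate), true));
```

Save it as juggling.php and run php juggling.php under each PHP major version you support. The loose column changes between 7 and 8 only for the integer row; the true row and the magic-hash row match under both, and the strict column matches only for the correct password.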

References

PHP - Type Juggling
Netsparker - Sven Morgenroth - Detailed Explanation of PHP Type Juggling Vulnerabilities