Type Juggling (also known as Type Confusion) vulnerabilities are a class of vulnerability wherein an object is initialized or accessed as the incorrect type, allowing an attacker to potentially bypass authentication or undermine the type safety of an application, possibly leading to arbitrary code execution.
A successful Type Juggling attack can result in the complete compromise of the confidentiality, integrity, and availability of the target system. For example, the type confusion vulnerability CVE-2015-0336 in Adobe Flash Player allows an attacker to execute arbitrary code, which could lead to unauthorized access or the modification of data.
In development, it is essential to ensure that resources are initialized and accessed as the intended type.
In statically-typed languages, take extra care where type casting occurs, using the strictest cast or type possible (i.e., in the case of handling a subclass, cast to the subclass rather than the parent). In a dynamically-typed language, type casting can occur implicitly; for example, in PHP the expression "0e1" == "0" evaluates to true because 0e1 is interpreted as the number 0. In these cases, it is important to use strict comparators such as === in PHP.
Verify that data is strongly typed and validated against a defined schema. Verify also that strict comparison is used wherever possible and that objects cannot be initialized with or accessed through the incorrect type.
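The following is an added example (not code from the original page) showing the PHP loose-comparison case described above beside the strict alternatives: a token check written with == versus one using hash_equals(), and an input validator that rejects anything not matching the expected integer type. The stored token value and the validateUserId() helper are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample values: a stored token that happens to be a numeric
// string in exponent form, and a submitted value that is numerically equal
// to it but is a different string.
const STORED_TOKEN = '0e1';
$submitted = '0';

// Weak: == compares two numeric strings as numbers, so '0e1' == '0' is
// true. This is the juggling case from the text and lets a wrong token pass.
function checkTokenLoose(string $stored, string $submitted): bool
{
    return $stored == $submitted;
}

// Hardened: hash_equals() requires both strings to be byte-for-byte
// identical and compares them in constant time, which is what a secret
// comparison needs. A plain === would also refuse to juggle types here.
function checkTokenStrict(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// Schema-style validation: accept only a genuine integer identifier.
// FILTER_VALIDATE_INT returns false for '0e1', '1abc', or '' instead of
// silently coercing them, so the caller never works with the wrong type.
function validateUserId(mixed $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('user id must be a positive integer');
    }
    return $id;
}

// Demonstration: the loose check accepts the mismatched token, the strict
// check rejects it, and the validator refuses a juggled identifier.
var_dump(checkTokenLoose(STORED_TOKEN, $submitted));
var_dump(checkTokenStrict(STORED_TOKEN, $submitted));
try {
    validateUserId('0e1');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```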
- OWASP ASVS: 5.1.4
- OWASP Testing Guide: Test Defenses Against Application Misuse, Business Logic Testing