PHP - Abuse PHP Type Juggling (WIP)

Type Juggling is a feature of PHP that automatically converts between different data types during comparison and arithmetic operations. It simplifies data comparison but introduces potential security risks, especially if the user input is not properly validated or sanitized.

Here we found how this can be exploited:

Imagine we caught a petition from a login page that sends the username and password values as parameters

POST /login.php HTTP 1.1
...
username=admin&password=admin

We could modify the petition to change the data type of the parameters

POST /login.php HTTP 1.1
...
username[]=admin&password[]=admin #Example converting strings into arrays

This will bypass the authentication as the values are now evaluated as arrays changing the logic of the comparison

PreviousCookie Hijacking (WIP)NextPHP - Bypass using filters (WIP)

Last updated 1 year ago