PHP Logins

PHP Type Juggling

PHP type juggling is an attack in which type confusion takes place in a PHP application. Consider a comparison statement used in a PHP application, for example:

<?php
$dn = "dnoscp";
if ( $dn == "dnoscp" ) {
    echo "Same";
}
?>

The application is expected to print its output only when the comparison (line 3 of the example) is true.

Which it actually does.

But when == (loose comparison) is used instead of === (strict comparison), a type confusion vulnerability arises. The vulnerability takes advantage of PHP's type coercion of boolean values to bypass the check: if the input is supplied as the boolean value true instead of a string, the loose comparison treats the non-empty string as true as well, so the check passes and the output "Same" is obtained.

Whenever a PHP application uses a loose comparison in a login check, it is worth testing for a type juggling vulnerability.

Machines

Patch

Use === (strict comparison) for comparison statements, so that both the type and the value must match.
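The following is an added example, not code from the original page, that puts the vulnerable check described above next to the patched one. The constant EXPECTED and the sample inputs are constructed for the demonstration; safeCheck() is an additional hardened form that also rejects non-string input and compares secrets in constant time with hash_equals().

```php
<?php
// Added example (constructed): the same login-style check written three ways.
const EXPECTED = "dnoscp";

// Vulnerable check: == lets PHP coerce both operands before comparing.
// A boolean true on the left turns the non-empty string into true as well.
function looseCheck($input): bool {
    return $input == EXPECTED;
}

// Patched check: === compares type and value, so only the exact string matches.
function strictCheck($input): bool {
    return $input === EXPECTED;
}

// Hardened check for secrets: require a string, then compare in constant time.
function safeCheck($input): bool {
    return is_string($input) && hash_equals(EXPECTED, $input);
}

// Constructed sample inputs: the real string, a boolean, and a wrong string.
$samples = ["dnoscp", true, "other"];

foreach ($samples as $in) {
    printf("input=%-8s loose=%-5s strict=%-5s safe=%s\n",
        var_export($in, true),
        var_export(looseCheck($in), true),
        var_export(strictCheck($in), true),
        var_export(safeCheck($in), true));
}
// Only the boolean input differs between the checks: loose=true, strict=false, safe=false.
```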
