PHP Type Juggling

PHP AND TYPE JUGGLING

PHP is a dynamically typed language, similar to Python and JavaScript. This means that variable types are checked while the programme is running rather than at compile time. Dynamic typing gives developers more flexibility when working with PHP. However, that flexibility can occasionally cause unforeseen changes in programme flow and introduce serious vulnerabilities into the application.

Type juggling describes how PHP handles a variable's type. In PHP, a variable's type is determined by the context in which it is used. If an integer value is assigned to a variable, it becomes an integer. If a string value is assigned to the variable, it becomes a string.

Let’s have a look at PHP type juggling and how it might lead to authentication bypass flaws.

HOW DOES PHP COMPARE VALUES?

Type juggling, often known as “type coercion,” is a PHP feature: PHP converts variables of different types to a single common type before comparing them.

For example, when the program is comparing the string “7” and the integer 7 in the scenario below:

The code prints “PHP can compare ints and strings” and runs without issues. When you want your application to accept diverse sorts of user input, this behaviour comes in handy.

However, it’s also worth noting that this type of behaviour is a major source of bugs and security flaws.

When PHP compares the string “7 puppies” to the integer 7, for example, it will try to extract the integer from the string. As a result, this comparison returns True.

But what if the string being compared does not contain an integer? The string is then converted to 0, so the following comparison also evaluates to True:

HOW DOES A VULNERABILITY ARISE?

The most popular technique for exploiting this behaviour in PHP is to use it to bypass authentication.

Consider the following PHP code for handling authentication:

Then simply submitting an integer input of 0 would log you in as admin, since the comparison evaluates to True.
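The scenario above, written out as an added example that is not code from the original post: a login check that uses “==” against a stored credential, fed a JSON body in which the password is the integer 0. The user table, stored value and request body are constructed sample data, and the loose comparisons from the previous section are shown at the end for reference.

```php
<?php
// Added example (not from the original post): a login handler that compares the
// submitted password with "==" and is therefore subject to type juggling.
// The stored value is a plain string purely for illustration (constructed sample).

$users = [
    'admin' => ['password' => 'c4ca4238a0b923820dcc509a6f75849b'], // constructed
];

function loginLoose(array $users, string $name, $submitted): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    // Loose comparison: when $submitted is int(0) and the stored string does not
    // start with a digit, PHP 7 converts the string to 0 and the check passes.
    return $users[$name]['password'] == $submitted;
}

// A JSON body preserves the integer type: "password": 0 arrives as int(0), not "0".
$body = json_decode('{"username":"admin","password":0}', true);

var_dump(loginLoose($users, $body['username'], $body['password']));
// PHP 7.x: bool(true) without knowing any password. PHP 8 changed number-to-string
// comparison so this case prints bool(false), but "==" is still unsafe for secrets.

// The loose comparisons discussed above, for reference:
var_dump("7" == 7);          // bool(true) on all versions: numeric string
var_dump("7 puppies" == 7);  // bool(true) on PHP 7, bool(false) on PHP 8
var_dump("abc" == 0);        // bool(true) on PHP 7, bool(false) on PHP 8
```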

HOW TO AVOID TYPE JUGGLING IN PHP?

There are various actions you can take as a developer to prevent these vulnerabilities. Some of them are discussed below:

Use strict comparison operators:

  • Always use the type-safe comparison operator “===” instead of the loose comparison operator “==” when comparing values.
  • This prevents PHP from juggling types: the operation only returns True if the types of the two variables are also the same. For example, (7 === “7”) evaluates to False.

Specify the “strict” option for functions that compare:

  • Always check the PHP documentation for the specific function you use to see whether it employs loose or type-safe comparison. If strict comparison is an option, enable it explicitly in your code.
  • The in_array() function in PHP, for example, uses loose comparison by default. However, if you set its strict flag, it switches to type-safe comparison.
  • If a function only offers loose comparison, avoid it and look for alternatives.

Avoid typecasting before comparison:

  • Avoid typecasting right before comparing values, as this delivers essentially the same results as type juggling.
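The three measures above applied to the same login check, as an added example (not code from the original post): type-checked input, password_verify() and hash_equals() for secrets, and in_array() with its strict flag. The user table, allowed roles and request body are constructed sample data.

```php
<?php
// Added example (not from the original post): the login check hardened with the
// measures listed above. User data, roles and the request body are constructed.

$users = [
    'admin' => ['password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];
$allowedRoles = ['admin', 'editor'];

function loginStrict(array $users, string $name, $submitted): bool
{
    // Reject anything that is not a string before comparing, so an int(0) from a
    // JSON body never reaches the comparison at all.
    if (!is_string($submitted) || !isset($users[$name])) {
        return false;
    }
    // password_verify() performs a type-safe, constant-time check.
    return password_verify($submitted, $users[$name]['password_hash']);
}

function tokenMatches(string $expected, $given): bool
{
    // hash_equals() takes two strings and compares in constant time. "===" would
    // also avoid juggling; casting $given to a string first would reintroduce it.
    return is_string($given) && hash_equals($expected, $given);
}

function roleAllowed(array $allowedRoles, $role): bool
{
    // The third argument switches in_array() to "===" semantics. Without it,
    // in_array(0, ['admin', 'editor']) is true on PHP 7.
    return in_array($role, $allowedRoles, true);
}

$body = json_decode('{"username":"admin","password":0,"role":0}', true);

var_dump(loginStrict($users, $body['username'], $body['password'])); // bool(false)
var_dump(roleAllowed($allowedRoles, $body['role']));                   // bool(false)
var_dump(tokenMatches('constructed-token', 0));                        // bool(false)
var_dump(7 === "7");                                                   // bool(false)
```

Note that declare(strict_types=1) only affects scalar parameter and return type declarations; it does not change how “==” or in_array() compare values.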

CONCLUSION

PHP is an efficient language that is versatile, convenient, and simple to learn. However, this adaptability comes at a price. If the developer is not attentive, several characteristics of PHP can lead to vulnerabilities.

One of the characteristics that can introduce severe vulnerabilities is type juggling. When comparing values, be extra cautious and always understand how your software performs the comparison.

Follow the steps discussed above, along with safe coding practices, to avoid this type of vulnerability.

What is BugBase?

BugBase is a curated marketplace for ethical hackers that helps businesses and startups set up bug bounty programs. It is India’s first consolidated bug bounty platform, which assists organizations in staying safe by providing an all-in-one platform for continuous and comprehensive security testing.

Through BugBase registering and setting up your organisation’s bug bounty program is no less than a breeze. We also provide hackers and security professionals with the platform to directly get connected with organizations that have set up their bug bounty programs and get rewarded for the risks and vulnerabilities they find.

Thank you for being part of our BugFam! Stay up to date on our latest posts and hope you had a great week!

Join our discord community for regular updates and much more fun!!

Cheers,

BugBase Team

BugBase - The BugGyaan Blog
India’s first consolidated Bug Bounty Platform’s technical blog by Aditya Arun Iyer