title: PHP Type Juggling

categories: [cheatsheets]

tags: [security, web]

PHP Type Juggling

Reference: PHPMagicTricks-TypeJuggling.pdf

PHP has two main comparison modes; let's call them loose (==) and strict (===).

Comparing a string to an integer: "asomepass" == 1

  • PHP tries to convert the string to a number and does a numeric comparison.
  • If the string starts with a non-numeric character, it is converted to 0 (zero).

For Example:

"asd1231"   == int(0) : True
"abc"       == int(0) : True
"0000"      == int(0) : True

-> Even when comparing two strings that look like numbers, PHP converts both and does a numeric comparison

"0xF" == "15" : True ...

Possible for bypassing CSRF token checking!

If the token starts with a letter or int(0), PHP will convert the token to an integer.

php > $a="0e1235432423";
php > $b="0e414512e12";
php > var_dump($a==$b);
-----------------------
bool(false)
-----------------------
php > var_dump($a===$b);
-----------------------
bool(false)
-----------------------
php > var_dump($a==$b);
-----------------------
bool(false)
-----------------------
php > $c=0e1231331;
-----------------------
php > var_dump($a==$c);
bool(true)
php > var_dump($b==$c);
bool(true)
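
The CSRF token check described above, as an added example (not from the original cheatsheet): a loose `==` comparison next to a hardened one that requires strings and uses `hash_equals()`. The function names and the token values are constructed for illustration.

```php
<?php
// Added example; function names and token values are constructed.
// The rows that compare against int(0) depend on the PHP version: PHP 8
// changed how non-numeric strings compare to numbers, so run this on the
// runtime you actually deploy.

// Loose check: == lets PHP convert both operands before comparing.
function token_matches_loose($expected, $supplied): bool
{
    return $expected == $supplied;
}

// Hardened check: both values must already be strings, and hash_equals()
// compares them byte-for-byte in constant time (no type juggling).
function token_matches_strict($expected, $supplied): bool
{
    return is_string($expected)
        && is_string($supplied)
        && hash_equals($expected, $supplied);
}

// [stored token, submitted value]
$cases = [
    ['0e1235432423', '0e9876543210'], // two different well-formed "0e..." numeric strings
    ['0e1235432423', '0e414512e12'],  // second value has two "e"s, so it is not a well-formed number
    ['0e1235432423', 0],              // integer zero instead of a string
    ['abc123def',    0],              // token starting with a letter vs integer zero
    ['abc123def',    'abc123def'],    // the legitimate token
];

foreach ($cases as [$stored, $submitted]) {
    printf(
        "%-16s vs %-16s loose=%-5s strict=%s\n",
        var_export($stored, true),
        var_export($submitted, true),
        var_export(token_matches_loose($stored, $submitted), true),
        var_export(token_matches_strict($stored, $submitted), true)
    );
}
```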

Vulnerability Walkthrough