Auth bypass with PHP type Juggling

This post discusses PHP type juggling and how it can lead to an authentication bypass vulnerability.

PHP has two comparison modes: loose (==) and strict (===). Loose comparison applies a set of operand conversion rules, known as type juggling, so that developers can compare values of different data types, such as an integer and a string, without converting them first. Strict comparison returns TRUE only when both the type and the value match, so none of the bypasses below apply to ===.

For example, when you compare a string to a number on PHP 5 and 7, PHP converts the string to a number and then performs a numeric comparison. All of the following evaluate to TRUE on those versions:

    TRUE: "0000" == int(0)
    TRUE: "0e12" == int(0)
    TRUE: "1abc" == int(1)
    TRUE: "0abc" == int(0)
    TRUE: "abc"  == int(0)
    TRUE: " "    == int(0)

PHP 8.0 changed this rule: a number compared to a string that is neither numeric nor leading-numeric is itself converted to a string and compared as a string. So "abc" == 0 and " " == 0 are FALSE on PHP 8, while the first four lines (numeric or leading-numeric strings) still evaluate to TRUE.

Likewise, when you compare the string "5ABCD" to the integer 5, PHP extracts the leading integer from the string, so the comparison evaluates to TRUE (on PHP 8 as well, because "5ABCD" is a leading-numeric string):

    ("5ABCD" == 5) -> TRUE

If the string does not start with a number, PHP 5 and 7 convert it to 0, so the following statement also evaluates to TRUE on those versions (and to FALSE on PHP 8):

    ("ABCD" == 0) -> TRUE

Vulnerable code

The authentication logic below compares the submitted password with the expected one using strcmp(), and then checks the result with a loose comparison. This is the function we will abuse:

    if (strcmp($_POST['password'], $pass) == 0) {
        // do authenticated things
    }

If you control $_POST['password'], you can subvert this check.

The normal way of posting a password to the server side is as a plain string:

    password=$pass

What happens if you submit an array instead of a string, like this?

    password[]=

PHP decodes a POST parameter written with [] as an array (here, an array holding one empty string) rather than a string. Passing that array to strcmp() makes it barf: on PHP 5 and 7 it emits a warning about the wrong argument type and returns NULL instead of an integer.

    strcmp(array(), "your password") -> NULL

Now look at the check again: NULL == 0 is TRUE under loose comparison, so the if branch runs and the login is bypassed without knowing the password. 😎

Two caveats for practitioners. On PHP 8, strcmp() with an array argument throws a TypeError instead of returning NULL, so the request produces an error rather than a bypass (the same holds on PHP 7 in files that declare strict_types=1). To fix the code regardless of version, reject non-string input with is_string() before comparing, and compare with === (or hash_equals() for a constant-time comparison); stored passwords should in any case be hashed with password_hash() and checked with password_verify().
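The following script, added here as an example and not taken from the original post, puts both halves of the post together: it evaluates the comparisons from the loose-comparison section with == and ===, then feeds the post's password[]= payload to the strcmp() check beside a hardened version of the same check. The password, the request bodies and the function names are constructed for the demo.

```php
<?php
// Added example, not code from the original post: runs the loose-vs-strict
// comparisons from the post, then exercises the strcmp()/array bypass against
// a hardened login check. The secret and request bodies are constructed for
// the demo. Deliberately no declare(strict_types=1): strict_types would make
// PHP 7 throw a TypeError too and hide the bypass.

// Every comparison from the post, evaluated with == (type juggling) and ===.
// Returns rows of [expr, loose result, strict result].
function compare_table(): array
{
    $pairs = [
        ['0000', 0], ['0e12', 0], ['1abc', 1], ['0abc', 0],
        ['abc', 0], [' ', 0], ['5ABCD', 5], ['ABCD', 0],
    ];
    $rows = [];
    foreach ($pairs as [$str, $int]) {
        $rows[] = [
            'expr'   => var_export($str, true) . ' == ' . $int,
            'loose'  => $str == $int,   // TRUE for all on PHP 7; 'abc', ' ' and 'ABCD' are FALSE on PHP 8
            'strict' => $str === $int,  // always FALSE: a string is never identical to an int
        ];
    }
    return $rows;
}

// The vulnerable pattern from the post. $pass is the expected plaintext
// password (constructed for the demo; real code would store a hash).
function vulnerable_login(array $post, string $pass): bool
{
    // PHP 7: an array argument makes strcmp() warn and return NULL, and
    // NULL == 0 is TRUE. PHP 8: strcmp() throws TypeError instead.
    return strcmp($post['password'], $pass) == 0;
}

// Hardened version: fail closed on non-string input, compare strictly.
function hardened_login(array $post, string $pass): bool
{
    $supplied = $post['password'] ?? null;
    if (!is_string($supplied)) {
        return false;                       // password[]= arrives as an array: deny, do not error
    }
    return hash_equals($pass, $supplied);   // constant-time, both sides must be strings
}

// Three constructed request bodies: wrong password, correct password, and the
// bypass payload. password[]= is decoded by PHP as ['password' => ['']].
function run_demo(): array
{
    $pass = 'correct horse battery staple';
    $requests = [
        'password=wrong'     => ['password' => 'wrong'],
        'password=<correct>' => ['password' => $pass],
        'password[]='        => ['password' => ['']],
    ];
    $results = [];
    foreach ($requests as $label => $post) {
        try {
            $vuln = vulnerable_login($post, $pass) ? 'AUTHENTICATED' : 'denied';
        } catch (TypeError $e) {
            $vuln = 'TypeError (PHP 8+)';
        }
        $results[$label] = [
            'vulnerable' => $vuln,
            'hardened'   => hardened_login($post, $pass) ? 'AUTHENTICATED' : 'denied',
        ];
    }
    return $results;
}

foreach (compare_table() as $row) {
    printf("%-14s ==: %-5s ===: %s\n", $row['expr'],
        var_export($row['loose'], true), var_export($row['strict'], true));
}
foreach (run_demo() as $label => $r) {
    printf("%-20s vulnerable: %-18s hardened: %s\n", $label, $r['vulnerable'], $r['hardened']);
}
```

Run it from the command line with php. On PHP 7 the vulnerable check prints AUTHENTICATED for the password[]= request (right after strcmp()'s warning about the array argument); on PHP 8 it reports the TypeError instead. The hardened check denies that request on both versions, and === is FALSE for every row of the table because a string is never identical to an integer.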
