Auth bypass with PHP type Juggling

This post will discuss PHP type juggling and how they lead to authentication bypass vulnerability.

PHP type juggling has two main comparison modes, loos(==) and strict(===). loose comparison mode has a set of operand conversion rules to make it easier for developers. with loose comparison, it is possible for developers to compare values even if they have different data types, such as integers values and strings.

For example, when you compare a string to a number, PHP will attempt to convert the string to a number and then perform a numeric comparison.

					TRUE: "0000" == int(0)
TRUE: "0e12" == int(0)
TRUE: "1abc" == int(1)
TRUE: "0abc" == int(0)
TRUE: "abc" == int(0)
TRUE: " " == int(0)

Furthermore, when you need to compare the string “5ABCD” to integer 5, PHP will attempt to extract the integer from the string. this will evaluate to TRUE.

					("5ABCD" == 5) -> TRUE

If the string does not contain an integer value, the string will then be converted to a “0”. So, The following statement will also evaluate TRUE.

					("ABCD" == 0) -> TRUE

Vulnerable code

If you can identify the authentication logic in the above code, it has a PHP string comparison.

So, How would you use this function?

					if (strcmp($_POST['password'], '$pass') == 0) {
	// do authenticated things

If you can control the “$_POST[‘password’]“, you can disrupt the above authentication check.

This is the normal way of posting a password value to the server side. 


What will happen if we submit an array instead of posting a password string like this,


If you send an array as a password string, PHP translates a POST variable like this to an empty array which causes “strcmp()” to barf.

					strcmp(array(), "your password") -> NULL

Take a look at the “strcmp” usage again “NULL == 0“. This way you can bypass login authentication using PHP type juggling. 😎


Share this post:

Leave a Reply

Your email address will not be published. Required fields are marked *